Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2025, 22:34 UTC

General

  • Target

    2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe

  • Size

    72KB

  • MD5

    63c3eac87a43e1045b78d95d7ec1d2ba

  • SHA1

    a7b9d2f39670f3a035484c521487d15d765de400

  • SHA256

    2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342

  • SHA512

    a5b435c60876ee7d87d1efe719b3d3dab4befa82ab35c899a5730a369ac97ddb7a0709502ce7279f1c2d19eb87b6bb1634631869a5ae8a525d61e78e05f34787

  • SSDEEP

    1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211H:bdseIOMEZEyFjEOFqTiQm5l/5211H

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
    "C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:3848

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    3.33.243.145
    mkkuei4kdsz.com
    IN A
    15.197.204.56
  • flag-us
    GET
    http://mkkuei4kdsz.com/829/620.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /829/620.html HTTP/1.1
    From: 133817996924116720
    Via: fnpihtp]thu?:/7abqgd?8]rdqcp<33/2324anu@5430`nd{@/6e3;g/73`:h23id:;1;i2he1g;/c589
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Sun, 19 Jan 2025 22:35:56 GMT
    content-length: 114
  • flag-us
    DNS
    145.243.33.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    145.243.33.3.in-addr.arpa
    IN PTR
    Response
    145.243.33.3.in-addr.arpa
    IN PTR
    a3edc0dabdef92d6dawsglobalacceleratorcom
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/428/500.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /428/500.html HTTP/1.1
    From: 133817996924116720
    Via: fnpihtp]thu?:/7abqgd?8]rdqcp<33/2324anu@5430`nd{@/6e3;g/73`:h23id:;1;i2he1g;/c589
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 19 Jan 2025 22:36:06 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=684bbb42dfc1ab548d4ab1c4b377aac5|181.215.176.83|1737326166|1737326166|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    229.198.34.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    229.198.34.52.in-addr.arpa
    IN PTR
    Response
    229.198.34.52.in-addr.arpa
    IN PTR
    ec2-52-34-198-229 us-west-2compute amazonawscom
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://mkkuei4kdsz.com/881/437.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /881/437.html HTTP/1.1
    From: 133817997755991913
    Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?.5d2:f.62_9g12hc9:0:h1gd0f:.b478
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Sun, 19 Jan 2025 22:37:20 GMT
    content-length: 114
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/829/620.html
    http
    omsecor.exe
    467 B
    388 B
    6
    4

    HTTP Request

    GET http://mkkuei4kdsz.com/829/620.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/428/500.html
    http
    omsecor.exe
    467 B
    623 B
    6
    5

    HTTP Request

    GET http://ow5dirasuek.com/428/500.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/881/437.html
    http
    omsecor.exe
    375 B
    348 B
    4
    3

    HTTP Request

    GET http://mkkuei4kdsz.com/881/437.html

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    3.33.243.145
    15.197.204.56

  • 8.8.8.8:53
    145.243.33.3.in-addr.arpa
    dns
    71 B
    127 B
    1
    1

    DNS Request

    145.243.33.3.in-addr.arpa

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

  • 8.8.8.8:53
    229.198.34.52.in-addr.arpa
    dns
    72 B
    135 B
    1
    1

    DNS Request

    229.198.34.52.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    72KB

    MD5

    7aa684bca2f474d1490c016504595726

    SHA1

    8f7390d9883ea1793c3ea05ef3637bb5de55c868

    SHA256

    57b4bf966900d8f0f3a71c070da4ae4eb65588d2c6757b6e74ab5c91febb0acd

    SHA512

    b3035ecaa111e1d1fa4111f3f43f4b30e0d19b184236f6a321ff654f61e561d939911e90e436c043458e208d76ece71cec608081010412758bfeaa114802751a

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    72KB

    MD5

    58ce65081b6a648dc2419fbb221ce430

    SHA1

    189db5193552b54de97278ad36ebd4494316f6fb

    SHA256

    b166203eafe8063d3f85ca103b6e7e49411b2a20e46627e8e37e3b7e50d58385

    SHA512

    fc336aa8667e4766ad2b537c9641ec7bd88176744184fa6ff8bd8a44282faebac2f1e37b379a7bda79c6e7e4f924f120529a3cfe2e9439fabf821d9bf1e51ca5

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.