Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/01/2025, 22:34 UTC
Behavioral task
behavioral1
Sample
2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
Resource
win7-20240903-en
General
-
Target
2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe
-
Size
72KB
-
MD5
63c3eac87a43e1045b78d95d7ec1d2ba
-
SHA1
a7b9d2f39670f3a035484c521487d15d765de400
-
SHA256
2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342
-
SHA512
a5b435c60876ee7d87d1efe719b3d3dab4befa82ab35c899a5730a369ac97ddb7a0709502ce7279f1c2d19eb87b6bb1634631869a5ae8a525d61e78e05f34787
-
SSDEEP
1536:rd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5211H:bdseIOMEZEyFjEOFqTiQm5l/5211H
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd family
-
Executes dropped EXE 2 IoCs
pid Process 4940 omsecor.exe 3848 omsecor.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\merocz.xc6 omsecor.exe File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2332 wrote to memory of 4940 2332 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe 82 PID 2332 wrote to memory of 4940 2332 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe 82 PID 2332 wrote to memory of 4940 2332 2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe 82 PID 4940 wrote to memory of 3848 4940 omsecor.exe 92 PID 4940 wrote to memory of 3848 4940 omsecor.exe 92 PID 4940 wrote to memory of 3848 4940 omsecor.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe"C:\Users\Admin\AppData\Local\Temp\2bcbb7ad65019c8d00962baf5de9aa340c0ff69b0e243ab0a9dbebf16e1d6342.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Users\Admin\AppData\Roaming\omsecor.exeC:\Users\Admin\AppData\Roaming\omsecor.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\omsecor.exeC:\Windows\System32\omsecor.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3848
-
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestlousta.netIN AResponselousta.netIN A193.166.255.171
-
Remote address:8.8.8.8:53Request167.173.78.104.in-addr.arpaIN PTRResponse167.173.78.104.in-addr.arpaIN PTRa104-78-173-167deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request67.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request196.249.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request212.20.149.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestmkkuei4kdsz.comIN AResponsemkkuei4kdsz.comIN A3.33.243.145mkkuei4kdsz.comIN A15.197.204.56
-
Remote address:3.33.243.145:80RequestGET /829/620.html HTTP/1.1
From: 133817996924116720
Via: fnpihtp]thu?:/7abqgd?8]rdqcp<33/2324anu@5430`nd{@/6e3;g/73`:h23id:;1;i2he1g;/c589
Host: mkkuei4kdsz.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
date: Sun, 19 Jan 2025 22:35:56 GMT
content-length: 114
-
Remote address:8.8.8.8:53Request145.243.33.3.in-addr.arpaIN PTRResponse145.243.33.3.in-addr.arpaIN PTRa3edc0dabdef92d6dawsglobalacceleratorcom
-
Remote address:8.8.8.8:53Requestow5dirasuek.comIN AResponseow5dirasuek.comIN A52.34.198.229
-
Remote address:52.34.198.229:80RequestGET /428/500.html HTTP/1.1
From: 133817996924116720
Via: fnpihtp]thu?:/7abqgd?8]rdqcp<33/2324anu@5430`nd{@/6e3;g/73`:h23id:;1;i2he1g;/c589
Host: ow5dirasuek.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Sun, 19 Jan 2025 22:36:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=684bbb42dfc1ab548d4ab1c4b377aac5|181.215.176.83|1737326166|1737326166|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address:8.8.8.8:53Request229.198.34.52.in-addr.arpaIN PTRResponse229.198.34.52.in-addr.arpaIN PTRec2-52-34-198-229 us-west-2compute amazonawscom
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:3.33.243.145:80RequestGET /881/437.html HTTP/1.1
From: 133817997755991913
Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?432/_mcz?.5d2:f.62_9g12hc9:0:h1gd0f:.b478
Host: mkkuei4kdsz.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
date: Sun, 19 Jan 2025 22:37:20 GMT
content-length: 114
-
260 B 5
-
260 B 5
-
467 B 388 B 6 4
HTTP Request
GET http://mkkuei4kdsz.com/829/620.htmlHTTP Response
200 -
467 B 623 B 6 5
HTTP Request
GET http://ow5dirasuek.com/428/500.htmlHTTP Response
200 -
260 B 5
-
260 B 5
-
375 B 348 B 4 3
HTTP Request
GET http://mkkuei4kdsz.com/881/437.htmlHTTP Response
200
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
56 B 72 B 1 1
DNS Request
lousta.net
DNS Response
193.166.255.171
-
71 B 157 B 1 1
DNS Request
67.31.126.40.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
167.173.78.104.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
196.249.167.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
212.20.149.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
61 B 93 B 1 1
DNS Request
mkkuei4kdsz.com
DNS Response
3.33.243.14515.197.204.56
-
71 B 127 B 1 1
DNS Request
145.243.33.3.in-addr.arpa
-
61 B 77 B 1 1
DNS Request
ow5dirasuek.com
DNS Response
52.34.198.229
-
72 B 135 B 1 1
DNS Request
229.198.34.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD57aa684bca2f474d1490c016504595726
SHA18f7390d9883ea1793c3ea05ef3637bb5de55c868
SHA25657b4bf966900d8f0f3a71c070da4ae4eb65588d2c6757b6e74ab5c91febb0acd
SHA512b3035ecaa111e1d1fa4111f3f43f4b30e0d19b184236f6a321ff654f61e561d939911e90e436c043458e208d76ece71cec608081010412758bfeaa114802751a
-
Filesize
72KB
MD558ce65081b6a648dc2419fbb221ce430
SHA1189db5193552b54de97278ad36ebd4494316f6fb
SHA256b166203eafe8063d3f85ca103b6e7e49411b2a20e46627e8e37e3b7e50d58385
SHA512fc336aa8667e4766ad2b537c9641ec7bd88176744184fa6ff8bd8a44282faebac2f1e37b379a7bda79c6e7e4f924f120529a3cfe2e9439fabf821d9bf1e51ca5