Analysis

Max time kernel: 116s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 19/01/2025, 20:42 UTC

Static task: static1

Behavioral task: behavioral1
  Sample: 21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
  Resource: win7-20241010-en
General

Target: 21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
Size: 96KB
MD5: e07d0b15d4e7503500807aa373df6a6a
SHA1: 18e97aed437d6caaf333cd4667a10ed235d30ca7
SHA256: 21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164
SHA512: a0786f76b4076de6de00be786f57ff949161189a8b69275813e5b0a68b146c98164c5b785e1f824b701d657d3fbb5e25377805376306cfccbbb4ad3386c150d1
SSDEEP: 1536:1nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:1Gs8cd8eXlYairZYqMddH13r
Malware Config

Extracted family: neconyd
URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
  PID | Process
  2816 | omsecor.exe
  2956 | omsecor.exe
  2396 | omsecor.exe
  1740 | omsecor.exe
  2392 | omsecor.exe
  2192 | omsecor.exe

Loads dropped DLL (7 IoCs)
  PID | Process
  2856 | 21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
  2856 | 21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
  2816 | omsecor.exe
  2956 | omsecor.exe
  2956 | omsecor.exe
  1740 | omsecor.exe
  1740 | omsecor.exe

Drops file in System32 directory (1 IoC)
  Description | IoC | Process
  File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  Description | PID | Process | procid_target
  PID 2876 set thread context of 2856 | 2876 | 21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe | 30
  PID 2816 set thread context of 2956 | 2816 | omsecor.exe | 32
  PID 2396 set thread context of 1740 | 2396 | omsecor.exe | 36
  PID 2392 set thread context of 2192 | 2392 | omsecor.exe | 38
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Description | IoC | Process | Entries
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe | 6
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe | 2
Suspicious use of WriteProcessMemory (36 IoCs)
  Description | PID | Process | procid_target | Entries
  PID 2876 wrote to memory of 2856 | 2876 | 21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe | 30 | 6
  PID 2856 wrote to memory of 2816 | 2856 | 21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe | 31 | 4
  PID 2816 wrote to memory of 2956 | 2816 | omsecor.exe | 32 | 6
  PID 2956 wrote to memory of 2396 | 2956 | omsecor.exe | 35 | 4
  PID 2396 wrote to memory of 1740 | 2396 | omsecor.exe | 36 | 6
  PID 1740 wrote to memory of 2392 | 1740 | omsecor.exe | 37 | 4
  PID 2392 wrote to memory of 2192 | 2392 | omsecor.exe | 38 | 6
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe"
  PID: 2876
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 2 (child of PID 2876): C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
  PID: 2856
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 3 (child of PID 2856): C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2816
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 4 (child of PID 2816): C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2956
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 5 (child of PID 2956): C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
  PID: 2396
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 6 (child of PID 2396): C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe
  PID: 1740
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 7 (child of PID 1740): C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2392
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 8 (child of PID 2392): C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2192
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network

DNS query to 8.8.8.8:53
  Request:  lousta.net IN A
  Response: lousta.net IN A 193.166.255.171

DNS query to 8.8.8.8:53
  Request:  mkkuei4kdsz.com IN A
  Response: mkkuei4kdsz.com IN A 15.197.204.56
            mkkuei4kdsz.com IN A 3.33.243.145

HTTP to 15.197.204.56:80
  Request:
    GET /794/53.html HTTP/1.1
    From: 133817929747762000
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=201-]kax=/7b2e7536a7520c0e5]`f57ea8f30348
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    date: Sun, 19 Jan 2025 20:43:59 GMT
    content-length: 114

DNS query to 8.8.8.8:53
  Request:  ow5dirasuek.com IN A
  Response: ow5dirasuek.com IN A 52.34.198.229

HTTP to 52.34.198.229:80
  Request:
    GET /498/202.html HTTP/1.1
    From: 133817929747762000
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=201-]kax=/7b2e7536a7520c0e5]`f57ea8f30348
    Host: ow5dirasuek.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Sun, 19 Jan 2025 20:44:09 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=40ce73925a434c8a9aa4899bbdfec684|181.215.176.83|1737319449|1737319449|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Flow summary (bytes sent, bytes received, packets sent, packets received, as reported)
  Flow | Sent | Received | Pkts sent | Pkts received
  (unlabelled flow) | 152 B | | 3 |
  (unlabelled flow) | 152 B | | 3 |
  HTTP request GET http://mkkuei4kdsz.com/794/53.html, HTTP response 200 | 472 B | 644 B | 6 | 5
  HTTP request GET http://ow5dirasuek.com/498/202.html, HTTP response 200 | 421 B | 623 B | 5 | 5
  (unlabelled flow) | 152 B | | 3 |
  (unlabelled flow) | 104 B | | 2 |
  DNS request lousta.net, DNS response 193.166.255.171 | 56 B | 72 B | 1 | 1
  DNS request mkkuei4kdsz.com, DNS response 15.197.204.56, 3.33.243.145 | 61 B | 93 B | 1 | 1
  DNS request ow5dirasuek.com, DNS response 52.34.198.229 | 61 B | 77 B | 1 | 1
MITRE ATT&CK Enterprise v15
Downloads