Analysis

  • max time kernel
    116s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    19/01/2025, 20:42 UTC

General

  • Target

    21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe

  • Size

    96KB

  • MD5

    e07d0b15d4e7503500807aa373df6a6a

  • SHA1

    18e97aed437d6caaf333cd4667a10ed235d30ca7

  • SHA256

    21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164

  • SHA512

    a0786f76b4076de6de00be786f57ff949161189a8b69275813e5b0a68b146c98164c5b785e1f824b701d657d3fbb5e25377805376306cfccbbb4ad3386c150d1

  • SSDEEP

    1536:1nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxr:1Gs8cd8eXlYairZYqMddH13r

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
    "C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
      C:\Users\Admin\AppData\Local\Temp\21b0a8040e39963d792e841b2fe17492e4a9a8b9f962a8241ed1787839832164.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2396
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1740
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2392
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2192

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    15.197.204.56
    mkkuei4kdsz.com
    IN A
    3.33.243.145
  • flag-us
    GET
    http://mkkuei4kdsz.com/794/53.html
    omsecor.exe
    Remote address:
    15.197.204.56:80
    Request
    GET /794/53.html HTTP/1.1
    From: 133817929747762000
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=201-]kax=/7b2e7536a7520c0e5]`f57ea8f30348
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Sun, 19 Jan 2025 20:43:59 GMT
    content-length: 114
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/498/202.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /498/202.html HTTP/1.1
    From: 133817929747762000
    Via: ckmfeqmZqer<7,4^_nda<5Zoan`m900,/0/1^kr=201-]kax=/7b2e7536a7520c0e5]`f57ea8f30348
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 19 Jan 2025 20:44:09 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=40ce73925a434c8a9aa4899bbdfec684|181.215.176.83|1737319449|1737319449|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 15.197.204.56:80
    http://mkkuei4kdsz.com/794/53.html
    http
    omsecor.exe
    472 B
    644 B
    6
    5

    HTTP Request

    GET http://mkkuei4kdsz.com/794/53.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/498/202.html
    http
    omsecor.exe
    421 B
    623 B
    5
    5

    HTTP Request

    GET http://ow5dirasuek.com/498/202.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    104 B
    2
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    15.197.204.56
    3.33.243.145

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    1228cbb817eccdc3ecd8405cf15beee9

    SHA1

    ecb895cb6ef42d30e1ee5f76d8195ff3ba60a8a1

    SHA256

    e37fd897f667c4c8f1c32b2988402cd78a63acd17afccd5d4b3735eb210dfbeb

    SHA512

    dfa7539bc7c35c730ec2216919d65582b0c5708fc8a94df6066c1eddd7f875c8d18300499ecf5df74e63f8ab14ff9fc11366e075301ddf8896423c1aae05c4c6

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    d64c34ffbbeb541e3c3fc0340e3166af

    SHA1

    332b43553f1a8746d297941f49d675db42715d2a

    SHA256

    584121e71c419a3f315ffb3f5b523180e73093ea2efffea72ecac7a44d79edcc

    SHA512

    ef3fa5aa5471f24cef866c7cd5b369c218fc239b4a390d38f8f91d5cb420cdf0cf71b4a210e4466a98fb0ee9bf5f1a4d17d759daecd758610c9f8e17432e0136

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    332110932eff27e6086e710c31fed743

    SHA1

    0fa73f650be1e972dcd064d26def827605ec4359

    SHA256

    5d02bf9f597ca07477cf1aee95ad9cd0610c0321d6792227f0eefef176a2be16

    SHA512

    efc99b9685f5ce136ac5fac8a7ab02b08ab1fe343410ee57bb60bd49432285df37bffa6e854394dc57a4d58060123e6d2f1fa0add08beb73887dd2df5a738476

  • memory/1740-70-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2192-88-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2392-78-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2392-85-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2396-65-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2816-21-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2816-30-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2856-20-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2856-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2856-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2856-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2856-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2876-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2876-7-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2956-34-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2956-55-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2956-46-0x00000000003B0000-0x00000000003D3000-memory.dmp

    Filesize

    140KB

  • memory/2956-43-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2956-40-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2956-37-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.