Analysis

  • max time kernel
    116s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    19/01/2025, 20:51 UTC

General

  • Target

    1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe

  • Size

    134KB

  • MD5

    ef7dc6be4eb3b062cea32a16250b4330

  • SHA1

    42e0d5032f4df88c0b386d53b0899ddaec3e93d9

  • SHA256

    1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9d

  • SHA512

    b3df8f230dc6cb74e49445990980f42d2ec0c4f49b5c4786f82e54d0be15939f23993ed2d15d4e8a049f296d5fbfa02825a32271d3e4cd829a6b2af669630cd3

  • SSDEEP

    1536:8DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiH:iiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
    "C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
      C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:644
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2996
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:964
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2084
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:840

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    3.33.243.145
    mkkuei4kdsz.com
    IN A
    15.197.204.56
  • flag-us
    GET
    http://mkkuei4kdsz.com/172/517.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /172/517.html HTTP/1.1
    From: 133817934981766000
    Via: fnpihtp]thu?:/7abqgd?8]rdqcp<33/2324anu@5340`nd{@2:e5h:869d:853f3h8`ci8:hd;i6367;
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Sun, 19 Jan 2025 20:52:43 GMT
    content-length: 114
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/925/53.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /925/53.html HTTP/1.1
    From: 133817934981766000
    Via: fnpihtp]thu?:/7abqgd?8]rdqcp<33/2324anu@5340`nd{@2:e5h:869d:853f3h8`ci8:hd;i6367;
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 19 Jan 2025 20:52:53 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=ef39044737e411a4216c7c8b013e2b9e|181.215.176.83|1737319973|1737319973|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/172/517.html
    http
    omsecor.exe
    473 B
    644 B
    6
    5

    HTTP Request

    GET http://mkkuei4kdsz.com/172/517.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/925/53.html
    http
    omsecor.exe
    420 B
    623 B
    5
    5

    HTTP Request

    GET http://ow5dirasuek.com/925/53.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    104 B
    2
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    3.33.243.145
    15.197.204.56

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    134KB

    MD5

    877734ddc962cb783fa2cc4a79624d15

    SHA1

    cc589ebfa2c4d447bb1b946c12e7a3722d2c480e

    SHA256

    a264696575c1bd19e11291f117e2b90fd4e8639d07a6d4501ea6d79fbaba002f

    SHA512

    f844b3150b3d689d3c33ca2decbaf7a4d8313e6c81fb116d8ba755c08d452e7106934f90439ea06ec7ccb4ca2f0832bd981d4b6bc9efbfa21f139ea3cb2ebffb

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    134KB

    MD5

    5c78aedf3d3e1e8efc51e93eaac4b50b

    SHA1

    e6feb26edaffea0e54a829c2be6ef8415c779eb0

    SHA256

    d55a84a13f809685c09cfb57c3e8b572da61c7e331c364c4c34d5dbac36548f8

    SHA512

    9fc914f8d46dd947b7c7133c1cf5aa29f64d2374c2437399e3f0f52ccd426cfda9f7161ef2127eef338074588d2d877c16946c678a675bcf5e398253b54e9938

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    134KB

    MD5

    2d7126e599742bea0ff46ad3de4c7ea9

    SHA1

    a51127f12d49c79352959104976dfd9fcb7ed658

    SHA256

    8014f9c7fafc154aa5f7b3af75a0577acc05b9de7963bcd2e5b83f9349a5d832

    SHA512

    6947f45631821ae1e2cac66fa1d85a07b1e352fbfa5eb26cade4efca879c1b9d799f60fb05f097ec4515ff2604b0ea971c6fcef18d041566098267edb068c1f3

  • memory/644-32-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/644-20-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/644-23-0x0000000000230000-0x0000000000254000-memory.dmp

    Filesize

    144KB

  • memory/840-84-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2072-8-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2072-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2072-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2072-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2072-19-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2084-82-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2084-75-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2284-36-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2284-42-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2284-45-0x00000000003A0000-0x00000000003C4000-memory.dmp

    Filesize

    144KB

  • memory/2284-53-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2284-39-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2284-33-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2396-6-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2396-0-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2996-62-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.