Analysis
max time kernel: 116s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2025, 20:51 UTC
Static task: static1
Behavioral task: behavioral1
Sample: 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
Resource: win7-20241010-en
General
Target: 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
Size: 134KB
MD5: ef7dc6be4eb3b062cea32a16250b4330
SHA1: 42e0d5032f4df88c0b386d53b0899ddaec3e93d9
SHA256: 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9d
SHA512: b3df8f230dc6cb74e49445990980f42d2ec0c4f49b5c4786f82e54d0be15939f23993ed2d15d4e8a049f296d5fbfa02825a32271d3e4cd829a6b2af669630cd3
SSDEEP: 1536:8DfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiH:iiRTeH0iqAW6J6f1tqF6dngNmaZCiaI
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
pid | Process
644 | omsecor.exe
2284 | omsecor.exe
2996 | omsecor.exe
964 | omsecor.exe
2084 | omsecor.exe
840 | omsecor.exe

Loads dropped DLL (7 IoCs)
pid | Process
2072 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
2072 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
644 | omsecor.exe
2284 | omsecor.exe
2284 | omsecor.exe
964 | omsecor.exe
964 | omsecor.exe

Drops file in System32 directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\omsecor.exe | omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 2396 set thread context of 2072 | 2396 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe | 29
PID 644 set thread context of 2284 | 644 | omsecor.exe | 31
PID 2996 set thread context of 964 | 2996 | omsecor.exe | 34
PID 2084 set thread context of 840 | 2084 | omsecor.exe | 36

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omsecor.exe

Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 2396 wrote to memory of 2072 | 2396 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe | 29
PID 2396 wrote to memory of 2072 | 2396 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe | 29
PID 2396 wrote to memory of 2072 | 2396 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe | 29
PID 2396 wrote to memory of 2072 | 2396 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe | 29
PID 2396 wrote to memory of 2072 | 2396 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe | 29
PID 2396 wrote to memory of 2072 | 2396 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe | 29
PID 2072 wrote to memory of 644 | 2072 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe | 30
PID 2072 wrote to memory of 644 | 2072 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe | 30
PID 2072 wrote to memory of 644 | 2072 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe | 30
PID 2072 wrote to memory of 644 | 2072 | 1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe | 30
PID 644 wrote to memory of 2284 | 644 | omsecor.exe | 31
PID 644 wrote to memory of 2284 | 644 | omsecor.exe | 31
PID 644 wrote to memory of 2284 | 644 | omsecor.exe | 31
PID 644 wrote to memory of 2284 | 644 | omsecor.exe | 31
PID 644 wrote to memory of 2284 | 644 | omsecor.exe | 31
PID 644 wrote to memory of 2284 | 644 | omsecor.exe | 31
PID 2284 wrote to memory of 2996 | 2284 | omsecor.exe | 33
PID 2284 wrote to memory of 2996 | 2284 | omsecor.exe | 33
PID 2284 wrote to memory of 2996 | 2284 | omsecor.exe | 33
PID 2284 wrote to memory of 2996 | 2284 | omsecor.exe | 33
PID 2996 wrote to memory of 964 | 2996 | omsecor.exe | 34
PID 2996 wrote to memory of 964 | 2996 | omsecor.exe | 34
PID 2996 wrote to memory of 964 | 2996 | omsecor.exe | 34
PID 2996 wrote to memory of 964 | 2996 | omsecor.exe | 34
PID 2996 wrote to memory of 964 | 2996 | omsecor.exe | 34
PID 2996 wrote to memory of 964 | 2996 | omsecor.exe | 34
PID 964 wrote to memory of 2084 | 964 | omsecor.exe | 35
PID 964 wrote to memory of 2084 | 964 | omsecor.exe | 35
PID 964 wrote to memory of 2084 | 964 | omsecor.exe | 35
PID 964 wrote to memory of 2084 | 964 | omsecor.exe | 35
PID 2084 wrote to memory of 840 | 2084 | omsecor.exe | 36
PID 2084 wrote to memory of 840 | 2084 | omsecor.exe | 36
PID 2084 wrote to memory of 840 | 2084 | omsecor.exe | 36
PID 2084 wrote to memory of 840 | 2084 | omsecor.exe | 36
PID 2084 wrote to memory of 840 | 2084 | omsecor.exe | 36
PID 2084 wrote to memory of 840 | 2084 | omsecor.exe | 36
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe"
PID: 2396
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
Command line: C:\Users\Admin\AppData\Local\Temp\1f1293bd222c0a16c43cf639f58a2a3fff4a485f0da6b3aad75d8b856427ff9dN.exe
PID: 2072
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
PID: 644
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
PID: 2284
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe
PID: 2996
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\SysWOW64\omsecor.exe
PID: 964
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
PID: 2084
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

Level 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
PID: 840
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network

Remote address: 8.8.8.8:53
Request: lousta.net IN A
Response: lousta.net IN A 193.166.255.171

Remote address: 8.8.8.8:53
Request: mkkuei4kdsz.com IN A
Response: mkkuei4kdsz.com IN A 3.33.243.145
Response: mkkuei4kdsz.com IN A 15.197.204.56

Remote address: 3.33.243.145:80
Request:
GET /172/517.html HTTP/1.1
From: 133817934981766000
Via: fnpihtp]thu?:/7abqgd?8]rdqcp<33/2324anu@5340`nd{@2:e5h:869d:853f3h8`ci8:hd;i6367;
Host: mkkuei4kdsz.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
date: Sun, 19 Jan 2025 20:52:43 GMT
content-length: 114

Remote address: 8.8.8.8:53
Request: ow5dirasuek.com IN A
Response: ow5dirasuek.com IN A 52.34.198.229

Remote address: 52.34.198.229:80
Request:
GET /925/53.html HTTP/1.1
From: 133817934981766000
Via: fnpihtp]thu?:/7abqgd?8]rdqcp<33/2324anu@5340`nd{@2:e5h:869d:853f3h8`ci8:hd;i6367;
Host: ow5dirasuek.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Sun, 19 Jan 2025 20:52:53 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=ef39044737e411a4216c7c8b013e2b9e|181.215.176.83|1737319973|1737319973|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Flows
152 B 3
152 B 3
473 B 644 B 6 5
  HTTP Request: GET http://mkkuei4kdsz.com/172/517.html
  HTTP Response: 200
420 B 623 B 5 5
  HTTP Request: GET http://ow5dirasuek.com/925/53.html
  HTTP Response: 200
152 B 3
104 B 2
56 B 72 B 1 1
  DNS Request: lousta.net
  DNS Response: 193.166.255.171
61 B 93 B 1 1
  DNS Request: mkkuei4kdsz.com
  DNS Response: 3.33.243.145, 15.197.204.56
61 B 77 B 1 1
  DNS Request: ow5dirasuek.com
  DNS Response: 52.34.198.229
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 134KB
MD5: 877734ddc962cb783fa2cc4a79624d15
SHA1: cc589ebfa2c4d447bb1b946c12e7a3722d2c480e
SHA256: a264696575c1bd19e11291f117e2b90fd4e8639d07a6d4501ea6d79fbaba002f
SHA512: f844b3150b3d689d3c33ca2decbaf7a4d8313e6c81fb116d8ba755c08d452e7106934f90439ea06ec7ccb4ca2f0832bd981d4b6bc9efbfa21f139ea3cb2ebffb

Filesize: 134KB
MD5: 5c78aedf3d3e1e8efc51e93eaac4b50b
SHA1: e6feb26edaffea0e54a829c2be6ef8415c779eb0
SHA256: d55a84a13f809685c09cfb57c3e8b572da61c7e331c364c4c34d5dbac36548f8
SHA512: 9fc914f8d46dd947b7c7133c1cf5aa29f64d2374c2437399e3f0f52ccd426cfda9f7161ef2127eef338074588d2d877c16946c678a675bcf5e398253b54e9938

Filesize: 134KB
MD5: 2d7126e599742bea0ff46ad3de4c7ea9
SHA1: a51127f12d49c79352959104976dfd9fcb7ed658
SHA256: 8014f9c7fafc154aa5f7b3af75a0577acc05b9de7963bcd2e5b83f9349a5d832
SHA512: 6947f45631821ae1e2cac66fa1d85a07b1e352fbfa5eb26cade4efca879c1b9d799f60fb05f097ec4515ff2604b0ea971c6fcef18d041566098267edb068c1f3