Analysis

  • max time kernel
    115s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/01/2025, 23:24 UTC

General

  • Target

    ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe

  • Size

    96KB

  • MD5

    e5cab32bd5eab5060289bc0ea34f735c

  • SHA1

    737c299f7b86fd4fbcbd0b5c1046f42ec09607c4

  • SHA256

    ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339

  • SHA512

    b6097459627e944cd6924ada9e029a34a439c61a3b48678016703dd15c96f243394ab5d3d47c0e3949eb314c70bb2633865c3927e394801d1a727ffab161d328

  • SSDEEP

    1536:LnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:LGs8cd8eXlYairZYqMddH137

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe
    "C:\Users\Admin\AppData\Local\Temp\ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Users\Admin\AppData\Local\Temp\ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe
      C:\Users\Admin\AppData\Local\Temp\ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5016
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3628
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4360
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:724
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3116
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 268
                  8⤵
                  • Program crash
                  PID:4404
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 292
              6⤵
              • Program crash
              PID:4552
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 300
          4⤵
          • Program crash
          PID:4708
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 264
      2⤵
      • Program crash
      PID:4540
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4496 -ip 4496
    1⤵
    PID:1416
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5036 -ip 5036
    1⤵
    PID:2984
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3628 -ip 3628
    1⤵
    PID:3884
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 724 -ip 724
    1⤵
    PID:2800

          Network

          • DNS
            8.8.8.8.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            8.8.8.8.in-addr.arpa
            IN PTR
            Response
            8.8.8.8.in-addr.arpa
            IN PTR
            dns.google
          • DNS
            lousta.net
            omsecor.exe
            Remote address:
            8.8.8.8:53
            Request
            lousta.net
            IN A
            Response
            lousta.net
            IN A
            193.166.255.171
          • DNS
            209.205.72.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            209.205.72.20.in-addr.arpa
            IN PTR
            Response
          • DNS
            86.49.80.91.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            86.49.80.91.in-addr.arpa
            IN PTR
            Response
          • DNS
            140.32.126.40.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            140.32.126.40.in-addr.arpa
            IN PTR
            Response
          • DNS
            167.173.78.104.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            167.173.78.104.in-addr.arpa
            IN PTR
            Response
            167.173.78.104.in-addr.arpa
            IN PTR
            a104-78-173-167.deploy.static.akamaitechnologies.com
          • DNS
            104.219.191.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            104.219.191.52.in-addr.arpa
            IN PTR
            Response
          • DNS
            232.168.11.51.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            232.168.11.51.in-addr.arpa
            IN PTR
            Response
          • DNS
            56.163.245.4.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            56.163.245.4.in-addr.arpa
            IN PTR
            Response
          • DNS
            206.23.85.13.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            206.23.85.13.in-addr.arpa
            IN PTR
            Response
          • DNS
            172.210.232.199.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            172.210.232.199.in-addr.arpa
            IN PTR
            Response
          • DNS
            20.49.80.91.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            20.49.80.91.in-addr.arpa
            IN PTR
            Response
          • DNS
            mkkuei4kdsz.com
            omsecor.exe
            Remote address:
            8.8.8.8:53
            Request
            mkkuei4kdsz.com
            IN A
            Response
            mkkuei4kdsz.com
            IN A
            3.33.243.145
            mkkuei4kdsz.com
            IN A
            15.197.204.56
          • GET
            http://mkkuei4kdsz.com/224/21.html
            omsecor.exe
            Remote address:
            3.33.243.145:80
            Request
            GET /224/21.html HTTP/1.1
            From: 133819393747309207
            Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>02d_af_96_0d.4c/1c661^c23bc-04c6
            Host: mkkuei4kdsz.com
            Connection: Keep-Alive
            Response
            HTTP/1.1 200 OK
            content-type: text/html
            date: Tue, 21 Jan 2025 13:23:58 GMT
            content-length: 114
          • DNS
            145.243.33.3.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            145.243.33.3.in-addr.arpa
            IN PTR
            Response
            145.243.33.3.in-addr.arpa
            IN PTR
            a3edc0dabdef92d6d.awsglobalaccelerator.com
          • DNS
            ow5dirasuek.com
            omsecor.exe
            Remote address:
            8.8.8.8:53
            Request
            ow5dirasuek.com
            IN A
            Response
            ow5dirasuek.com
            IN A
            52.34.198.229
          • GET
            http://ow5dirasuek.com/827/650.html
            omsecor.exe
            Remote address:
            52.34.198.229:80
            Request
            GET /827/650.html HTTP/1.1
            From: 133819393747309207
            Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>02d_af_96_0d.4c/1c661^c23bc-04c6
            Host: ow5dirasuek.com
            Connection: Keep-Alive
            Response
            HTTP/1.1 200 OK
            Server: nginx
            Date: Tue, 21 Jan 2025 13:24:08 GMT
            Content-Type: text/html
            Transfer-Encoding: chunked
            Connection: close
            Set-Cookie: btst=0f0d6f49eafd2f0f48d5814482ebe3de|181.215.176.83|1737465848|1737465848|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
            Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
          • DNS
            229.198.34.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            229.198.34.52.in-addr.arpa
            IN PTR
            Response
            229.198.34.52.in-addr.arpa
            IN PTR
            ec2-52-34-198-229.us-west-2.compute.amazonaws.com
          • DNS
            172.214.232.199.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            172.214.232.199.in-addr.arpa
            IN PTR
            Response
          • 193.166.255.171:80
            lousta.net
            omsecor.exe
            260 B
            5
          • 193.166.255.171:80
            lousta.net
            omsecor.exe
            260 B
            5
          • 3.33.243.145:80
            http://mkkuei4kdsz.com/224/21.html
            http
            omsecor.exe
            466 B
            388 B
            6
            4

            HTTP Request

            GET http://mkkuei4kdsz.com/224/21.html

            HTTP Response

            200
          • 52.34.198.229:80
            http://ow5dirasuek.com/827/650.html
            http
            omsecor.exe
            467 B
            631 B
            6
            5

            HTTP Request

            GET http://ow5dirasuek.com/827/650.html

            HTTP Response

            200
          • 193.166.255.171:80
            lousta.net
            omsecor.exe
            260 B
            5
          • 193.166.255.171:80
            lousta.net
            omsecor.exe
            156 B
            3
          • 8.8.8.8:53
            8.8.8.8.in-addr.arpa
            dns
            66 B
            90 B
            1
            1

            DNS Request

            8.8.8.8.in-addr.arpa

          • 8.8.8.8:53
            lousta.net
            dns
            omsecor.exe
            56 B
            72 B
            1
            1

            DNS Request

            lousta.net

            DNS Response

            193.166.255.171

          • 8.8.8.8:53
            209.205.72.20.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            209.205.72.20.in-addr.arpa

          • 8.8.8.8:53
            86.49.80.91.in-addr.arpa
            dns
            70 B
            145 B
            1
            1

            DNS Request

            86.49.80.91.in-addr.arpa

          • 8.8.8.8:53
            140.32.126.40.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            140.32.126.40.in-addr.arpa

          • 8.8.8.8:53
            167.173.78.104.in-addr.arpa
            dns
            73 B
            139 B
            1
            1

            DNS Request

            167.173.78.104.in-addr.arpa

          • 8.8.8.8:53
            104.219.191.52.in-addr.arpa
            dns
            73 B
            147 B
            1
            1

            DNS Request

            104.219.191.52.in-addr.arpa

          • 8.8.8.8:53
            232.168.11.51.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            232.168.11.51.in-addr.arpa

          • 8.8.8.8:53
            56.163.245.4.in-addr.arpa
            dns
            71 B
            157 B
            1
            1

            DNS Request

            56.163.245.4.in-addr.arpa

          • 8.8.8.8:53
            206.23.85.13.in-addr.arpa
            dns
            71 B
            145 B
            1
            1

            DNS Request

            206.23.85.13.in-addr.arpa

          • 8.8.8.8:53
            172.210.232.199.in-addr.arpa
            dns
            74 B
            128 B
            1
            1

            DNS Request

            172.210.232.199.in-addr.arpa

          • 8.8.8.8:53
            20.49.80.91.in-addr.arpa
            dns
            70 B
            145 B
            1
            1

            DNS Request

            20.49.80.91.in-addr.arpa

          • 8.8.8.8:53
            mkkuei4kdsz.com
            dns
            omsecor.exe
            61 B
            93 B
            1
            1

            DNS Request

            mkkuei4kdsz.com

            DNS Response

            3.33.243.145
            15.197.204.56

          • 8.8.8.8:53
            145.243.33.3.in-addr.arpa
            dns
            71 B
            127 B
            1
            1

            DNS Request

            145.243.33.3.in-addr.arpa

          • 8.8.8.8:53
            ow5dirasuek.com
            dns
            omsecor.exe
            61 B
            77 B
            1
            1

            DNS Request

            ow5dirasuek.com

            DNS Response

            52.34.198.229

          • 8.8.8.8:53
            229.198.34.52.in-addr.arpa
            dns
            72 B
            135 B
            1
            1

            DNS Request

            229.198.34.52.in-addr.arpa

          • 8.8.8.8:53
            172.214.232.199.in-addr.arpa
            dns
            74 B
            128 B
            1
            1

            DNS Request

            172.214.232.199.in-addr.arpa

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Users\Admin\AppData\Roaming\omsecor.exe

            Filesize

            96KB

            MD5

            360ce3a33c680076b20025ee501bfe02

            SHA1

            508c0c9f4df423a10172f730a82c6e9ec2e8fcef

            SHA256

            ab2c92aa7a475a83613c9ba3393a1f63016feb6fd10e96aa365c6b0eafe8624a

            SHA512

            e6ddc4d87e0bb5e2adfe85724c72881edd8c529bb0bc7164a1ef59af6e468e699f048bc832efb0a7dc26421eea8b9523b5fe9f31f74982cca1a308008037a13a

          • C:\Users\Admin\AppData\Roaming\omsecor.exe

            Filesize

            96KB

            MD5

            9ee8b565267a990277bef46a8dc43dd9

            SHA1

            08e93fd4cfa911bb196f66b828044a9002d307ae

            SHA256

            231c819c8f69b1ad891c72e62529dff9654c9229ecc9172943a7a885d06a2bc4

            SHA512

            d1736477561bcbad128dda4f14821fbdcde079dce74e5097cf1822aa5676146e78a7abbbbcdfcd8032ba8bb317b9efdd5775f0dcf29e7308ea4d6c8b33f21e3c

          • C:\Windows\SysWOW64\omsecor.exe

            Filesize

            96KB

            MD5

            a914ebad03a744edcf1a726d8a4d68ee

            SHA1

            801eda3b189058b074055b592d26995ddb724737

            SHA256

            74553524368e057db36e850da08f26bb8f28519dbabf059752a981460535db49

            SHA512

            0ddce33a723b17a9077c2439af3c28ab0ba44ee6ab8bd56930545736eddcd2d55b4ec8b222aaf821a6d3a59d823d83ed3c2c620f362d001183b0c99648759477

          • memory/724-44-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/1236-1-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1236-2-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1236-3-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/1236-5-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/3116-48-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/3116-49-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/3116-53-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/3628-51-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/3628-31-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/4360-37-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4360-36-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4360-39-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/4496-18-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/4496-0-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/5016-22-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/5016-29-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/5016-26-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/5016-25-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/5016-19-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/5016-15-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/5016-14-0x0000000000400000-0x0000000000429000-memory.dmp

            Filesize

            164KB

          • memory/5036-16-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB

          • memory/5036-8-0x0000000000400000-0x0000000000423000-memory.dmp

            Filesize

            140KB
