Analysis
  max time kernel:   114s
  max time network:  121s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         20-01-2025 07:27
Behavioral task: behavioral1
  Sample:   1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
  Resource: win7-20240903-en
General
  Target:  1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
  Size:    61KB
  MD5:     09534757f4b64fd024a45cc653752a8e
  SHA1:    56d4789246d617c29d058c8a2cff3ddc32e7394c
  SHA256:  1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7
  SHA512:  7deee7ad0d96210149ee8fcdaeacc10403dcd735518bddc58bb5499eea4e47f2514d3ce1b07b61a65fb0cb8165760318bd1494c729434e6a5267ac67652892be
  SSDEEP:  1536:cd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZjl/5C:kdseIOMEZEyFjEOFqTiQmxl/5C
Malware Config
  Extracted: neconyd
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (3 IoCs)
  pid   Process
  4896  omsecor.exe
  4376  omsecor.exe
  2088  omsecor.exe

Drops file in System32 directory (1 IoC)
  description   ioc                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                               procid_target
  PID 4024 wrote to memory of 4896   4024  1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe  83
  PID 4024 wrote to memory of 4896   4024  1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe  83
  PID 4024 wrote to memory of 4896   4024  1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe  83
  PID 4896 wrote to memory of 4376   4896  omsecor.exe                                                           100
  PID 4896 wrote to memory of 4376   4896  omsecor.exe                                                           100
  PID 4896 wrote to memory of 4376   4896  omsecor.exe                                                           100
  PID 4376 wrote to memory of 2088   4376  omsecor.exe                                                           101
  PID 4376 wrote to memory of 2088   4376  omsecor.exe                                                           101
  PID 4376 wrote to memory of 2088   4376  omsecor.exe                                                           101
Processes

1. C:\Users\Admin\AppData\Local\Temp\1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1d160ca7730d6deacfdd01f2e19529ff93500b90374ba59d8faa5df960ae2da7.exe"
   PID: 4024
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 4896
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         PID: 4376
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            PID: 2088
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 61KB
  MD5:      7caca308a09eecc9776150a76ff1d316
  SHA1:     6b0d1f091dccbf654530c3cf4d077a9b30d493b8
  SHA256:   93307e703260c21613cb5505026ce9e24569e7ada425215e9dd6b5832933789e
  SHA512:   8d88be50caad1a05435af3a45f9653401d95268c650c811dc76da16ab358550f88b5325e64812d063daac40f32c6166c042c5dc8f6aa9a6c04ae60845340e87c

  Filesize: 61KB
  MD5:      26db7c016a583f578811e13cedcfdcbf
  SHA1:     aa7bb664a2e55869765012aa3ec2b7256ec1c850
  SHA256:   838f89384c7a5227e11a466791d2f391aec92c40aa26792f6cd28e8609c61551
  SHA512:   500921f79da5706064559cd9fd1cfd9f0903df328d53e4e54def91608b54d82c71478765937d6d7a1b9e2516adb063423493b7dbfdf7a7fc6b46767cf0485a8f

  Filesize: 61KB
  MD5:      0d4b442a5d7ebbfbb76bc74de55d1c9c
  SHA1:     ee9c618361708f0bb4e68c637da3d88ab72488f6
  SHA256:   2d414ba438b890a73303167cfeaa9a5bcc4a959bd9535c821dd78d5c29e86594
  SHA512:   607cc52fb24be6cba53e900521bd00a0d7da5b503b080cdb187caf8aaef1e485a9e6cf65e769d3c1204a191a552de360b7cd179aacb8683060cee9a6047769a9