Analysis
-
max time kernel
116s
-
max time network
120s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20-01-2025 08:04
Behavioral task
behavioral1
Sample
c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
Resource
win7-20240903-en
General
-
Target
c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
-
Size
80KB
-
MD5
6b1d0da3d634c4d601247ec73c3a1046
-
SHA1
592151cc1d7029baf7a15ec4545e893142176130
-
SHA256
c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590
-
SHA512
915ab92bd344117e9eb74b8ec78cce6ec7c9a05e0341d8acedf12eb2bcd75865c3fa5aa4a27355845d5afd3a5dea298ce4e24732ef0ec673f5047328a440e695
-
SSDEEP
1536:ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwzh:NdseIOMEZEyFjEOFqTiQmOl/5xPvwt
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd family
-
Executes dropped EXE 3 IoCs
pid Process
3092 omsecor.exe
964 omsecor.exe
5104 omsecor.exe
-
Drops file in System32 directory 1 IoCs
description ioc Process
File created C:\Windows\SysWOW64\omsecor.exe omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language omsecor.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 3436 wrote to memory of 3092 3436 c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe 83
PID 3436 wrote to memory of 3092 3436 c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe 83
PID 3436 wrote to memory of 3092 3436 c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe 83
PID 3092 wrote to memory of 964 3092 omsecor.exe 101
PID 3092 wrote to memory of 964 3092 omsecor.exe 101
PID 3092 wrote to memory of 964 3092 omsecor.exe 101
PID 964 wrote to memory of 5104 964 omsecor.exe 102
PID 964 wrote to memory of 5104 964 omsecor.exe 102
PID 964 wrote to memory of 5104 964 omsecor.exe 102
Processes
-
Path
C:\Users\Admin\AppData\Local\Temp\c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe
Command line
"C:\Users\Admin\AppData\Local\Temp\c35fdcce61d0b56b993c3e8bb495ea0c8f51f43ab39f30bfd7f629eaf3a2d590.exe"
Depth
1
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3436
-
Path
C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line
C:\Users\Admin\AppData\Roaming\omsecor.exe
Depth
2
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3092
-
Path
C:\Windows\SysWOW64\omsecor.exe
Command line
C:\Windows\System32\omsecor.exe
Depth
3
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:964
-
Path
C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line
C:\Users\Admin\AppData\Roaming\omsecor.exe
Depth
4
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5104
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
80KB
MD5
108095cdfc65606b63e302b53c055efa
SHA1
b049b6c01133e01f6a22f1dd5f7d5ac2f031c4b0
SHA256
1f4a040ec185dd06add5f49873ab02fe77fc4de8648db2e7f184c74c761ce457
SHA512
136f4c96d4882e71d9c17834b6b5ed18530eb2848cbcf48e1286b259ed4229fa88c7173938b0cf236894ce14934fa782906adf19f133628a109785fc9ed3b8a7
-
Filesize
80KB
MD5
2a08d7ecbb2a8d696a895307850a24c4
SHA1
f337721b2f100203a098539c01379d00cc8d5714
SHA256
7175449f16e839030a1343ccfa8d9704151228a7558b83dc2d8df8b2a31a1d40
SHA512
3b4901b0a61a9cf2ea2c71f3f35b977f5b27a9970a351487f1e4c09d175693f0c97b1499adaed10e1e999de19fbdd99f3f5defea7e7fbcd55f7cf9d687d6f898
-
Filesize
80KB
MD5
66a652c863ca45f3cc18a15b884746c6
SHA1
912fa866fe39b983b08f1fb9d7366b6e476df350
SHA256
12d1184e3f8d44275a5844a5604d6c116d321bfd0804287e816410ecaed8e045
SHA512
c5d79b8561454af96204bc54ac6b57dc2359f7c9db1bf8d83af1d36a1ac11e04b1280624960d6ddb8b3ce7029e698cadc18ff1db46965941d9336b8c0be2413e