Analysis
  Max time kernel: 149s
  Max time network: 152s
  Platform: windows10-2004_x64
  Resource: win10v2004-20241007-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 20/01/2025, 09:16 UTC
Behavioral task: behavioral1
  Sample: adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1.exe
  Resource: win7-20241010-en
General
  Target: adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1.exe
  Size: 61KB
  MD5: 5cece95a926ddd025e3a97cf5a13f044
  SHA1: 0dec504f3b3526292722672d8105e1a90e7cb246
  SHA256: adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1
  SHA512: fbe55158701e977c27f2c65c839554399b8413ffaa61b12df70cfae4aa6643025db412ca7b5bcae2e28c7b4e091bcfbdfdebc80459070b44ed8692fec947055f
  SSDEEP: 1536:hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ1l/5:RdseIOMEZEyFjEOFqTiQmXl/5
Malware Config
  Extracted configuration (family: neconyd)
  URLs:
    http://ow5dirasuek.com/
    http://mkkuei4kdsz.com/
    http://lousta.net/
Signatures

  Neconyd family

  Executes dropped EXE (3 IoCs)
    PID   Process
    1856  omsecor.exe
    316   omsecor.exe
    1108  omsecor.exe

  Drops file in System32 directory (1 IoC)
    Description   IoC                              Process
    File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

  System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    Description  IoC                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1.exe

  Suspicious use of WriteProcessMemory (9 IoCs)
    Description                       PID   Process                                                               procid_target
    PID 3616 wrote to memory of 1856  3616  adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1.exe  82
    PID 3616 wrote to memory of 1856  3616  adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1.exe  82
    PID 3616 wrote to memory of 1856  3616  adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1.exe  82
    PID 1856 wrote to memory of 316   1856  omsecor.exe                                                           92
    PID 1856 wrote to memory of 316   1856  omsecor.exe                                                           92
    PID 1856 wrote to memory of 316   1856  omsecor.exe                                                           92
    PID 316 wrote to memory of 1108   316   omsecor.exe                                                           93
    PID 316 wrote to memory of 1108   316   omsecor.exe                                                           93
    PID 316 wrote to memory of 1108   316   omsecor.exe                                                           93
Processes (tree; indentation shows parent/child)

  1. C:\Users\Admin\AppData\Local\Temp\adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1.exe"
     PID: 3616
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 1856
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\SysWOW64\omsecor.exe
           Command line: C:\Windows\System32\omsecor.exe
           PID: 316
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
           - Suspicious use of WriteProcessMemory

           4. C:\Users\Admin\AppData\Roaming\omsecor.exe
              Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
              PID: 1108
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
Network

  Remote address: 8.8.8.8:53
  Request: 196.249.167.52.in-addr.arpa IN PTR
  Response: (empty)

  Remote address: 8.8.8.8:53
  Request: lousta.net IN A
  Response: lousta.net IN A 193.166.255.171

  Remote address: 8.8.8.8:53
  Request: 68.159.190.20.in-addr.arpa IN PTR
  Response: (empty)

  Remote address: 8.8.8.8:53
  Request: 8.153.16.2.in-addr.arpa IN PTR
  Response: 8.153.16.2.in-addr.arpa IN PTR a2-16-153-8.deploy.static.akamaitechnologies.com

  Remote address: 8.8.8.8:53
  Request: 167.173.78.104.in-addr.arpa IN PTR
  Response: 167.173.78.104.in-addr.arpa IN PTR a104-78-173-167.deploy.static.akamaitechnologies.com

  Remote address: 8.8.8.8:53
  Request: 209.205.72.20.in-addr.arpa IN PTR
  Response: (empty)

  Remote address: 8.8.8.8:53
  Request: 13.86.106.20.in-addr.arpa IN PTR
  Response: (empty)

  Remote address: 8.8.8.8:53
  Request: 50.23.12.20.in-addr.arpa IN PTR
  Response: (empty)

  Remote address: 8.8.8.8:53
  Request: 171.39.242.20.in-addr.arpa IN PTR
  Response: (empty)

  Remote address: 8.8.8.8:53
  Request: 172.210.232.199.in-addr.arpa IN PTR
  Response: (empty)

  Remote address: 8.8.8.8:53
  Request: mkkuei4kdsz.com IN A
  Response: mkkuei4kdsz.com IN A 3.33.243.145
            mkkuei4kdsz.com IN A 15.197.204.56

  Remote address: 3.33.243.145:80
  Request:
    GET /264/373.html HTTP/1.1
    From: 133819249614169755
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+68\b0/.40533b23`7ab1`24-2`_c0a7
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    date: Tue, 21 Jan 2025 09:23:45 GMT
    content-length: 114

  Remote address: 8.8.8.8:53
  Request: 145.243.33.3.in-addr.arpa IN PTR
  Response: 145.243.33.3.in-addr.arpa IN PTR a3edc0dabdef92d6d.awsglobalaccelerator.com

  Remote address: 8.8.8.8:53
  Request: ow5dirasuek.com IN A
  Response: ow5dirasuek.com IN A 52.34.198.229

  Remote address: 52.34.198.229:80
  Request:
    GET /867/2.html HTTP/1.1
    From: 133819249614169755
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+68\b0/.40533b23`7ab1`24-2`_c0a7
    Host: ow5dirasuek.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Tue, 21 Jan 2025 09:23:55 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=9f428b79f788ea8d42dd5d7dc706d518|181.215.176.83|1737451435|1737451435|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

  Remote address: 8.8.8.8:53
  Request: 229.198.34.52.in-addr.arpa IN PTR
  Response: 229.198.34.52.in-addr.arpa IN PTR ec2-52-34-198-229.us-west-2.compute.amazonaws.com

  Remote address: 8.8.8.8:53
  Request: 43.229.111.52.in-addr.arpa IN PTR
  Response: (empty)

  Remote address: 3.33.243.145:80
  Request:
    GET /572/366.html HTTP/1.1
    From: 133819249614169755
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+68\b0/.40533b23`7ab1`24-2`_c0a7
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    date: Tue, 21 Jan 2025 09:25:08 GMT
    content-length: 114

  Remote address: 8.8.8.8:53
  Request: 66.112.168.52.in-addr.arpa IN PTR
  Response: (empty)

Traffic summary (per flow: bytes sent, bytes received, packets sent, packets received, details)

  Sent   Received  Pkts out  Pkts in  Details
  260 B  -         5         -
  260 B  -         5         -
  513 B  428 B     7         5        HTTP Request: GET http://mkkuei4kdsz.com/264/373.html; HTTP Response: 200
  465 B  631 B     6         5        HTTP Request: GET http://ow5dirasuek.com/867/2.html; HTTP Response: 200
  260 B  -         5         -
  260 B  -         5         -
  375 B  348 B     4         3        HTTP Request: GET http://mkkuei4kdsz.com/572/366.html; HTTP Response: 200
  73 B   147 B     1         1        DNS Request: 196.249.167.52.in-addr.arpa
  56 B   72 B      1         1        DNS Request: lousta.net; DNS Response: 193.166.255.171
  72 B   158 B     1         1        DNS Request: 68.159.190.20.in-addr.arpa
  69 B   131 B     1         1        DNS Request: 8.153.16.2.in-addr.arpa
  73 B   139 B     1         1        DNS Request: 167.173.78.104.in-addr.arpa
  72 B   158 B     1         1        DNS Request: 209.205.72.20.in-addr.arpa
  71 B   157 B     1         1        DNS Request: 13.86.106.20.in-addr.arpa
  70 B   156 B     1         1        DNS Request: 50.23.12.20.in-addr.arpa
  72 B   158 B     1         1        DNS Request: 171.39.242.20.in-addr.arpa
  74 B   128 B     1         1        DNS Request: 172.210.232.199.in-addr.arpa
  61 B   93 B      1         1        DNS Request: mkkuei4kdsz.com; DNS Response: 3.33.243.145, 15.197.204.56
  71 B   127 B     1         1        DNS Request: 145.243.33.3.in-addr.arpa
  61 B   77 B      1         1        DNS Request: ow5dirasuek.com; DNS Response: 52.34.198.229
  72 B   135 B     1         1        DNS Request: 229.198.34.52.in-addr.arpa
  72 B   158 B     1         1        DNS Request: 43.229.111.52.in-addr.arpa
  72 B   146 B     1         1        DNS Request: 66.112.168.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 61KB
  MD5: b7491624d961138f59cde69239cbd98f
  SHA1: 4da8275190345efdf25e9130cbefc5522742bf66
  SHA256: 245d8271fd091c46c7f659e50684cc054e381c3ad99bd3167b89dd119cec7f87
  SHA512: 582474617ae247582459518fa4bf08657d673bcdf4c088953eee95c009f5cbd5a74e341050c42eff210bd3402c66de9f812f4ab1dd8b5ff9fb63ed2e84effcdd

  Filesize: 61KB
  MD5: 76a3cb5b776b0ca47bdf4209507bb557
  SHA1: c342a00daa71aa1e22782bea375747092b221f47
  SHA256: 7e605a2b4b368d47b085546d08385f561a6cb12f722ff325f20455972c6b7a9a
  SHA512: d01e48a137b01ffe087ba63a7acfdd0dd14ca114ddbe60189d4bf9623cb48847474247ae426145ce2002397f598f5c35650d8ba6087b8a0cdb3c2e46222eecb2

  Filesize: 61KB
  MD5: 26af68364f15b2a7fbb75d1336ce9e6f
  SHA1: c5a7b9a758998bc70ab3662a31ff8e55ca8f2640
  SHA256: 5cba6344b17bfb89e47a809efca3ec0618623dde714ceebd72e3435b7e4dced7
  SHA512: 95140ffe40d586a286fdcf8bc92072abe0017b2ab04634d2f50693e8403335f0e5799670537451342f35932da585fbc940fa20c1b4f2f06e6ac45236a2c49a55