Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/01/2025, 09:16 UTC

General

  • Target

    adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1.exe

  • Size

    61KB

  • MD5

    5cece95a926ddd025e3a97cf5a13f044

  • SHA1

    0dec504f3b3526292722672d8105e1a90e7cb246

  • SHA256

    adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1

  • SHA512

    fbe55158701e977c27f2c65c839554399b8413ffaa61b12df70cfae4aa6643025db412ca7b5bcae2e28c7b4e091bcfbdfdebc80459070b44ed8692fec947055f

  • SSDEEP

    1536:hd9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZ1l/5:RdseIOMEZEyFjEOFqTiQmXl/5

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1.exe
    "C:\Users\Admin\AppData\Local\Temp\adf89b423ff93c7c6d744feccf8c23313e7a6af8e456458e4f38a0b37befeed1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:316
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1108

Network

  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.153.16.2.in-addr.arpa
    IN PTR
    Response
    8.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-8deploystaticakamaitechnologiescom
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    3.33.243.145
    mkkuei4kdsz.com
    IN A
    15.197.204.56
  • flag-us
    GET
    http://mkkuei4kdsz.com/264/373.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /264/373.html HTTP/1.1
    From: 133819249614169755
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+68\b0/.40533b23`7ab1`24-2`_c0a7
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Tue, 21 Jan 2025 09:23:45 GMT
    content-length: 114
  • flag-us
    DNS
    145.243.33.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    145.243.33.3.in-addr.arpa
    IN PTR
    Response
    145.243.33.3.in-addr.arpa
    IN PTR
    a3edc0dabdef92d6dawsglobalacceleratorcom
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/867/2.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /867/2.html HTTP/1.1
    From: 133819249614169755
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+68\b0/.40533b23`7ab1`24-2`_c0a7
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 21 Jan 2025 09:23:55 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=9f428b79f788ea8d42dd5d7dc706d518|181.215.176.83|1737451435|1737451435|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    229.198.34.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    229.198.34.52.in-addr.arpa
    IN PTR
    Response
    229.198.34.52.in-addr.arpa
    IN PTR
    ec2-52-34-198-229 us-west-2compute amazonawscom
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    http://mkkuei4kdsz.com/572/366.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /572/366.html HTTP/1.1
    From: 133819249614169755
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<+68\b0/.40533b23`7ab1`24-2`_c0a7
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Tue, 21 Jan 2025 09:25:08 GMT
    content-length: 114
  • flag-us
    DNS
    66.112.168.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    66.112.168.52.in-addr.arpa
    IN PTR
    Response
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/264/373.html
    http
    omsecor.exe
    513 B
    428 B
    7
    5

    HTTP Request

    GET http://mkkuei4kdsz.com/264/373.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/867/2.html
    http
    omsecor.exe
    465 B
    631 B
    6
    5

    HTTP Request

    GET http://ow5dirasuek.com/867/2.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/572/366.html
    http
    omsecor.exe
    375 B
    348 B
    4
    3

    HTTP Request

    GET http://mkkuei4kdsz.com/572/366.html

    HTTP Response

    200
  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    8.153.16.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    8.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    3.33.243.145
    15.197.204.56

  • 8.8.8.8:53
    145.243.33.3.in-addr.arpa
    dns
    71 B
    127 B
    1
    1

    DNS Request

    145.243.33.3.in-addr.arpa

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

  • 8.8.8.8:53
    229.198.34.52.in-addr.arpa
    dns
    72 B
    135 B
    1
    1

    DNS Request

    229.198.34.52.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    66.112.168.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    66.112.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    b7491624d961138f59cde69239cbd98f

    SHA1

    4da8275190345efdf25e9130cbefc5522742bf66

    SHA256

    245d8271fd091c46c7f659e50684cc054e381c3ad99bd3167b89dd119cec7f87

    SHA512

    582474617ae247582459518fa4bf08657d673bcdf4c088953eee95c009f5cbd5a74e341050c42eff210bd3402c66de9f812f4ab1dd8b5ff9fb63ed2e84effcdd

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    61KB

    MD5

    76a3cb5b776b0ca47bdf4209507bb557

    SHA1

    c342a00daa71aa1e22782bea375747092b221f47

    SHA256

    7e605a2b4b368d47b085546d08385f561a6cb12f722ff325f20455972c6b7a9a

    SHA512

    d01e48a137b01ffe087ba63a7acfdd0dd14ca114ddbe60189d4bf9623cb48847474247ae426145ce2002397f598f5c35650d8ba6087b8a0cdb3c2e46222eecb2

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    61KB

    MD5

    26af68364f15b2a7fbb75d1336ce9e6f

    SHA1

    c5a7b9a758998bc70ab3662a31ff8e55ca8f2640

    SHA256

    5cba6344b17bfb89e47a809efca3ec0618623dde714ceebd72e3435b7e4dced7

    SHA512

    95140ffe40d586a286fdcf8bc92072abe0017b2ab04634d2f50693e8403335f0e5799670537451342f35932da585fbc940fa20c1b4f2f06e6ac45236a2c49a55

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.