Analysis

  • max time kernel
    114s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/01/2025, 20:14 UTC

General

  • Target

    ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe

  • Size

    80KB

  • MD5

    2280a07398f9229442d8919d4c3322d2

  • SHA1

    6b2168f604b5536f8a8b79c93edacf5fa5614d8d

  • SHA256

    ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8

  • SHA512

    f783a9234a6b9d461192e3843c1a803ecb68eb667ddf5b273d9bfc484290d895b828b228d39b59b07f92a4efac627fcc560183b2cbb3917ec37b193b64227c56

  • SSDEEP

    1536:0d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwz5:MdseIOMEZEyFjEOFqTiQmOl/5xPvwl

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe
    "C:\Users\Admin\AppData\Local\Temp\ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2100

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    85.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    85.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    3.33.243.145
    mkkuei4kdsz.com
    IN A
    15.197.204.56
  • flag-us
    GET
    http://mkkuei4kdsz.com/73/298.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /73/298.html HTTP/1.1
    From: 133819366445602128
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<^122c`]1`4641/83/``a2+4e+573ab]5
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Tue, 21 Jan 2025 12:38:28 GMT
    content-length: 114
  • flag-us
    DNS
    145.243.33.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    145.243.33.3.in-addr.arpa
    IN PTR
    Response
    145.243.33.3.in-addr.arpa
    IN PTR
    a3edc0dabdef92d6dawsglobalacceleratorcom
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/725/313.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /725/313.html HTTP/1.1
    From: 133819366445602128
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<^122c`]1`4641/83/``a2+4e+573ab]5
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 21 Jan 2025 12:38:38 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=a727fd2c47464d6c28bc1518b4253967|181.215.176.83|1737463118|1737463118|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    229.198.34.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    229.198.34.52.in-addr.arpa
    IN PTR
    Response
    229.198.34.52.in-addr.arpa
    IN PTR
    ec2-52-34-198-229 us-west-2compute amazonawscom
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/73/298.html
    http
    omsecor.exe
    466 B
    388 B
    6
    4

    HTTP Request

    GET http://mkkuei4kdsz.com/73/298.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/725/313.html
    http
    omsecor.exe
    467 B
    623 B
    6
    5

    HTTP Request

    GET http://ow5dirasuek.com/725/313.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    156 B
    3
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    86.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    86.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    22.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    22.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    85.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    85.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    3.33.243.145
    15.197.204.56

  • 8.8.8.8:53
    145.243.33.3.in-addr.arpa
    dns
    71 B
    127 B
    1
    1

    DNS Request

    145.243.33.3.in-addr.arpa

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

  • 8.8.8.8:53
    229.198.34.52.in-addr.arpa
    dns
    72 B
    135 B
    1
    1

    DNS Request

    229.198.34.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    80KB

    MD5

    64efa7b9e6ff61e955ebd00c872a3584

    SHA1

    4735f167299693ba8e9f9d8bee780f69acbdeb8b

    SHA256

    7b5dc447e1273b6754678ed977fa3b5e5b96b5207da7df83ca2847bce9502ba8

    SHA512

    905dcfb5792212c1e6763cc43253cde8a2c9ac0e8ba733e8079663521d48fee3b4907812a6cf3596de36ae39c0edecfb2cefaa1af35ee6c222bb594e9cba360c

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    80KB

    MD5

    8985a3c9fbe20fd797ca56c493d1c263

    SHA1

    ad0251225017e8e562b8219462835b819ee489a8

    SHA256

    f0ee05631809635097730be3465cb2f3a1f2b5afeec073025e0ac56121c24dd6

    SHA512

    57b6930343bf13105dc30461edffdd94243c17d26a09442c6da55578ef564606425e94a202b7e57c50679803c7a1bc73f018a590d29c876e1fa01c136f5c24cf

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.