Analysis
max time kernel: 114s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2025, 20:14 UTC

Behavioral task: behavioral1
Sample: ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe
Resource: win7-20241010-en

General
Target: ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe
Size: 80KB
MD5: 2280a07398f9229442d8919d4c3322d2
SHA1: 6b2168f604b5536f8a8b79c93edacf5fa5614d8d
SHA256: ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8
SHA512: f783a9234a6b9d461192e3843c1a803ecb68eb667ddf5b273d9bfc484290d895b828b228d39b59b07f92a4efac627fcc560183b2cbb3917ec37b193b64227c56
SSDEEP: 1536:0d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9Xwz5:MdseIOMEZEyFjEOFqTiQmOl/5xPvwl
Malware Config
Extracted: neconyd
- http://ow5dirasuek.com/
- http://mkkuei4kdsz.com/
- http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (2 IoCs)
  PID 1260: omsecor.exe
  PID 2100: omsecor.exe
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\omsecor.exe (process: omsecor.exe)
  File opened for modification: C:\Windows\SysWOW64\merocz.xc6 (process: omsecor.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: omsecor.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3196 wrote to memory of 1260 (process: ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe, procid_target: 83)
  PID 3196 wrote to memory of 1260 (process: ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe, procid_target: 83)
  PID 3196 wrote to memory of 1260 (process: ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe, procid_target: 83)
  PID 1260 wrote to memory of 2100 (process: omsecor.exe, procid_target: 101)
  PID 1260 wrote to memory of 2100 (process: omsecor.exe, procid_target: 101)
  PID 1260 wrote to memory of 2100 (process: omsecor.exe, procid_target: 101)
Processes
- C:\Users\Admin\AppData\Local\Temp\ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe (PID 3196, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ade1d2d53b8542d73d4b71adc453a68db4f8f05c09f87eaaa2b7b7004811a7f8.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1260, level 2, parent PID 3196)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 2100, level 3, parent PID 1260)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
Network
- DNS (8.8.8.8:53): A lousta.net -> 193.166.255.171
- DNS (8.8.8.8:53): PTR 28.118.140.52.in-addr.arpa -> (empty response)
- DNS (8.8.8.8:53): PTR 86.49.80.91.in-addr.arpa -> (empty response)
- DNS (8.8.8.8:53): PTR 64.159.190.20.in-addr.arpa -> (empty response)
- DNS (8.8.8.8:53): PTR 167.173.78.104.in-addr.arpa -> a104-78-173-167.deploy.static.akamaitechnologies.com
- DNS (8.8.8.8:53): PTR 149.220.183.52.in-addr.arpa -> (empty response)
- DNS (8.8.8.8:53): PTR 56.163.245.4.in-addr.arpa -> (empty response)
- DNS (8.8.8.8:53): PTR 18.31.95.13.in-addr.arpa -> (empty response)
- DNS (8.8.8.8:53): PTR 22.49.80.91.in-addr.arpa -> (empty response)
- DNS (8.8.8.8:53): PTR 85.49.80.91.in-addr.arpa -> (empty response)
- DNS (8.8.8.8:53): A mkkuei4kdsz.com -> 3.33.243.145, 15.197.204.56
- HTTP (3.33.243.145:80)
  Request:
    GET /73/298.html HTTP/1.1
    From: 133819366445602128
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<^122c`]1`4641/83/``a2+4e+573ab]5
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    date: Tue, 21 Jan 2025 12:38:28 GMT
    content-length: 114
- DNS (8.8.8.8:53): PTR 145.243.33.3.in-addr.arpa -> a3edc0dabdef92d6d.awsglobalaccelerator.com
- DNS (8.8.8.8:53): A ow5dirasuek.com -> 52.34.198.229
- HTTP (52.34.198.229:80)
  Request:
    GET /725/313.html HTTP/1.1
    From: 133819366445602128
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<10/,\j`w<^122c`]1`4641/83/``a2+4e+573ab]5
    Host: ow5dirasuek.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Tue, 21 Jan 2025 12:38:38 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=a727fd2c47464d6c28bc1518b4253967|181.215.176.83|1737463118|1737463118|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
- DNS (8.8.8.8:53): PTR 229.198.34.52.in-addr.arpa -> ec2-52-34-198-229.us-west-2.compute.amazonaws.com
Flow summary (bytes and packet counts as reported)
- 260 B, 5
- 260 B, 5
- 466 B / 388 B, 6 / 4: HTTP Request GET http://mkkuei4kdsz.com/73/298.html; HTTP Response 200
- 467 B / 623 B, 6 / 5: HTTP Request GET http://ow5dirasuek.com/725/313.html; HTTP Response 200
- 260 B, 5
- 156 B, 3
- 56 B / 72 B, 1 / 1: DNS Request lousta.net; DNS Response 193.166.255.171
- 72 B / 158 B, 1 / 1: DNS Request 28.118.140.52.in-addr.arpa
- 70 B / 145 B, 1 / 1: DNS Request 86.49.80.91.in-addr.arpa
- 72 B / 158 B, 1 / 1: DNS Request 64.159.190.20.in-addr.arpa
- 73 B / 139 B, 1 / 1: DNS Request 167.173.78.104.in-addr.arpa
- 73 B / 147 B, 1 / 1: DNS Request 149.220.183.52.in-addr.arpa
- 71 B / 157 B, 1 / 1: DNS Request 56.163.245.4.in-addr.arpa
- 70 B / 144 B, 1 / 1: DNS Request 18.31.95.13.in-addr.arpa
- 70 B / 145 B, 1 / 1: DNS Request 22.49.80.91.in-addr.arpa
- 70 B / 145 B, 1 / 1: DNS Request 85.49.80.91.in-addr.arpa
- 61 B / 93 B, 1 / 1: DNS Request mkkuei4kdsz.com; DNS Response 3.33.243.145, 15.197.204.56
- 71 B / 127 B, 1 / 1: DNS Request 145.243.33.3.in-addr.arpa
- 61 B / 77 B, 1 / 1: DNS Request ow5dirasuek.com; DNS Response 52.34.198.229
- 72 B / 135 B, 1 / 1: DNS Request 229.198.34.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 80KB
  MD5: 64efa7b9e6ff61e955ebd00c872a3584
  SHA1: 4735f167299693ba8e9f9d8bee780f69acbdeb8b
  SHA256: 7b5dc447e1273b6754678ed977fa3b5e5b96b5207da7df83ca2847bce9502ba8
  SHA512: 905dcfb5792212c1e6763cc43253cde8a2c9ac0e8ba733e8079663521d48fee3b4907812a6cf3596de36ae39c0edecfb2cefaa1af35ee6c222bb594e9cba360c
- Filesize: 80KB
  MD5: 8985a3c9fbe20fd797ca56c493d1c263
  SHA1: ad0251225017e8e562b8219462835b819ee489a8
  SHA256: f0ee05631809635097730be3465cb2f3a1f2b5afeec073025e0ac56121c24dd6
  SHA512: 57b6930343bf13105dc30461edffdd94243c17d26a09442c6da55578ef564606425e94a202b7e57c50679803c7a1bc73f018a590d29c876e1fa01c136f5c24cf