Analysis
- max time kernel: 116s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 21/01/2025, 01:22 UTC
- Static task: static1
- Behavioral task: behavioral1
- Sample: 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
- Resource: win7-20241010-en
General
- Target: 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
- Size: 96KB
- MD5: f52b87b3a347a98aaa214c53bbf3e320
- SHA1: 88f7e62d9b4acbb8b1a34c6c91929f4565797b4e
- SHA256: 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0
- SHA512: 75b896379303f12c88f3b7097356df19662898761803d1cac699491a357f3bf3bdcc2487e187335983ef6c464f5eeb8e0aec47d4c866ae04246ccde05731bcf1
- SSDEEP: 1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:4Gs8cd8eXlYairZYqMddH13T
Malware Config
Extracted
- Family: neconyd
- URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (6 IoCs)
  pid / Process:
  - 2072 omsecor.exe
  - 2332 omsecor.exe
  - 2688 omsecor.exe
  - 2416 omsecor.exe
  - 632 omsecor.exe
  - 1920 omsecor.exe
- Loads dropped DLL (7 IoCs)
  pid / Process:
  - 3008 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  - 3008 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  - 2072 omsecor.exe
  - 2332 omsecor.exe
  - 2332 omsecor.exe
  - 2416 omsecor.exe
  - 2416 omsecor.exe
- Drops file in System32 directory (1 IoC)
  description / ioc / Process:
  - File created C:\Windows\SysWOW64\omsecor.exe (omsecor.exe)
- Suspicious use of SetThreadContext (4 IoCs)
  description / pid / Process / procid_target:
  - PID 3004 set thread context of 3008 (pid 3004, 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe, procid_target 29)
  - PID 2072 set thread context of 2332 (pid 2072, omsecor.exe, procid_target 31)
  - PID 2688 set thread context of 2416 (pid 2688, omsecor.exe, procid_target 34)
  - PID 632 set thread context of 1920 (pid 632, omsecor.exe, procid_target 36)
- System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (omsecor.exe)
- Suspicious use of WriteProcessMemory (36 IoCs)
  description / pid / Process / procid_target:
  - PID 3004 wrote to memory of 3008 (pid 3004, 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe, procid_target 29)
  - PID 3004 wrote to memory of 3008 (pid 3004, 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe, procid_target 29)
  - PID 3004 wrote to memory of 3008 (pid 3004, 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe, procid_target 29)
  - PID 3004 wrote to memory of 3008 (pid 3004, 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe, procid_target 29)
  - PID 3004 wrote to memory of 3008 (pid 3004, 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe, procid_target 29)
  - PID 3004 wrote to memory of 3008 (pid 3004, 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe, procid_target 29)
  - PID 3008 wrote to memory of 2072 (pid 3008, 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe, procid_target 30)
  - PID 3008 wrote to memory of 2072 (pid 3008, 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe, procid_target 30)
  - PID 3008 wrote to memory of 2072 (pid 3008, 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe, procid_target 30)
  - PID 3008 wrote to memory of 2072 (pid 3008, 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe, procid_target 30)
  - PID 2072 wrote to memory of 2332 (pid 2072, omsecor.exe, procid_target 31)
  - PID 2072 wrote to memory of 2332 (pid 2072, omsecor.exe, procid_target 31)
  - PID 2072 wrote to memory of 2332 (pid 2072, omsecor.exe, procid_target 31)
  - PID 2072 wrote to memory of 2332 (pid 2072, omsecor.exe, procid_target 31)
  - PID 2072 wrote to memory of 2332 (pid 2072, omsecor.exe, procid_target 31)
  - PID 2072 wrote to memory of 2332 (pid 2072, omsecor.exe, procid_target 31)
  - PID 2332 wrote to memory of 2688 (pid 2332, omsecor.exe, procid_target 33)
  - PID 2332 wrote to memory of 2688 (pid 2332, omsecor.exe, procid_target 33)
  - PID 2332 wrote to memory of 2688 (pid 2332, omsecor.exe, procid_target 33)
  - PID 2332 wrote to memory of 2688 (pid 2332, omsecor.exe, procid_target 33)
  - PID 2688 wrote to memory of 2416 (pid 2688, omsecor.exe, procid_target 34)
  - PID 2688 wrote to memory of 2416 (pid 2688, omsecor.exe, procid_target 34)
  - PID 2688 wrote to memory of 2416 (pid 2688, omsecor.exe, procid_target 34)
  - PID 2688 wrote to memory of 2416 (pid 2688, omsecor.exe, procid_target 34)
  - PID 2688 wrote to memory of 2416 (pid 2688, omsecor.exe, procid_target 34)
  - PID 2688 wrote to memory of 2416 (pid 2688, omsecor.exe, procid_target 34)
  - PID 2416 wrote to memory of 632 (pid 2416, omsecor.exe, procid_target 35)
  - PID 2416 wrote to memory of 632 (pid 2416, omsecor.exe, procid_target 35)
  - PID 2416 wrote to memory of 632 (pid 2416, omsecor.exe, procid_target 35)
  - PID 2416 wrote to memory of 632 (pid 2416, omsecor.exe, procid_target 35)
  - PID 632 wrote to memory of 1920 (pid 632, omsecor.exe, procid_target 36)
  - PID 632 wrote to memory of 1920 (pid 632, omsecor.exe, procid_target 36)
  - PID 632 wrote to memory of 1920 (pid 632, omsecor.exe, procid_target 36)
  - PID 632 wrote to memory of 1920 (pid 632, omsecor.exe, procid_target 36)
  - PID 632 wrote to memory of 1920 (pid 632, omsecor.exe, procid_target 36)
  - PID 632 wrote to memory of 1920 (pid 632, omsecor.exe, procid_target 36)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe"
  PID: 3004
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- Level 2: C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  PID: 3008
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- Level 3: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2072
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- Level 4: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 2332
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- Level 5: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
  PID: 2688
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- Level 6: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\SysWOW64\omsecor.exe
  PID: 2416
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- Level 7: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 632
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- Level 8: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID: 1920
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
Network
- Remote address: 8.8.8.8:53
  Request: lousta.net IN A
  Response: lousta.net IN A 193.166.255.171
- Remote address: 8.8.8.8:53
  Request: mkkuei4kdsz.com IN A
  Response: mkkuei4kdsz.com IN A 3.33.243.145; mkkuei4kdsz.com IN A 15.197.204.56
- Remote address: 3.33.243.145:80
  Request:
  GET /350/343.html HTTP/1.1
  From: 133818961790942000
  Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<1/0,\j`w<a6c211`4e-5a024^`c32214c,51.a6_3
  Host: mkkuei4kdsz.com
  Connection: Keep-Alive
  Response:
  HTTP/1.1 200 OK
  date: Tue, 21 Jan 2025 01:24:03 GMT
  content-length: 114
- Remote address: 8.8.8.8:53
  Request: ow5dirasuek.com IN A
  Response: ow5dirasuek.com IN A 52.34.198.229
- Remote address: 52.34.198.229:80
  Request:
  GET /103/879.html HTTP/1.1
  From: 133818961790942000
  Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<1/0,\j`w<a6c211`4e-5a024^`c32214c,51.a6_3
  Host: ow5dirasuek.com
  Connection: Keep-Alive
  Response:
  HTTP/1.1 200 OK
  Date: Tue, 21 Jan 2025 01:24:14 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: btst=fee440354cf4f59e094e29aff54703d4|181.215.176.83|1737422654|1737422654|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
  Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Traffic summary
- 152 B, 3
- 152 B, 3
- 473 B, 644 B, 6, 5: HTTP Request GET http://mkkuei4kdsz.com/350/343.html; HTTP Response 200
- 421 B, 631 B, 5, 5: HTTP Request GET http://ow5dirasuek.com/103/879.html; HTTP Response 200
- 152 B, 3
- 104 B, 2
- 56 B, 72 B, 1, 1: DNS Request lousta.net; DNS Response 193.166.255.171
- 61 B, 93 B, 1, 1: DNS Request mkkuei4kdsz.com; DNS Response 3.33.243.145, 15.197.204.56
- 61 B, 77 B, 1, 1: DNS Request ow5dirasuek.com; DNS Response 52.34.198.229
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
  MD5: 3ed580a195e52b712ad98701276f22d8
  SHA1: fdba91bb0cdfcd6f2f65fb551baa744d98b634c6
  SHA256: 8e4775af7a2110c3eb14285f90948e6933d1d9625c8391b76df32faea4436682
  SHA512: acc842831c96d1ccc40691b02154a7575c5ffbcf95bcb0970cbc8e9367b8de7798ec19d9a8564c344de7566bd8a548022c3c1d787be0915a5498023ac7b7c8ae
- Filesize: 96KB
  MD5: 216085c311aace2d5b61509caee07b20
  SHA1: e52e1a728dc947009203814712f92258fc09886d
  SHA256: 31acc51124c3a0e20b3506ad24075b2efd154e170658a0c28eb8c2acd9103b08
  SHA512: 7d77a9128bd15eeb229362f75640cad0a37eae6de2db60982b21962639435f96b5d23306f2c26137b1d1d14105ac1a90d35a8cd8b8bdd88cba7bfb2cc566e813
- Filesize: 96KB
  MD5: 2d707eb52b14e5aa26575790a3dfe3a4
  SHA1: 2331803e9930f0ffc6d73f85013c6536552d0cec
  SHA256: 983874cb880cca33b5b81bf8945f0585b7e2b1d83c3b0647b59466123155b4a0
  SHA512: 35543a91dd455b9eefe50f82a6683278cd6b0b848f707c11ff0ba25e73d168eb2b5121c2e320393eadca3b9ac01fd1263001a4ace687bee0ee5cfe514223bb16