Analysis

  • max time kernel
    116s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21/01/2025, 01:22 UTC

General

  • Target

    123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe

  • Size

    96KB

  • MD5

    f52b87b3a347a98aaa214c53bbf3e320

  • SHA1

    88f7e62d9b4acbb8b1a34c6c91929f4565797b4e

  • SHA256

    123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0

  • SHA512

    75b896379303f12c88f3b7097356df19662898761803d1cac699491a357f3bf3bdcc2487e187335983ef6c464f5eeb8e0aec47d4c866ae04246ccde05731bcf1

  • SSDEEP

    1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:4Gs8cd8eXlYairZYqMddH13T

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
    "C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
      C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2332
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2416
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:632
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1920

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    3.33.243.145
    mkkuei4kdsz.com
    IN A
    15.197.204.56
  • flag-us
    GET
    http://mkkuei4kdsz.com/350/343.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /350/343.html HTTP/1.1
    From: 133818961790942000
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<1/0,\j`w<a6c211`4e-5a024^`c32214c,51.a6_3
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Tue, 21 Jan 2025 01:24:03 GMT
    content-length: 114
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/103/879.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /103/879.html HTTP/1.1
    From: 133818961790942000
    Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<1/0,\j`w<a6c211`4e-5a024^`c32214c,51.a6_3
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 21 Jan 2025 01:24:14 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=fee440354cf4f59e094e29aff54703d4|181.215.176.83|1737422654|1737422654|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/350/343.html
    http
    omsecor.exe
    473 B
    644 B
    6
    5

    HTTP Request

    GET http://mkkuei4kdsz.com/350/343.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/103/879.html
    http
    omsecor.exe
    421 B
    631 B
    5
    5

    HTTP Request

    GET http://ow5dirasuek.com/103/879.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    104 B
    2
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    3.33.243.145
    15.197.204.56

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    3ed580a195e52b712ad98701276f22d8

    SHA1

    fdba91bb0cdfcd6f2f65fb551baa744d98b634c6

    SHA256

    8e4775af7a2110c3eb14285f90948e6933d1d9625c8391b76df32faea4436682

    SHA512

    acc842831c96d1ccc40691b02154a7575c5ffbcf95bcb0970cbc8e9367b8de7798ec19d9a8564c344de7566bd8a548022c3c1d787be0915a5498023ac7b7c8ae

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    216085c311aace2d5b61509caee07b20

    SHA1

    e52e1a728dc947009203814712f92258fc09886d

    SHA256

    31acc51124c3a0e20b3506ad24075b2efd154e170658a0c28eb8c2acd9103b08

    SHA512

    7d77a9128bd15eeb229362f75640cad0a37eae6de2db60982b21962639435f96b5d23306f2c26137b1d1d14105ac1a90d35a8cd8b8bdd88cba7bfb2cc566e813

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    2d707eb52b14e5aa26575790a3dfe3a4

    SHA1

    2331803e9930f0ffc6d73f85013c6536552d0cec

    SHA256

    983874cb880cca33b5b81bf8945f0585b7e2b1d83c3b0647b59466123155b4a0

    SHA512

    35543a91dd455b9eefe50f82a6683278cd6b0b848f707c11ff0ba25e73d168eb2b5121c2e320393eadca3b9ac01fd1263001a4ace687bee0ee5cfe514223bb16

  • memory/632-88-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/632-81-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1920-91-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2072-24-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2072-32-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2332-38-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2332-54-0x00000000003A0000-0x00000000003C3000-memory.dmp

    Filesize

    140KB

  • memory/2332-57-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2332-35-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2332-48-0x00000000003A0000-0x00000000003C3000-memory.dmp

    Filesize

    140KB

  • memory/2332-41-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2332-44-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2416-73-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2688-58-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2688-66-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3004-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3004-8-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3008-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/3008-20-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3008-13-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/3008-5-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3008-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3008-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.