Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21/01/2025, 10:23 UTC

General

  • Target

    caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe

  • Size

    96KB

  • MD5

    708cabe5570c1688b17002a97837de90

  • SHA1

    eb4a4b14b32128274e404966763f7b49d24f6b4a

  • SHA256

    caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680

  • SHA512

    007241ba219fe352531d781c51599bf865087e1a83a84c731f7afced2136bc991522801132be724484a7eb6c044c90bbf1270d4b37241cb05e142a20a96678d6

  • SSDEEP

    1536:3nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxu:3Gs8cd8eXlYairZYqMddH13u

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe
    "C:\Users\Admin\AppData\Local\Temp\caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Users\Admin\AppData\Local\Temp\caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe
      C:\Users\Admin\AppData\Local\Temp\caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1324
            • C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\SysWOW64\omsecor.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1236
              • C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1708
                • C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2436

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    3.33.243.145
    mkkuei4kdsz.com
    IN A
    15.197.204.56
  • flag-us
    GET
    http://mkkuei4kdsz.com/391/762.html
    omsecor.exe
    Remote address:
    3.33.243.145:80
    Request
    GET /391/762.html HTTP/1.1
    From: 133819285884732000
    Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?423/_mcz?196d64df549:74862dc:8b8d.2325e`c
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Tue, 21 Jan 2025 10:24:12 GMT
    content-length: 114
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/991/643.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /991/643.html HTTP/1.1
    From: 133819285884732000
    Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?423/_mcz?196d64df549:74862dc:8b8d.2325e`c
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 21 Jan 2025 10:24:22 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=c89daa0174b4375d7f8d10c479408dbb|181.215.176.83|1737455062|1737455062|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 3.33.243.145:80
    http://mkkuei4kdsz.com/391/762.html
    http
    omsecor.exe
    473 B
    644 B
    6
    5

    HTTP Request

    GET http://mkkuei4kdsz.com/391/762.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/991/643.html
    http
    omsecor.exe
    421 B
    623 B
    5
    5

    HTTP Request

    GET http://ow5dirasuek.com/991/643.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    152 B
    3
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    104 B
    2
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    3.33.243.145
    15.197.204.56

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    f5ee8d0e72495812d54b1fc77d1a379e

    SHA1

    3969628bbec63b9906d2a52dfde90cd9be09a840

    SHA256

    c783c1f1900f45f0db262b44e3fc4dfda92fa9bb65bdabdc6b0c5b9b8859ebb7

    SHA512

    26544adeef52ac77ae89567a1a2483eaf7cb7ffe748628ecda796cfa98f73eea90ab5487521a08932c9535f1030c334e0c3753d813dcc5bfdef44d4798d79b7c

  • \Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    96KB

    MD5

    e213813fb1b755d053e95d2277f40603

    SHA1

    e36c2a2b91c40ee10e8a7478dca5fe2fd7ae7547

    SHA256

    fcc7cc8abd01284ca2aa06e67f38b4532efc0c208d2fef0a6297acea92dfe54a

    SHA512

    dc657ceb009b2f10b8c0fe1e333b980493f964f0ac08e1d286211c0b9ae09d81a7efebf4cdab14b9e1e35fb55ac5b810fce7e7a910522de29c6e2bcc74400799

  • \Windows\SysWOW64\omsecor.exe

    Filesize

    96KB

    MD5

    7fb604aa3b2691b5341df72cf7e6ee13

    SHA1

    99b436c3e6cbeec1ef7bb075591c903a1666ba50

    SHA256

    a495755b32731ab7bd275850c4f0b4fbfd444c9b457990f3fa7b84cf5ec9c4ed

    SHA512

    a8163bedec875319f80db0d620c02f19e67f60f8b44ac5b0fb1b2a071bb614a7fd08bfffa06e7118dd7aa942064c80a2600beec46734620282a5212388f3f16c

  • memory/1236-72-0x00000000001C0000-0x00000000001E3000-memory.dmp

    Filesize

    140KB

  • memory/1324-66-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1708-87-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2396-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2396-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2396-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2396-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2396-6-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2420-22-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2420-25-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/2420-33-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2436-89-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2744-36-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2744-45-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2744-48-0x00000000003B0000-0x00000000003D3000-memory.dmp

    Filesize

    140KB

  • memory/2744-54-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2744-57-0x00000000003B0000-0x00000000003D3000-memory.dmp

    Filesize

    140KB

  • memory/2744-42-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2744-39-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2892-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2892-9-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2892-2-0x00000000001C0000-0x00000000001E3000-memory.dmp

    Filesize

    140KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.