Analysis
max time kernel: 115s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2025, 10:23 UTC
Static task: static1
Behavioral task: behavioral1
Sample: caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe
Resource: win7-20240729-en
General
Target: caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe
Size: 96KB
MD5: 708cabe5570c1688b17002a97837de90
SHA1: eb4a4b14b32128274e404966763f7b49d24f6b4a
SHA256: caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680
SHA512: 007241ba219fe352531d781c51599bf865087e1a83a84c731f7afced2136bc991522801132be724484a7eb6c044c90bbf1270d4b37241cb05e142a20a96678d6
SSDEEP: 1536:3nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxu:3Gs8cd8eXlYairZYqMddH13u
Malware Config
Extracted
Family: neconyd
C2:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (6 IoCs)
  PID   Process
  2420  omsecor.exe
  2744  omsecor.exe
  1324  omsecor.exe
  1236  omsecor.exe
  1708  omsecor.exe
  2436  omsecor.exe

Loads dropped DLL (7 IoCs)
  PID   Process
  2396  caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe
  2396  caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe
  2420  omsecor.exe
  2744  omsecor.exe
  2744  omsecor.exe
  1236  omsecor.exe
  1236  omsecor.exe

Drops file in System32 directory (1 IoC)
  Description   IoC                              Process
  File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe

Suspicious use of SetThreadContext (4 IoCs)
  Description                          PID   Process                                                                  procid_target
  PID 2892 set thread context of 2396  2892  caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe  30
  PID 2420 set thread context of 2744  2420  omsecor.exe                                                              32
  PID 1324 set thread context of 1236  1324  omsecor.exe                                                              36
  PID 1708 set thread context of 2436  1708  omsecor.exe                                                              38

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious use of WriteProcessMemory (36 IoCs; identical rows collapsed, the Entries column gives how many times each row appears in the report)
  Description                       PID   Process                                                                  procid_target  Entries
  PID 2892 wrote to memory of 2396  2892  caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe  30             6
  PID 2396 wrote to memory of 2420  2396  caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe  31             4
  PID 2420 wrote to memory of 2744  2420  omsecor.exe                                                              32             6
  PID 2744 wrote to memory of 1324  2744  omsecor.exe                                                              35             4
  PID 1324 wrote to memory of 1236  1324  omsecor.exe                                                              36             6
  PID 1236 wrote to memory of 1708  1236  omsecor.exe                                                              37             4
  PID 1708 wrote to memory of 2436  1708  omsecor.exe                                                              38             6
Processes

1. C:\Users\Admin\AppData\Local\Temp\caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe (PID 2892)
   Command line: "C:\Users\Admin\AppData\Local\Temp\caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe (PID 2396)
      Command line: C:\Users\Admin\AppData\Local\Temp\caa395205da0af9e4626100ad4e6487cd545b013ca431286c4031083064f3680N.exe
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2420)
         Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2744)
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\omsecor.exe (PID 1324)
               Command line: C:\Windows\System32\omsecor.exe
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\SysWOW64\omsecor.exe (PID 1236)
                  Command line: C:\Windows\SysWOW64\omsecor.exe
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                  7. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1708)
                     Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                     - Executes dropped EXE
                     - Suspicious use of SetThreadContext
                     - System Location Discovery: System Language Discovery
                     - Suspicious use of WriteProcessMemory

                     8. C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2436)
                        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
                        - Executes dropped EXE
                        - System Location Discovery: System Language Discovery
Network

Flow 1: remote address 8.8.8.8:53 (DNS)
  Request:  lousta.net IN A
  Response: lousta.net IN A 193.166.255.171

Flow 2: remote address 8.8.8.8:53 (DNS)
  Request:  mkkuei4kdsz.com IN A
  Response: mkkuei4kdsz.com IN A 3.33.243.145
            mkkuei4kdsz.com IN A 15.197.204.56

Flow 3: remote address 3.33.243.145:80 (HTTP)
  Request:
    GET /391/762.html HTTP/1.1
    From: 133819285884732000
    Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?423/_mcz?196d64df549:74862dc:8b8d.2325e`c
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    date: Tue, 21 Jan 2025 10:24:12 GMT
    content-length: 114

Flow 4: remote address 8.8.8.8:53 (DNS)
  Request:  ow5dirasuek.com IN A
  Response: ow5dirasuek.com IN A 52.34.198.229

Flow 5: remote address 52.34.198.229:80 (HTTP)
  Request:
    GET /991/643.html HTTP/1.1
    From: 133819285884732000
    Via: emohgso\sgt>9.6`apfc>7\qcpbo;22.1213`mt?423/_mcz?196d64df549:74862dc:8b8d.2325e`c
    Host: ow5dirasuek.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Tue, 21 Jan 2025 10:24:22 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=c89daa0174b4375d7f8d10c479408dbb|181.215.176.83|1737455062|1737455062|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Traffic summary (bytes and packets sent / received per flow)
  Sent    Received  Pkts sent  Pkts received  Description
  152 B   -         3          -              -
  152 B   -         3          -              -
  473 B   644 B     6          5              HTTP Request GET http://mkkuei4kdsz.com/391/762.html; HTTP Response 200
  421 B   623 B     5          5              HTTP Request GET http://ow5dirasuek.com/991/643.html; HTTP Response 200
  152 B   -         3          -              -
  104 B   -         2          -              -
  56 B    72 B      1          1              DNS Request lousta.net; DNS Response 193.166.255.171
  61 B    93 B      1          1              DNS Request mkkuei4kdsz.com; DNS Response 3.33.243.145, 15.197.204.56
  61 B    77 B      1          1              DNS Request ow5dirasuek.com; DNS Response 52.34.198.229
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 96KB
  MD5: f5ee8d0e72495812d54b1fc77d1a379e
  SHA1: 3969628bbec63b9906d2a52dfde90cd9be09a840
  SHA256: c783c1f1900f45f0db262b44e3fc4dfda92fa9bb65bdabdc6b0c5b9b8859ebb7
  SHA512: 26544adeef52ac77ae89567a1a2483eaf7cb7ffe748628ecda796cfa98f73eea90ab5487521a08932c9535f1030c334e0c3753d813dcc5bfdef44d4798d79b7c

File 2
  Filesize: 96KB
  MD5: e213813fb1b755d053e95d2277f40603
  SHA1: e36c2a2b91c40ee10e8a7478dca5fe2fd7ae7547
  SHA256: fcc7cc8abd01284ca2aa06e67f38b4532efc0c208d2fef0a6297acea92dfe54a
  SHA512: dc657ceb009b2f10b8c0fe1e333b980493f964f0ac08e1d286211c0b9ae09d81a7efebf4cdab14b9e1e35fb55ac5b810fce7e7a910522de29c6e2bcc74400799

File 3
  Filesize: 96KB
  MD5: 7fb604aa3b2691b5341df72cf7e6ee13
  SHA1: 99b436c3e6cbeec1ef7bb075591c903a1666ba50
  SHA256: a495755b32731ab7bd275850c4f0b4fbfd444c9b457990f3fa7b84cf5ec9c4ed
  SHA512: a8163bedec875319f80db0d620c02f19e67f60f8b44ac5b0fb1b2a071bb614a7fd08bfffa06e7118dd7aa942064c80a2600beec46734620282a5212388f3f16c