Resubmissions

21/01/2025, 13:23 UTC

250121-qm6f9awmck 10

21/01/2025, 13:09 UTC

250121-qd933svrer 10

Analysis

  • max time kernel
    71s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/01/2025, 13:23 UTC

General

  • Target

    123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe

  • Size

    96KB

  • MD5

    f52b87b3a347a98aaa214c53bbf3e320

  • SHA1

    88f7e62d9b4acbb8b1a34c6c91929f4565797b4e

  • SHA256

    123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0

  • SHA512

    75b896379303f12c88f3b7097356df19662898761803d1cac699491a357f3bf3bdcc2487e187335983ef6c464f5eeb8e0aec47d4c866ae04246ccde05731bcf1

  • SSDEEP

    1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:4Gs8cd8eXlYairZYqMddH13T

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 23 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
    "C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
      C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2536
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2188
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2628

    Network

    • flag-us
      DNS
      lousta.net
      omsecor.exe
      Remote address:
      8.8.8.8:53
      Request
      lousta.net
      IN A
      Response
      lousta.net
      IN A
      193.166.255.171
    • flag-fi
      GET
      http://lousta.net/226/147.html
      omsecor.exe
      Remote address:
      193.166.255.171:80
      Request
      GET /226/147.html HTTP/1.1
      From: 133819394334184000
      Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<1/0,\j`w<.0b]_d]74].b,2a-/a44/\a01`a+.2a4
      Host: lousta.net
      Connection: Keep-Alive
    • flag-fi
      GET
      http://lousta.net/804/713.html
      omsecor.exe
      Remote address:
      193.166.255.171:80
      Request
      GET /804/713.html HTTP/1.1
      From: 133819394334184000
      Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<1/0,\j`w<.0b]_d]74].b,2a-/a44/\a01`a+.2a4
      Host: lousta.net
      Connection: Keep-Alive
    • 193.166.255.171:80
      http://lousta.net/226/147.html
      http
      omsecor.exe
      416 B
      132 B
      5
      3

      HTTP Request

      GET http://lousta.net/226/147.html
    • 193.166.255.171:80
      http://lousta.net/804/713.html
      http
      omsecor.exe
      412 B
      128 B
      5
      3

      HTTP Request

      GET http://lousta.net/804/713.html
    • 8.8.8.8:53
      lousta.net
      dns
      omsecor.exe
      56 B
      72 B
      1
      1

      DNS Request

      lousta.net

      DNS Response

      193.166.255.171

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Roaming\omsecor.exe

      Filesize

      96KB

      MD5

      3ed580a195e52b712ad98701276f22d8

      SHA1

      fdba91bb0cdfcd6f2f65fb551baa744d98b634c6

      SHA256

      8e4775af7a2110c3eb14285f90948e6933d1d9625c8391b76df32faea4436682

      SHA512

      acc842831c96d1ccc40691b02154a7575c5ffbcf95bcb0970cbc8e9367b8de7798ec19d9a8564c344de7566bd8a548022c3c1d787be0915a5498023ac7b7c8ae

    • memory/1800-2-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/1800-9-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/1800-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1800-11-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/1800-5-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/1800-14-0x0000000000240000-0x0000000000263000-memory.dmp

      Filesize

      140KB

    • memory/2380-31-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

    • memory/2516-7-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

    • memory/2516-0-0x0000000000400000-0x0000000000423000-memory.dmp

      Filesize

      140KB

    • memory/2536-34-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2536-37-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/2628-40-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2628-41-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.