Analysis
max time kernel: 71s
max time network: 71s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2025, 13:23 UTC
Static task: static1
General
Target: 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
Size: 96KB
MD5: f52b87b3a347a98aaa214c53bbf3e320
SHA1: 88f7e62d9b4acbb8b1a34c6c91929f4565797b4e
SHA256: 123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0
SHA512: 75b896379303f12c88f3b7097356df19662898761803d1cac699491a357f3bf3bdcc2487e187335983ef6c464f5eeb8e0aec47d4c866ae04246ccde05731bcf1
SSDEEP: 1536:4nAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxT:4Gs8cd8eXlYairZYqMddH13T
Malware Config
Extracted
Family: neconyd
URLs:
  http://ow5dirasuek.com/
  http://mkkuei4kdsz.com/
  http://lousta.net/
Signatures

Neconyd family

Executes dropped EXE (2 IoCs)
  pid   Process
  2380  omsecor.exe
  2536  omsecor.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  1800  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  1800  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  2380  omsecor.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                           pid   Process                                                                 procid_target
  PID 2516 set thread context of 1800   2516  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe   30
  PID 2380 set thread context of 2536   2380  omsecor.exe                                                             32

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   Process
  2628  taskmgr.exe   (11 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2628  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2628  taskmgr.exe

Suspicious use of FindShellTrayWindow (23 IoCs)
  pid   Process
  2628  taskmgr.exe   (23 identical entries)

Suspicious use of SendNotifyMessage (23 IoCs)
  pid   Process
  2628  taskmgr.exe   (23 identical entries)

Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2516 wrote to memory of 1800   2516  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe   30   (6 identical entries)
  PID 1800 wrote to memory of 2380   1800  123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe   31   (4 identical entries)
  PID 2380 wrote to memory of 2536   2380  omsecor.exe                                                             32   (6 identical entries)
Processes

Process tree (depth shown by indentation):

C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe"
  PID: 2516
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\123b4f82e6e08a3ab96750b8d244d25a3247164067f4ebb2dd9eb11e3b90d6f0.exe
    PID: 1800
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      PID: 2380
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        PID: 2536
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2188

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2628
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network

DNS
  Remote address: 8.8.8.8:53
  Request:  lousta.net IN A
  Response: lousta.net IN A 193.166.255.171

HTTP request
  Remote address: 193.166.255.171:80
  GET /226/147.html HTTP/1.1
  From: 133819394334184000
  Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<1/0,\j`w<.0b]_d]74].b,2a-/a44/\a01`a+.2a4
  Host: lousta.net
  Connection: Keep-Alive

HTTP request
  Remote address: 193.166.255.171:80
  GET /804/713.html HTTP/1.1
  From: 133819394334184000
  Via: bjledplYpdq;6+3]^mc`;4Yn`m_l8//+./.0]jq<1/0,\j`w<.0b]_d]74].b,2a-/a44/\a01`a+.2a4
  Host: lousta.net
  Connection: Keep-Alive

Traffic summary (as listed in the report: 416 B 132 B 5 3 / 412 B 128 B 5 3)
  HTTP Request: GET http://lousta.net/226/147.html   416 B   132 B   5   3
  HTTP Request: GET http://lousta.net/804/713.html   412 B   128 B   5   3
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 96KB
MD5: 3ed580a195e52b712ad98701276f22d8
SHA1: fdba91bb0cdfcd6f2f65fb551baa744d98b634c6
SHA256: 8e4775af7a2110c3eb14285f90948e6933d1d9625c8391b76df32faea4436682
SHA512: acc842831c96d1ccc40691b02154a7575c5ffbcf95bcb0970cbc8e9367b8de7798ec19d9a8564c344de7566bd8a548022c3c1d787be0915a5498023ac7b7c8ae