Analysis
-
max time kernel
114s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22/01/2025, 00:06 UTC
Behavioral task
behavioral1
Sample
5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe
Resource
win7-20241010-en
General
-
Target
5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe
-
Size
76KB
-
MD5
e625719f383b6b647d52a79ca97e1340
-
SHA1
c880a72b4edb2318640e08bc3c5d94ce2279280f
-
SHA256
5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02
-
SHA512
f4e9a93ea055a58973e8adab385e2a01565206bfb657c4dcc36aff8341da27354df94a4bc95f257c988be0bd5cdd2ebf9bd41dc5d4baa92f77a9a5b1f97ecc78
-
SSDEEP
1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11b:XdseIOMEZEyFjEOFqaiQm5l/5w11b
Malware Config
Extracted
neconyd
http://ow5dirasuek.com/
http://mkkuei4kdsz.com/
http://lousta.net/
Signatures
-
Neconyd family
-
Executes dropped EXE 3 IoCs
pid   Process
1868  omsecor.exe
3576  omsecor.exe
4444  omsecor.exe
-
Drops file in System32 directory 1 IoCs
description   ioc                              Process
File created  C:\Windows\SysWOW64\omsecor.exe  omsecor.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  omsecor.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description                        pid   Process                                                                  procid_target
PID 4112 wrote to memory of 1868   4112  5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe   83
PID 4112 wrote to memory of 1868   4112  5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe   83
PID 4112 wrote to memory of 1868   4112  5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe   83
PID 1868 wrote to memory of 3576   1868  omsecor.exe                                                              100
PID 1868 wrote to memory of 3576   1868  omsecor.exe                                                              100
PID 1868 wrote to memory of 3576   1868  omsecor.exe                                                              100
PID 3576 wrote to memory of 4444   3576  omsecor.exe                                                              101
PID 3576 wrote to memory of 4444   3576  omsecor.exe                                                              101
PID 3576 wrote to memory of 4444   3576  omsecor.exe                                                              101
Processes
-
1. Image: C:\Users\Admin\AppData\Local\Temp\5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 4112
   2. Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
      Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1868
      3. Image: C:\Windows\SysWOW64\omsecor.exe
         Command line: C:\Windows\System32\omsecor.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 3576
         4. Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
            Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 4444
Network
-
Remote address: 8.8.8.8:53
Request: lousta.net IN A
Response: lousta.net IN A 193.166.255.171
-
Remote address: 8.8.8.8:53
Request: 28.118.140.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 28.118.140.52.in-addr.arpa IN PTR
-
Remote address: 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 73.159.190.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 73.159.190.20.in-addr.arpa IN PTR
-
Remote address: 8.8.8.8:53
Request: 7.98.51.23.in-addr.arpa IN PTR
Response: 7.98.51.23.in-addr.arpa IN PTR a23-51-98-7.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 232.168.11.51.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 212.20.149.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 212.20.149.52.in-addr.arpa IN PTR
-
Remote address: 8.8.8.8:53
Request: 15.164.165.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 112.27.33.23.in-addr.arpa IN PTR
Response: 112.27.33.23.in-addr.arpa IN PTR a23-33-27-112.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: mkkuei4kdsz.com IN A
Response: mkkuei4kdsz.com IN A 15.197.204.56
          mkkuei4kdsz.com IN A 3.33.243.145
-
Remote address: 15.197.204.56:80
Request:
GET /612/101.html HTTP/1.1
From: 133819779783911416
Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}Bg4fcf<1f69=6c48gjgd8ge6h1f>6g<59
Host: mkkuei4kdsz.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
date: Wed, 22 Jan 2025 00:07:21 GMT
content-length: 114
-
Remote address: 8.8.8.8:53
Request: 228.249.119.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 56.204.197.15.in-addr.arpa IN PTR
Response: 56.204.197.15.in-addr.arpa IN PTR a3edc0dabdef92d6d.awsglobalaccelerator.com
-
Remote address: 8.8.8.8:53
Request: ow5dirasuek.com IN A
Response: ow5dirasuek.com IN A 52.34.198.229
-
Remote address: 52.34.198.229:80
Request:
GET /369/385.html HTTP/1.1
From: 133819779783911416
Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}Bg4fcf<1f69=6c48gjgd8ge6h1f>6g<59
Host: ow5dirasuek.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Date: Wed, 22 Jan 2025 00:07:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=003c9536db6237f967087d319ec60ee2|181.215.176.83|1737504452|1737504452|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
-
Remote address: 8.8.8.8:53
Request: 229.198.34.52.in-addr.arpa IN PTR
Response: 229.198.34.52.in-addr.arpa IN PTR ec2-52-34-198-229.us-west-2.compute.amazonaws.com
-
260 B 5
-
260 B 5
-
513 B 428 B 7 5
HTTP Request
GET http://mkkuei4kdsz.com/612/101.html
HTTP Response
200 -
467 B 631 B 6 5
HTTP Request
GET http://ow5dirasuek.com/369/385.html
HTTP Response
200 -
260 B 5
-
156 B 3
-
56 B 72 B 1 1
DNS Request
lousta.net
DNS Response
193.166.255.171
-
144 B 158 B 2 1
DNS Request
28.118.140.52.in-addr.arpa
DNS Request
28.118.140.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
144 B 158 B 2 1
DNS Request
73.159.190.20.in-addr.arpa
DNS Request
73.159.190.20.in-addr.arpa
-
69 B 131 B 1 1
DNS Request
7.98.51.23.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
144 B 146 B 2 1
DNS Request
212.20.149.52.in-addr.arpa
DNS Request
212.20.149.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
112.27.33.23.in-addr.arpa
-
61 B 93 B 1 1
DNS Request
mkkuei4kdsz.com
DNS Response
15.197.204.56
3.33.243.145
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
72 B 128 B 1 1
DNS Request
56.204.197.15.in-addr.arpa
-
61 B 77 B 1 1
DNS Request
ow5dirasuek.com
DNS Response
52.34.198.229
-
72 B 135 B 1 1
DNS Request
229.198.34.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
76KB
MD5
cde732ab955bce75b5c4e130f71dd2a0
SHA1
3f579f59ea9dc6ef347bc651eb7c2d69ef7579f6
SHA256
a132a5537ddd4d38f221b54c6b58c513a1fd257f34c1bbf3df507e91157a5712
SHA512
eaf858be85af2161185ca071efb0ae2a40b1574630f02c7d395bddb1b5b9a6ed39021d69a6471533e4907acd840cd1631dc114efcdbb6ab779f96b7906585f28
-
Filesize
76KB
MD5
7ee49d0d86e97854e51f91a421849168
SHA1
75b50ef899f91312cf359ec52ad3ba66a991019c
SHA256
0f2741b54aad10152414c3fbd48175dfd77bedf269f6ced5c104f75b431ebc94
SHA512
833c77342f6aa5b1d0bfdd2b9d7b2ab52c227c70fe8602081893a79aef61e4e6dfa36e10f8de3f3660cdf5da102df635357d21e8c2211a75f03ab9140472a6a1
-
Filesize
76KB
MD5
8e52a2a3945a522e2c92c84f697d1d79
SHA1
ded43f2b2b727cc948bc7643afb02caef45a6311
SHA256
6d6903a44a6aea25a276cf679d86f1814410f75b80af8b164dfb8a42810b2793
SHA512
ab35876039bb148c47a0a5226ddf0b9b2e4f407ac611353efa754d4ac2e5976edcfce84df2e8cef61b73687a5ff1df0ced1f7d78f376f9c2137a17fc7f871342