Analysis

  • max time kernel
    114s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2025, 00:06 UTC

General

  • Target

    5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe

  • Size

    76KB

  • MD5

    e625719f383b6b647d52a79ca97e1340

  • SHA1

    c880a72b4edb2318640e08bc3c5d94ce2279280f

  • SHA256

    5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02

  • SHA512

    f4e9a93ea055a58973e8adab385e2a01565206bfb657c4dcc36aff8341da27354df94a4bc95f257c988be0bd5cdd2ebf9bd41dc5d4baa92f77a9a5b1f97ecc78

  • SSDEEP

    1536:fd9dseIOcE93bIvYvZEyF4EEOF6N4XS+AQmZTl/5w11b:XdseIOMEZEyFjEOFqaiQm5l/5w11b

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

  • Neconyd

    Neconyd is a trojan written in C++.

  • Neconyd family
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe
    "C:\Users\Admin\AppData\Local\Temp\5c726ef1537032b8e886b5481a80fab21f41f9b610d82e561853c85409b90e02.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4112
    • C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3576
        • C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4444

Network

  • flag-us
    DNS
    lousta.net
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    lousta.net
    IN A
    Response
    lousta.net
    IN A
    193.166.255.171
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    7.98.51.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.98.51.23.in-addr.arpa
    IN PTR
    Response
    7.98.51.23.in-addr.arpa
    IN PTR
    a23-51-98-7deploystaticakamaitechnologiescom
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    112.27.33.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    112.27.33.23.in-addr.arpa
    IN PTR
    Response
    112.27.33.23.in-addr.arpa
    IN PTR
    a23-33-27-112deploystaticakamaitechnologiescom
  • flag-us
    DNS
    mkkuei4kdsz.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    mkkuei4kdsz.com
    IN A
    Response
    mkkuei4kdsz.com
    IN A
    15.197.204.56
    mkkuei4kdsz.com
    IN A
    3.33.243.145
  • flag-us
    GET
    http://mkkuei4kdsz.com/612/101.html
    omsecor.exe
    Remote address:
    15.197.204.56:80
    Request
    GET /612/101.html HTTP/1.1
    From: 133819779783911416
    Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}Bg4fcf<1f69=6c48gjgd8ge6h1f>6g<59
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Wed, 22 Jan 2025 00:07:21 GMT
    content-length: 114
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.204.197.15.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.204.197.15.in-addr.arpa
    IN PTR
    Response
    56.204.197.15.in-addr.arpa
    IN PTR
    a3edc0dabdef92d6dawsglobalacceleratorcom
  • flag-us
    DNS
    ow5dirasuek.com
    omsecor.exe
    Remote address:
    8.8.8.8:53
    Request
    ow5dirasuek.com
    IN A
    Response
    ow5dirasuek.com
    IN A
    52.34.198.229
  • flag-us
    GET
    http://ow5dirasuek.com/369/385.html
    omsecor.exe
    Remote address:
    52.34.198.229:80
    Request
    GET /369/385.html HTTP/1.1
    From: 133819779783911416
    Via: hprkjvr_vjwA<19cdsifA:_tfser>5514546cpwB7652bpf}Bg4fcf<1f69=6c48gjgd8ge6h1f>6g<59
    Host: ow5dirasuek.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 22 Jan 2025 00:07:32 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=003c9536db6237f967087d319ec60ee2|181.215.176.83|1737504452|1737504452|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    229.198.34.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    229.198.34.52.in-addr.arpa
    IN PTR
    Response
    229.198.34.52.in-addr.arpa
    IN PTR
    ec2-52-34-198-229 us-west-2compute amazonawscom
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 15.197.204.56:80
    http://mkkuei4kdsz.com/612/101.html
    http
    omsecor.exe
    513 B
    428 B
    7
    5

    HTTP Request

    GET http://mkkuei4kdsz.com/612/101.html

    HTTP Response

    200
  • 52.34.198.229:80
    http://ow5dirasuek.com/369/385.html
    http
    omsecor.exe
    467 B
    631 B
    6
    5

    HTTP Request

    GET http://ow5dirasuek.com/369/385.html

    HTTP Response

    200
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    260 B
    5
  • 193.166.255.171:80
    lousta.net
    omsecor.exe
    156 B
    3
  • 8.8.8.8:53
    lousta.net
    dns
    omsecor.exe
    56 B
    72 B
    1
    1

    DNS Request

    lousta.net

    DNS Response

    193.166.255.171

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    28.118.140.52.in-addr.arpa

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    73.159.190.20.in-addr.arpa

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    7.98.51.23.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    7.98.51.23.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    144 B
    146 B
    2
    1

    DNS Request

    212.20.149.52.in-addr.arpa

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    112.27.33.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    112.27.33.23.in-addr.arpa

  • 8.8.8.8:53
    mkkuei4kdsz.com
    dns
    omsecor.exe
    61 B
    93 B
    1
    1

    DNS Request

    mkkuei4kdsz.com

    DNS Response

    15.197.204.56
    3.33.243.145

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    56.204.197.15.in-addr.arpa
    dns
    72 B
    128 B
    1
    1

    DNS Request

    56.204.197.15.in-addr.arpa

  • 8.8.8.8:53
    ow5dirasuek.com
    dns
    omsecor.exe
    61 B
    77 B
    1
    1

    DNS Request

    ow5dirasuek.com

    DNS Response

    52.34.198.229

  • 8.8.8.8:53
    229.198.34.52.in-addr.arpa
    dns
    72 B
    135 B
    1
    1

    DNS Request

    229.198.34.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    76KB

    MD5

    cde732ab955bce75b5c4e130f71dd2a0

    SHA1

    3f579f59ea9dc6ef347bc651eb7c2d69ef7579f6

    SHA256

    a132a5537ddd4d38f221b54c6b58c513a1fd257f34c1bbf3df507e91157a5712

    SHA512

    eaf858be85af2161185ca071efb0ae2a40b1574630f02c7d395bddb1b5b9a6ed39021d69a6471533e4907acd840cd1631dc114efcdbb6ab779f96b7906585f28

  • C:\Users\Admin\AppData\Roaming\omsecor.exe

    Filesize

    76KB

    MD5

    7ee49d0d86e97854e51f91a421849168

    SHA1

    75b50ef899f91312cf359ec52ad3ba66a991019c

    SHA256

    0f2741b54aad10152414c3fbd48175dfd77bedf269f6ced5c104f75b431ebc94

    SHA512

    833c77342f6aa5b1d0bfdd2b9d7b2ab52c227c70fe8602081893a79aef61e4e6dfa36e10f8de3f3660cdf5da102df635357d21e8c2211a75f03ab9140472a6a1

  • C:\Windows\SysWOW64\omsecor.exe

    Filesize

    76KB

    MD5

    8e52a2a3945a522e2c92c84f697d1d79

    SHA1

    ded43f2b2b727cc948bc7643afb02caef45a6311

    SHA256

    6d6903a44a6aea25a276cf679d86f1814410f75b80af8b164dfb8a42810b2793

    SHA512

    ab35876039bb148c47a0a5226ddf0b9b2e4f407ac611353efa754d4ac2e5976edcfce84df2e8cef61b73687a5ff1df0ced1f7d78f376f9c2137a17fc7f871342

  • memory/1868-6-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1868-7-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1868-13-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3576-11-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3576-17-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4112-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4112-4-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4444-18-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4444-20-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.