Analysis
- Max time kernel: 114s
- Max time network: 126s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 22/01/2025, 13:29 UTC
Behavioral task
- Task: behavioral1
- Sample: 0a62e2fbb1d9c3fcdb07af63912c3915fd2742b011b9a4d23e53fff561342639N.exe
- Resource: win7-20240903-en
General
- Target: 0a62e2fbb1d9c3fcdb07af63912c3915fd2742b011b9a4d23e53fff561342639N.exe
- Size: 80KB
- MD5: be9b73a0ecea7c7c16e179b5f7abba60
- SHA1: 3e76d0ec8ff03bfcba85733b1a8c32834bf5a7c0
- SHA256: 0a62e2fbb1d9c3fcdb07af63912c3915fd2742b011b9a4d23e53fff561342639
- SHA512: 938d9f6542d590e391972a4488589c05e0b5f8916225015d2f857610fdfc94854960b4e5dcd19208781226190d83ae19e7dded4ad5055c47b1c1ec5b22457dde
- SSDEEP: 768:sfMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAK:sfbIvYvZEyFKF6N4yS+AQmZTl/5S
Malware Config
- Extracted family: neconyd
- C2 URLs:
  - http://ow5dirasuek.com/
  - http://mkkuei4kdsz.com/
  - http://lousta.net/
Signatures
- Neconyd family
- Executes dropped EXE (3 IoCs)
  - PID 552: omsecor.exe
  - PID 4068: omsecor.exe
  - PID 3764: omsecor.exe
- Drops file in System32 directory (1 IoC)
  - File created: C:\Windows\SysWOW64\omsecor.exe by omsecor.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 0a62e2fbb1d9c3fcdb07af63912c3915fd2742b011b9a4d23e53fff561342639N.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by omsecor.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by omsecor.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by omsecor.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 4592 (0a62e2fbb1d9c3fcdb07af63912c3915fd2742b011b9a4d23e53fff561342639N.exe) wrote to memory of PID 552, procid_target 82 (recorded 3 times)
  - PID 552 (omsecor.exe) wrote to memory of PID 4068, procid_target 92 (recorded 3 times)
  - PID 4068 (omsecor.exe) wrote to memory of PID 3764, procid_target 93 (recorded 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\0a62e2fbb1d9c3fcdb07af63912c3915fd2742b011b9a4d23e53fff561342639N.exe (PID 4592, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a62e2fbb1d9c3fcdb07af63912c3915fd2742b011b9a4d23e53fff561342639N.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 552, level 2)
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\omsecor.exe (PID 4068, level 3)
      Command line: C:\Windows\System32\omsecor.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 3764, level 4)
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
- 8.8.8.8:53 DNS: A lousta.net -> 193.166.255.171
- 8.8.8.8:53 DNS: PTR 8.8.8.8.in-addr.arpa -> dns.google
- 8.8.8.8:53 DNS: PTR 73.144.22.2.in-addr.arpa -> a2-22-144-73.deploy.static.akamaitechnologies.com
- 8.8.8.8:53 DNS: PTR 196.249.167.52.in-addr.arpa -> (no answer)
- 8.8.8.8:53 DNS: PTR 68.159.190.20.in-addr.arpa -> (no answer)
- 8.8.8.8:53 DNS: PTR 159.96.196.23.in-addr.arpa -> a23-196-96-159.deploy.static.akamaitechnologies.com
- 8.8.8.8:53 DNS: PTR 149.220.183.52.in-addr.arpa -> (no answer)
- 8.8.8.8:53 DNS: PTR 50.23.12.20.in-addr.arpa -> (no answer)
- 8.8.8.8:53 DNS: PTR 18.31.95.13.in-addr.arpa -> (no answer)
- 8.8.8.8:53 DNS: PTR 107.12.20.2.in-addr.arpa -> a2-20-12-107.deploy.static.akamaitechnologies.com
- 8.8.8.8:53 DNS: A mkkuei4kdsz.com -> 3.33.243.145, 15.197.204.56
- 3.33.243.145:80 HTTP
  Request:
    GET /900/518.html HTTP/1.1
    From: 133820261714793501
    Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>5dc0e7bfb^3:.1f60g/b3c6318e34gaf
    Host: mkkuei4kdsz.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    date: Wed, 22 Jan 2025 13:30:35 GMT
    content-length: 114
- 8.8.8.8:53 DNS: PTR 145.243.33.3.in-addr.arpa -> a3edc0dabdef92d6d.awsglobalaccelerator.com
- 8.8.8.8:53 DNS: A ow5dirasuek.com -> 52.34.198.229
- 52.34.198.229:80 HTTP
  Request:
    GET /552/533.html HTTP/1.1
    From: 133820261714793501
    Via: dlngfrn[rfs=8-5_`oeb=6[pboan:11-0102_ls>321.^lby>5dc0e7bfb^3:.1f60g/b3c6318e34gaf
    Host: ow5dirasuek.com
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 13:30:45 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=76ce58f8c425dfc80f520eebbadec731|181.215.176.83|1737552645|1737552645|0|1|0; path=/; domain=.ow5dirasuek.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=181.215.176.83; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
- 8.8.8.8:53 DNS: PTR 229.198.34.52.in-addr.arpa -> ec2-52-34-198-229.us-west-2.compute.amazonaws.com
- 8.8.8.8:53 DNS: A lousta.net -> 193.166.255.171
- 8.8.8.8:53 DNS: PTR 81.144.22.2.in-addr.arpa -> a2-22-144-81.deploy.static.akamaitechnologies.com
- 8.8.8.8:53 DNS: PTR 11.227.111.52.in-addr.arpa -> (no answer)
Flow summary (bytes sent / bytes received / packets sent / packets received):
- 260 B / - / 5 / - : no request recorded
- 260 B / - / 5 / - : no request recorded
- 467 B / 388 B / 6 / 4 : HTTP GET http://mkkuei4kdsz.com/900/518.html, response 200
- 467 B / 631 B / 6 / 5 : HTTP GET http://ow5dirasuek.com/552/533.html, response 200
- 260 B / - / 5 / - : no request recorded
- 156 B / - / 3 / - : no request recorded
- 56 B / 72 B / 1 / 1 : DNS lousta.net, response 193.166.255.171
- 66 B / 90 B / 1 / 1 : DNS 8.8.8.8.in-addr.arpa
- 70 B / 133 B / 1 / 1 : DNS 73.144.22.2.in-addr.arpa
- 73 B / 147 B / 1 / 1 : DNS 196.249.167.52.in-addr.arpa
- 72 B / 158 B / 1 / 1 : DNS 68.159.190.20.in-addr.arpa
- 72 B / 137 B / 1 / 1 : DNS 159.96.196.23.in-addr.arpa
- 73 B / 147 B / 1 / 1 : DNS 149.220.183.52.in-addr.arpa
- 70 B / 156 B / 1 / 1 : DNS 50.23.12.20.in-addr.arpa
- 70 B / 144 B / 1 / 1 : DNS 18.31.95.13.in-addr.arpa
- 70 B / 133 B / 1 / 1 : DNS 107.12.20.2.in-addr.arpa
- 61 B / 93 B / 1 / 1 : DNS mkkuei4kdsz.com, response 3.33.243.145, 15.197.204.56
- 71 B / 127 B / 1 / 1 : DNS 145.243.33.3.in-addr.arpa
- 61 B / 77 B / 1 / 1 : DNS ow5dirasuek.com, response 52.34.198.229
- 72 B / 135 B / 1 / 1 : DNS 229.198.34.52.in-addr.arpa
- 56 B / 72 B / 1 / 1 : DNS lousta.net, response 193.166.255.171
- 70 B / 133 B / 1 / 1 : DNS 81.144.22.2.in-addr.arpa
- 72 B / 158 B / 1 / 1 : DNS 11.227.111.52.in-addr.arpa
MITRE ATT&CK mapping: Enterprise v15
Downloads
- Dropped file 1
  - Filesize: 80KB
  - MD5: 727d44570b0d20cfa1249955dfef9811
  - SHA1: 9afb64fc5bf9155d5e8e3c816e855836ea74ec0d
  - SHA256: 18fc02d510b75fad6a299965c81a8f2ab56bcb752d3e0d71b6a1d2477ecd14cd
  - SHA512: b2c76e20989ee9b12c77c51b8924be2846ae6fc9d5574ee94f286c0e2c5ff8c328f737a8c72b4ed9990dd59e83d2941b26f5d64a130576c381367264d897e2cb
- Dropped file 2
  - Filesize: 80KB
  - MD5: a58284942121fb4fd3e535c4d24af7e9
  - SHA1: 1eecaf4e76133ad3ee3917343dc89d07adcc9df6
  - SHA256: 425e9f2e72d1b2aee6cd77fdcc35cada58b9e75e584fbd2ce416af2ad0f9e6d2
  - SHA512: 3a49111c0373e4091601530f5af78e0a30d9f72d3075e497818a89a5d40a84089ca552fd6592bb1143d847fa2c049f3e6fd4d5ff4cbf368e89fedcb604242a8a
- Dropped file 3
  - Filesize: 80KB
  - MD5: 50d01f3265d3400884853fe169731681
  - SHA1: ebbc3e4b74b1efb101ef502fb29f198749bafbd0
  - SHA256: d01ad75b46fab8d67aa7858da6f74fa443ee357d94c39addd1bcf7676ea96e94
  - SHA512: f1824f589293a14f026731245c86929e15d6c9a2181ba3ce37ca9c31ca50409bf37db640853475225f70d2d6662f6c38d660754548d93d6f50a483a4f5183869