Analysis Overview
SHA256
8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200
Threat Level: Known bad
The file 8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Detects executables built or packed with MPress PE compressor
Detects executables built or packed with MPress PE compressor
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-15 23:56
Signatures
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 23:56
Reported
2024-06-15 23:58
Platform
win7-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Neconyd
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2400 set thread context of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe | C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe |
| PID 2524 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1928 set thread context of 568 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1256 set thread context of 1564 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe
"C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe"
C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe
C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2400-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2512-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2400-7-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2512-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2512-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2512-9-0x0000000000400000-0x0000000000429000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d9e74407cc77b5a5489ad9633e6cd0d7 |
| SHA1 | 6536449e4b1b7f00247b16d7811db7bb320b9af8 |
| SHA256 | 8fe9aeab93aca788605360c4b6d84e3c75eb490c5cead7a17d18692fdbba5547 |
| SHA512 | 862c68156f94e87de1e622b89eda48f85c6c1e3ef2372560a4acfd5567c3a4840acd6312022b614be421bb8cddba0d5fb117d73b514806e5c161055c1aee16a8 |
memory/2524-21-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2524-30-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2512-20-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2680-34-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2680-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2680-38-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2680-41-0x0000000000400000-0x0000000000429000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | d9ff5152b061d119da6d9c551a2e1978 |
| SHA1 | 8bf1a47dd9157b2eb2edcb33a1cd0d78d90164f0 |
| SHA256 | 56986afafd968243664af8b4d0e8436c3fb8443ce60de0f9d36991fea8776ae4 |
| SHA512 | 6b367e22e502128cedf69f1146790aca8b7d9b5c6567522a92d02a7ce6e5375b9fc5491c03a65c44ee52d060293526beb552922c514f37f0e3a7b4d01cf15f39 |
memory/2680-45-0x0000000000390000-0x00000000003B3000-memory.dmp
memory/2680-53-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1928-64-0x0000000000400000-0x0000000000423000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ce6b88c87dc4f06afe87a9446e947e09 |
| SHA1 | b14007522977ce0c9a134581bb0375df433a7c18 |
| SHA256 | fc636c242e3f72a7a40f50fd32eb31351dfab8ca4ba35ea9de12291aa77b1e0c |
| SHA512 | 8ef8c39732938b61a0313740edfaa66bccc36f26e8ec9373df395699f465f3e853fd536a96021536503379006a7fd374ccb22035a1388178bb1924e96ba3bd40 |
memory/1256-76-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1256-84-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1564-86-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1564-88-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1564-90-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 23:56
Reported
2024-06-15 23:58
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Neconyd
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1724 set thread context of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe | C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe |
| PID 2564 set thread context of 5108 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1712 set thread context of 2148 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1796 set thread context of 1124 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe
"C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe"
C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe
C:\Users\Admin\AppData\Local\Temp\8a4659864fbb90e82fe5ac08290842e1406aee82029d8167f9398bbda62f4200.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1724 -ip 1724
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 276
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1712 -ip 1712
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1796 -ip 1796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 256
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 23.53.113.159:80 | tcp | |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/1724-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2976-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2976-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2976-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2976-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2564-11-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d9e74407cc77b5a5489ad9633e6cd0d7 |
| SHA1 | 6536449e4b1b7f00247b16d7811db7bb320b9af8 |
| SHA256 | 8fe9aeab93aca788605360c4b6d84e3c75eb490c5cead7a17d18692fdbba5547 |
| SHA512 | 862c68156f94e87de1e622b89eda48f85c6c1e3ef2372560a4acfd5567c3a4840acd6312022b614be421bb8cddba0d5fb117d73b514806e5c161055c1aee16a8 |
memory/5108-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5108-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2564-18-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1724-19-0x0000000000400000-0x0000000000423000-memory.dmp
memory/5108-20-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5108-22-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5108-24-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5108-25-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 8404edcae37b6f5d17e21a7193f92fb4 |
| SHA1 | 75f09d5fcddfc1a4882f7bca1c31fa0b1975f825 |
| SHA256 | 96b49ebf63967fe60fb3aea8bec40755b76a1f1b63cfa9aeedcacf266a31547c |
| SHA512 | 85e2a3e7ab5db5d5886ebe214867acdda59839d25a873701fe3cf7e3a676cf8ba88fea2c44f40bb0e8ece31c429b722275bfba5663a73e838371ef01e8d12a02 |
memory/5108-28-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1712-32-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2148-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2148-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1796-42-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2148-41-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a804762f754699936c3bd31d2fee2916 |
| SHA1 | 739a35dff2c476f450027d02f269bc11ae46d830 |
| SHA256 | 770ff69e5b5b35ac478271dc776b763b8a12e6c88b4468d0e9fd6e26670587cd |
| SHA512 | ee5f59c89ff400302c53df453f0f9e6c5b5a1ab9ede9cde06919760a3a556cad5b60054d0504333b81f66b95c8c961054e8b99b85ca4d5c6f22914fc169469f2 |
memory/1124-47-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1124-48-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1796-50-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1124-51-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1124-53-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1124-55-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1124-57-0x0000000000400000-0x0000000000429000-memory.dmp