Analysis Overview
SHA256
642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f
Threat Level: Known bad
The file 642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 22:34
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 22:34
Reported
2024-08-15 22:37
Platform
win7-20240708-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe
"C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 703edae68cfe269f1f88159a1654e06e |
| SHA1 | 9858a53d32a87097c674ae2e859133d80b0faa4d |
| SHA256 | 7b7a53cbbbab16a94293ad841f719b8179df4229abaaca03f517cd6286c0ac4b |
| SHA512 | af10a8a94c180980e8ba7f4525d19f4f406eaddc8617aa735deb7621e1d4397183d1054c25781c8fc64f0c12ccb3d3b78500cf2298cd80d7ea9a1d4e2a6e1e24 |
\Windows\SysWOW64\omsecor.exe
| MD5 | a987072e23614fa71cecaf4567dfdd3e |
| SHA1 | 10170cac5ed56149e9a1a17b4b141e75bb22afad |
| SHA256 | ed9340a0b9b1170be15148a3b64688f85e9e9fb978ce6eecd15218e1ae9043e8 |
| SHA512 | 1487f1cbd840c7c0ab8407fc32a652aa75a085421b9ee7b5cab63a8086ad2e0b8d3ebf5935fc8b270d434c45b1d1452b546294c8f9ee811d44b737f34ef1b99b |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f10b45a5c6cb6853157f5ed2d19a619a |
| SHA1 | 039629493974dbbf8fea6793156f34a3324e4c45 |
| SHA256 | 9acb59e9a1680ba4e0c0747ec7152934eb4aee77fbe998bee8128fc800926349 |
| SHA512 | 99fea7b5c5c748762d6530f10fd21c5e97f17522e2129ed84b5f1a0b9d0227e9193f4c658366f15fa0379ee3baa9235e2c87dd1391b1b0e12037188c5936218d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 22:34
Reported
2024-08-15 22:37
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 212 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 212 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 212 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4380 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4380 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4380 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe
"C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 703edae68cfe269f1f88159a1654e06e |
| SHA1 | 9858a53d32a87097c674ae2e859133d80b0faa4d |
| SHA256 | 7b7a53cbbbab16a94293ad841f719b8179df4229abaaca03f517cd6286c0ac4b |
| SHA512 | af10a8a94c180980e8ba7f4525d19f4f406eaddc8617aa735deb7621e1d4397183d1054c25781c8fc64f0c12ccb3d3b78500cf2298cd80d7ea9a1d4e2a6e1e24 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 28b91801c0a83ba179484b68a51130ec |
| SHA1 | 2ec6da6bc03be1729406898ffa97ce9ca9169af6 |
| SHA256 | 09802344c1d57e98cbd66ca50440a1ce35ad31d48ebeb06e6bf219c6f1cb3303 |
| SHA512 | b8f6a8592d9301132b780dab8e5d068e3c7e0ec9b69b3660735f98fd12951a3196b2490f30eba814160781cdc79146e446587795bbef13f0e0286e65e3496476 |