Analysis Overview
SHA256: 6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180
Threat Level: Known bad
The file 6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 22:51
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 22:51
Reported
2024-08-15 22:53
Platform
win7-20240705-en
Max time kernel
149s
Max time network
131s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
- C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe"
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
- C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | a2b4a322bc57c590c56a4cd09ed4c4b4 |
| SHA1 | af712caf7817eca258eac0742d8d19786f0d7a04 |
| SHA256 | dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc |
| SHA512 | 5049565bfec82f3aabe027569a23449b13b6aa411e5ff9a8226d3bbd6e352acd0fa7f089c615e5b8df226321578789a749a39979c1570825d2fd87fcf33b2dcd |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | d3d933d5522db2197e9d43c1ddac126a |
| SHA1 | 3df9f95a01aaab85cb88d21fd03f7d58e300afb1 |
| SHA256 | ca0f34c55405e8366cf93ab54885b02c3dbd9101eaaf9706bc0447aa43d05692 |
| SHA512 | 1af87fa818af16d1a4aeb48e78fd07a7a5875e4a5cca6dc5c1458137ee4015c7538aed3ea6bbf5fa53b077889ec2a9698dc1a91b09f6b272e790df2ec4199318 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | e9b991373c0a89cb2d032b15d3d10925 |
| SHA1 | 3920c06af433271fb01a9e70b4a3bc56b30a70ea |
| SHA256 | ad517632bf93fbc068a8ae382570a8930a528b41ecfbb25d5e8490c74c2a227a |
| SHA512 | 47fe9b7856b284ec127b499d93bfcc29f85483be8c30a30b28304ed91330c1944bb549110cfb9072002a7743c6e3b1a9b11fc289a2cb846541babc1aaa7cb16f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 22:51
Reported
2024-08-15 22:54
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
153s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2688 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2688 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2688 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1572 wrote to memory of 4064 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1572 wrote to memory of 4064 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1572 wrote to memory of 4064 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe"
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
- C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
Network
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | a2b4a322bc57c590c56a4cd09ed4c4b4 |
| SHA1 | af712caf7817eca258eac0742d8d19786f0d7a04 |
| SHA256 | dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc |
| SHA512 | 5049565bfec82f3aabe027569a23449b13b6aa411e5ff9a8226d3bbd6e352acd0fa7f089c615e5b8df226321578789a749a39979c1570825d2fd87fcf33b2dcd |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 204ac9ee48c24e463cd358baa30f8f10 |
| SHA1 | dc92d7f1052fdb23afe601d5427b334653ea18d9 |
| SHA256 | 8cfe1926299ed218e2ab2a23a7e6167bfdf685239224a0bf3a3008413181e42f |
| SHA512 | 882af13ea7891c9c0f13fcaaea6df9f5e2cae98acd2629f4d13aac023fe22982eaabab7b6f18ae240b3d5623c97ae68fda6d4f1e4d5aa05096ff3577a60aec7e |