Analysis Overview
SHA256
6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24
Threat Level: Known bad
The file 6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 22:56
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 22:56
Reported
2024-08-15 22:58
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe
"C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2456-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2336-4-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ebf795563e53ec3972368d63b0629bf1 |
| SHA1 | 05b3873b2ddf14332d97a29b587f2120beadb54b |
| SHA256 | 54116586dc0e1932d87a8cf27dd3927ce6553f2074a1fe61524dfe8a764e2fa9 |
| SHA512 | ac911e86c918258cdda14fca80034c4eed57dc0b4d6c7c5da1ced1ab5aaf8a4761a3a1c4e56600f5309d3de4a0ca275ea26910816e2b6266c2b9adceea73cab0 |
memory/2456-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2336-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | f0818d4bcaed2d8990a4e6e67f31fb51 |
| SHA1 | 70486e3515b585b8a1b740a3396ea573293735e0 |
| SHA256 | 8947a46bb645a5107d1ad000ecb1b2ee3a46b0f2e314ab8ac9a5d9da10484328 |
| SHA512 | d6b7e93f780033e32f72b95ecb674231518bf461569800fe5cb144374b9424f179e4e410e447c5b2f3eb4e1077d19dbefeadd9471cdaa59cb3383c365c67468a |
memory/2456-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2336-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3812-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2456-17-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b966eb4f311787cb5d25e5173ded39d1 |
| SHA1 | 848ee7787de7b09730116795b88b944805e7b513 |
| SHA256 | b9cf03d27c4ef89dc6ad2772d37c79f654718b7e99faa7f74bdae73be6da5f9d |
| SHA512 | 623112b9ae81012710cb74c827b7414fa459026ee83fc02a20618d393536a7bc99e55ca0705e646d025abe169cb063a3b94ac4660578655cfe003ed04b228bae |
memory/3812-20-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 22:56
Reported
2024-08-15 22:59
Platform
win7-20240704-en
Max time kernel
121s
Max time network
138s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe
"C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2348-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ebf795563e53ec3972368d63b0629bf1 |
| SHA1 | 05b3873b2ddf14332d97a29b587f2120beadb54b |
| SHA256 | 54116586dc0e1932d87a8cf27dd3927ce6553f2074a1fe61524dfe8a764e2fa9 |
| SHA512 | ac911e86c918258cdda14fca80034c4eed57dc0b4d6c7c5da1ced1ab5aaf8a4761a3a1c4e56600f5309d3de4a0ca275ea26910816e2b6266c2b9adceea73cab0 |
memory/2328-10-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2348-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2328-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 47ec5b8076a04687a4bab57b5b27aa70 |
| SHA1 | 79efcff01f2e7099d1651ce169c1bc0bcf3367a2 |
| SHA256 | b371c07aa84bad4a9953d9f8c6c841959a8e299b19a87a006bca1c4a119e1fb6 |
| SHA512 | fc115c1674165851e4a6d70866708027c521c1782fb1a2d7874117e0e1753b54bc922acf026714909926b3e9bffa40a84f5b705fcaaf6c25c84bf37fb977d471 |
memory/2328-18-0x00000000002C0000-0x00000000002EB000-memory.dmp
memory/2328-24-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 196e9a79ada7f5af68fccb05b4685a3d |
| SHA1 | 0976d7c9162f072507365bee48c2ac50e8ce0e3c |
| SHA256 | 07ba9a15c92ddfbb63528a20a893f9b716640c1133c4fa6cc8ebeadc44cd76dd |
| SHA512 | 80b856d803555e8494c1efda746f1c0a60c0943966dba49e503159cc182dbd552684d8ebad6c1dd803539677e72e3951a9fb118d9849a45fd5e96d14fa470520 |
memory/2948-35-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2076-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2328-37-0x00000000002C0000-0x00000000002EB000-memory.dmp
memory/2948-38-0x0000000000400000-0x000000000042B000-memory.dmp