Analysis Overview
SHA256
7d5116bdfc048b09eb93ae8f8007040e1ec6ad7494cfedf92dec95380bdb0bb6
Threat Level: Known bad
The file fcdb67092c592bf0d242a5f106ec90a0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 10:20
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 10:20
Reported
2024-08-15 10:22
Platform
win7-20240705-en
Max time kernel
115s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe
"C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2764-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 8264c9fc3dc926ca9a2e8da4bc604fe9 |
| SHA1 | 1b83c0973dd45683dcf81c1758e9e21c19aae08a |
| SHA256 | 4c9f9e17c5fd21fa4f1f514b0029a79c1f98494b322298a6149e4dd9ac82ccbe |
| SHA512 | 09731fcde524b008732a1efdf7d3d41062fb3868c128c75c49f3cb152da9d0764d7e5294b83ed3238a7607361383af972c9813e3320a43dd8e3f9a00375c3f09 |
memory/2808-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2764-9-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2808-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2808-17-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2808-20-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2808-23-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | e23cb486868d8bbc59bbcdb954a1cfa1 |
| SHA1 | 0148f6c154b69285b77bf5b003bea33636d4190e |
| SHA256 | 61e8caf3061a2316ecd2a63e3e85bd8a665cb3c3c228bd7dfe065069d752b762 |
| SHA512 | 4e2b8365da8697dae892aeba0c59b28b83d6fa18b7b4cc2a89d038ef0f1ffbaef48eb78c380d74e783d876729cb3457fd8225505c35152e65b572893e9c06407 |
memory/2808-26-0x0000000000330000-0x000000000035D000-memory.dmp
memory/1300-37-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1300-40-0x0000000000220000-0x000000000024D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | b6c1723c1ef548c9512abda6a455fd54 |
| SHA1 | e2e4c8a7ca66505927f7c1741fe288f826a4e538 |
| SHA256 | 55620dc3422588316d05aee2ebdff07efbcc26400d6b036bd9d57e95eb698597 |
| SHA512 | ea8311f3cf384135c0ab2e3da93f7e59e5151ca8cc36e7813b8f1a8736e904a004fba0938f75a2145884c8aa31d7178c9ddcc8fa3e33ced828febdfe48d26fec |
memory/2808-34-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2428-48-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1300-46-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2428-50-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 10:20
Reported
2024-08-15 10:22
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
121s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe
"C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/4500-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 8264c9fc3dc926ca9a2e8da4bc604fe9 |
| SHA1 | 1b83c0973dd45683dcf81c1758e9e21c19aae08a |
| SHA256 | 4c9f9e17c5fd21fa4f1f514b0029a79c1f98494b322298a6149e4dd9ac82ccbe |
| SHA512 | 09731fcde524b008732a1efdf7d3d41062fb3868c128c75c49f3cb152da9d0764d7e5294b83ed3238a7607361383af972c9813e3320a43dd8e3f9a00375c3f09 |
memory/4928-5-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4500-4-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4928-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4928-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4928-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4928-14-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | ffe24bf3a2394d0dbdb3a6bc762b14ee |
| SHA1 | 2497e1d0985f037677a73572e527ec222b083182 |
| SHA256 | 6000b0b989f998721a436294591a1172dc523437fdd6abd07437923f7c3266ea |
| SHA512 | 8c4d4bc82d04576a8a6b962c4242a1b0de2ee25425ba1451584476744bdb90a967c9b38d534e18f7a23e3445711f149dde58e23f27420cef621f932da2997ff6 |
memory/4112-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4928-21-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | c743c215ef68813e9cc876089a27f8e6 |
| SHA1 | aa89cc96faddb23260e4d57ed82b59ce045de227 |
| SHA256 | 82ddba550adf7fe4e4f24ad8ab0108e6f51e8144a69192362fc0e6ad965c75f1 |
| SHA512 | 4e33b3a7919528a9cda687e0731cfb14e9087a11f6405fd48149937e621b190c4504fc42a527833dd0d0895e36de7e3949a53cb756bf8faaf5a989165db8a940 |
memory/4112-26-0x0000000000400000-0x000000000042D000-memory.dmp
memory/728-27-0x0000000000400000-0x000000000042D000-memory.dmp
memory/728-29-0x0000000000400000-0x000000000042D000-memory.dmp