Analysis Overview
SHA256
3a73e9b1c86c2e105c55766540135595d57918a0f1b0aa9cd25b190657e0e1ba
Threat Level: Known bad
The file 8992e6eb0fd56c721b26387d481c3df0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 12:36
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 12:36
Reported
2024-08-15 12:38
Platform
win7-20240704-en
Max time kernel
115s
Max time network
123s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe
"C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | e413a512d96370a36188aef9e00e0301 |
| SHA1 | 48d43cd76b087f0cde4d27f8bbf8c3eaffae0dfd |
| SHA256 | da6b862db670af3667fbd83e5a57438e0186a41ca3aeef5fc8e8269571f9ebad |
| SHA512 | 310404879c1f2ad6c4d18ab47b123777ab188290b99b34a255c95a3bc3079bb9d222c9ecf9bf45c95aa4eea6ecdc5ee48f8623fb38380991428f09b5c1e99e8a |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5b9f6ce47afb6062ec2bf02c777e2595 |
| SHA1 | 0ed61dbd5a82127ddc8cfe8f6766ff849e706d4f |
| SHA256 | bed855b4c75263fe9969b830b40a9624ebc53fa9f18c1c5ef3ed23685a77d912 |
| SHA512 | e10650194da441d3e1195f5ac9b81ce07c56bce52d5133aca9348d8bc8410dfe01323cad715c2e1f2ad058c42050a634c1e650616c985abb434021375ffc9375 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | b13958f9d0ef5298c057eb88ce394cef |
| SHA1 | e17e429b5f94e3906556c67ddda0a5e431295c82 |
| SHA256 | 3f0777675a7505f2f9f0544685b8aa76ba02737281e42d822e691db765ba8ecb |
| SHA512 | 73f1cd3632c6376852b358212fecc9e89356d3fe1a8ac69c36379f1a159fc11e44ed6fcb7360fb7e078c455e82be81c9d1c1785a4fa458b9635832a54a50c88f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 12:36
Reported
2024-08-15 12:38
Platform
win10v2004-20240802-en
Max time kernel
116s
Max time network
119s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe
"C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | e413a512d96370a36188aef9e00e0301 |
| SHA1 | 48d43cd76b087f0cde4d27f8bbf8c3eaffae0dfd |
| SHA256 | da6b862db670af3667fbd83e5a57438e0186a41ca3aeef5fc8e8269571f9ebad |
| SHA512 | 310404879c1f2ad6c4d18ab47b123777ab188290b99b34a255c95a3bc3079bb9d222c9ecf9bf45c95aa4eea6ecdc5ee48f8623fb38380991428f09b5c1e99e8a |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 4bab35a0fc89b684857d3f93111e8d4a |
| SHA1 | c2a083e8dadfcbaa2cecbf3c17ff823ae00e23bd |
| SHA256 | 1874a816b3118bdb6c8e4ed6d902136ed508de9bebf5ddb2d3bf93974e30f3f4 |
| SHA512 | ec1500067e2e466bbfa0adea7d18390634db893af902cfc2275fd233e074d609082bc4f6f604437cf928b78bb464c0860f08140fc102d46c925870ce5e5bc224 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | faf87c5146cc57e302b16eb69d84d347 |
| SHA1 | 3cb8f4bd5a8aad3d13edb69265312db60ffe5276 |
| SHA256 | 01dbc9e2d36bcc852099c82c85bdc99937000ac40a8afda3a6eb1c4c33df6927 |
| SHA512 | ea9ff6077ff02fe8ec9e0aff3f4af89d73aa11cf54a143e24673b1b4aedfd66919a0ee1d5960ac0137903c2b897a4534ff6f2c98d3be933b6da467ddd29d0316 |