Analysis Overview
SHA256: 78c32afbbaf6a20df144c02382a3c2dcfa5fa39d7f5832d307cf0cb1c2111c46
Threat Level: Known bad
The file c3e2e57457315508b392071b2a21d1e0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-15 19:45
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-15 19:45
Reported: 2024-08-15 19:47
Platform: win7-20240704-en
Max time kernel: 114s
Max time network: 118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe
"C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ea17bb1f3f9bac43c64d115bcf0bf690 |
| SHA1 | 6ecd45587157f5e7b4f57600f5f1721ca3480eac |
| SHA256 | 13b9657cfdcc915ef7625b1e06ec511a2b6d5e5d5acd70e66b1b24fa55c8ff64 |
| SHA512 | fdb0736e9a6240290b736f8c4873ae9b2b6f437d5659352f97cfa7449d67737993f9b35067d8c1a131ea0139eb33fdf699b5ec7ca239bbb8b62db512efb32c30 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 5e7ba41294dca1e3b3dba209b11ad0f2 |
| SHA1 | cff31700cbb8a5192d7f1880f44e831c8446cc08 |
| SHA256 | 86e835c862b490b04b70f74dda4e5f2b9dcc2dcedee06ced3d84c38399633693 |
| SHA512 | 4e44df3e3a8ef7c560272767b994ac34fc0ccdb43540010e49a02da8c4fc7f4fb77a53dde5f9c402dbcf3db8dfbd3832640de1ed8504e939c696eec1a45ddc46 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 1866b0dae7e295508ac3d7b6403beecd |
| SHA1 | f8a0e249a644efb7ee3b5454c6c16a6ce4132588 |
| SHA256 | 440e29cef8a4a244b85b72c3a69332c3040a6b1710d2976dba9e7fc11c996b0f |
| SHA512 | bd12d3a42ee6bf2a61a5cd5caf1afd01a0c7252f96593738a419cee1e2a40a51b34e414c734877ae2565a725aee5f1f52c68e1dcb73b5e5e03ffc57ef4aa40e8 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-15 19:45
Reported: 2024-08-15 19:47
Platform: win10v2004-20240802-en
Max time kernel: 114s
Max time network: 119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3216 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3216 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3216 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4656 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4656 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4656 wrote to memory of 4040 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe
"C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ea17bb1f3f9bac43c64d115bcf0bf690 |
| SHA1 | 6ecd45587157f5e7b4f57600f5f1721ca3480eac |
| SHA256 | 13b9657cfdcc915ef7625b1e06ec511a2b6d5e5d5acd70e66b1b24fa55c8ff64 |
| SHA512 | fdb0736e9a6240290b736f8c4873ae9b2b6f437d5659352f97cfa7449d67737993f9b35067d8c1a131ea0139eb33fdf699b5ec7ca239bbb8b62db512efb32c30 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 9e9b33808330dafe5c10f2c6bec2e4d2 |
| SHA1 | 5b9ce8fa9712eafb77fbcbdf86762b5a9b63b742 |
| SHA256 | 0932f3a5130490e51e94dfaa9bac401b8f795aa8de4a973c215c7427cd59d962 |
| SHA512 | 230ffc8136bddf62ec7c75141e8e2ae6e76c9d224b2ba56b877ec23c730cf61bf7e9a0f712040b28abd66479f76dfa9ff5369784685411fa47f9839e342992cb |