Analysis Overview
SHA256
3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09
Threat Level: Known bad
The file 3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 20:39
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 20:39
Reported
2024-08-15 20:42
Platform
win7-20240708-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe
"C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 8050f6321b39745952ab54a16b276363 |
| SHA1 | 934affe14fb4dee9f69efef3ae1a9af98dcc4453 |
| SHA256 | b7880f899721e0ce1c39ec75a290b3bc9d0faa00aed232911415c92145c17c57 |
| SHA512 | ab4a3c132a0b649209ef32e97fa2a8c5070472cbe3997451dc908373e38be4173f8c142a9799bde30dd0bc5895a1353126ce5e92b21f4398ed4cb346656b1eb5 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 75897be4628e235ce8d4f1ddd3254e93 |
| SHA1 | aebc1818a4d9556ead8ed35f93e62116402dff5f |
| SHA256 | 870634ab300f5bf8404de1d300d4a2982298735913d88b98bf90eb7432fbbb29 |
| SHA512 | f99cce74db97dd406b9939d71431cd90150745915c80d9c8cf25cf8debca886fc90f2ba72f20b8e4fff8e9890e772af868e9dbc83c857cd9962572875271d2c2 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 9215a48600163fd40515ee64776c6daf |
| SHA1 | 1e0b35f2cb8495d5479500167c294ecaf8e4d065 |
| SHA256 | d9f680c1739f2551b104630fe7e15adb215ece02460fe20822335e8f088a00c6 |
| SHA512 | 6623d946dfac49b03a4055d065e2c459a2bc05c5280cccc910d6448de56d67fa5429117de8874103086ff3f4dfb22fe06eb2d35f5a00f75b9d26b5cc761fc756 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 20:39
Reported
2024-08-15 20:42
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe
"C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 8050f6321b39745952ab54a16b276363 |
| SHA1 | 934affe14fb4dee9f69efef3ae1a9af98dcc4453 |
| SHA256 | b7880f899721e0ce1c39ec75a290b3bc9d0faa00aed232911415c92145c17c57 |
| SHA512 | ab4a3c132a0b649209ef32e97fa2a8c5070472cbe3997451dc908373e38be4173f8c142a9799bde30dd0bc5895a1353126ce5e92b21f4398ed4cb346656b1eb5 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 2d785a9dd42b37640bb87739bf2c17fb |
| SHA1 | 73d585e39773fdae0c4a6811c2233dca8635b6f9 |
| SHA256 | f6bb6d886440c02bdc581b5e03b68dd232766d417eefa2d846add265f73f88fb |
| SHA512 | 971b7b645e708f94ea7193bc79dff1b996a6e04eb178e67e48d0b635e5da098507241e276ffc779fab2b2be992399416eb152acf0a2ecef1bae1c0697f2daf2c |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5f98d89023cece35f990734a21f05e5f |
| SHA1 | d5c3ce9e9960335e567c50cd733abe3da4849e31 |
| SHA256 | d38a3004e232c30e290ba750a11e7ef7d0374b4374aa34676fcd524742daa10f |
| SHA512 | c0e16ae358da6e26a765763d24ac771f452e2d5902b76743fb873a45aae8704ceacba8fc0410eccc6e8695bfd3d9b81d4df88b9e2c020d90ce6f25b119093671 |