Analysis Overview
SHA256
a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136
Threat Level: Known bad
The file a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 01:21
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 01:21
Reported
2024-08-16 01:24
Platform
win7-20240704-en
Max time kernel
146s
Max time network
151s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe
"C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2d463611deac729a3c81eb8d17d0e722 |
| SHA1 | d95eac8731193ba20eb711ec4ffaf33aeb6eaca3 |
| SHA256 | d172a64ee8948c41e869a35138d67791708460aeb216c5dcbb82bdceda4a1f7b |
| SHA512 | 8e23086e2bbdf4751c6f47e55b0c6a2faa698fac68b605237ea4395c159d8b3b65abd705df526ba53fb7f48eb72f541b382583ab8be9420c0e994e0d936c6ff5 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 5c3a8d0945bb9c8e8c7c766e1b4bc141 |
| SHA1 | f701bc8cb1658cfa6471126e94b3bb0c722ca35e |
| SHA256 | c064fb75ae25f69fc387f7f201b375e9cf40cf121901e6d80ddc6ec9fd232aad |
| SHA512 | 3ce002949a18b80501f92d73446988882e7c76dc5224bf88c537d436dc18b9e14f5cc3eecd0b3e536250102e2cc8a80f46bab4e3177356e436953db6fc542b4e |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 400698190fbb382296834595d9d344de |
| SHA1 | e00d691eabf38483c63d8d946a72508f953d01b3 |
| SHA256 | 8599150c8a7c8e3a7f5a5437d62e677e8d27f6f065624b47281bb33f055fa170 |
| SHA512 | 027b59d751e86c0e0d0d592e40c63d25d1f2d9052cea5c13572d8d5b9fc96ee8f3310a87a1c075af35a0191ab737ef3199dc2be5597cf8c287f7e031378c1579 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 01:21
Reported
2024-08-16 01:24
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
152s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe
"C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2d463611deac729a3c81eb8d17d0e722 |
| SHA1 | d95eac8731193ba20eb711ec4ffaf33aeb6eaca3 |
| SHA256 | d172a64ee8948c41e869a35138d67791708460aeb216c5dcbb82bdceda4a1f7b |
| SHA512 | 8e23086e2bbdf4751c6f47e55b0c6a2faa698fac68b605237ea4395c159d8b3b65abd705df526ba53fb7f48eb72f541b382583ab8be9420c0e994e0d936c6ff5 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | b1b79180ec906a75af9feb2fc1f337f1 |
| SHA1 | 001ae13e3a8dc464f46d6f3da128540d74f2dcf6 |
| SHA256 | b5613ca42ffb0cc1851b88e6b972a223ca3ac7be883c0a0b2040aa58efaf8204 |
| SHA512 | 37ba71cbd387ab0539a9fc6b6138f68027bec34ee482e02186e43964dc9368f88da0d48c86b9c6c2b143c30503d376f85daf4726cee9dbb74f683f41e6fbd8b1 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d7e714d542d9cd8b3aa5fd0e1f38054b |
| SHA1 | c5e1db8847aad4b71ff49785ba56f30c1f8e5042 |
| SHA256 | 222211b9dcdf64ef1bff42448e8ffa034e1e1925fecf46fd8e0ff6eea8838e36 |
| SHA512 | a5f15a59acc27b024707c5a0866cdafa3da292e6de226d13d96380857c2d7c09769a2f2a184cdbbe7b42f1d1746b376165a5cbd3adbe4e884ac4bd8567558531 |