Analysis Overview
SHA256
a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea
Threat Level: Known bad
The file a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea was found to be: Known bad.
Malicious Activity Summary
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 01:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 01:25
Reported
2024-08-16 01:28
Platform
win7-20240708-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2636 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe |
| PID 2800 set thread context of 2688 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 468 set thread context of 536 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2708 set thread context of 2308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
"C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe"
C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 21e7b0a03be7c0784f8332a2b526a504 |
| SHA1 | cac4acebab8a65c41c3d1879033b572f4049a490 |
| SHA256 | 0130b299404ca0d7c564a2fc7c702e114356e25fd81d413be6cee5e394fdabfb |
| SHA512 | 2d8450e2e2e302ce01631bf973104510dbc0f1fcb0bf699cdc36b485c36db326d7254f54fba75cf3015b36b503a96ba887736bc5ec7a101c077e60700d2e3472 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 3324215b696a04741aecfc4d672a0fc2 |
| SHA1 | 050243072772cb3e3c9b9720c1eb50915f51b2f9 |
| SHA256 | cd766933f30232126cbcb85632f1e65fb482e6449fc79fa04ff24b1213b89f98 |
| SHA512 | 744213908381a190a641d9be29139d46b56f25fecc03d65f799d61007ad4755e2bfd63cea962ed1d0700942daca24d189387628a3f4a624f6116fa16385038e5 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a315b96d00a6ab6a5586805238075909 |
| SHA1 | b99794e26652ca057619018107951a0bf4122ae3 |
| SHA256 | 15fd6ac46b0db87342c964f5a660e4b5fbe7933a4bebde17062a46863a0ed1ee |
| SHA512 | 308f99e92d31f2b21cf53fabd757f24b8c27f95b8df3b1cd0cda6fb8ee11a38c93aafb2993c845a5d838e15712331a67c4f21d9edfa30f3d14bdf91c806f3e68 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 01:25
Reported
2024-08-16 01:28
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4512 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe |
| PID 2696 set thread context of 3732 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3312 set thread context of 2348 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3512 set thread context of 208 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
"C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe"
C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
C:\Users\Admin\AppData\Local\Temp\a7a030f83d53dbdc2c6ad98e675a6a2bc209f1e182665748257a79faf7b1adea.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4512 -ip 4512
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2696 -ip 2696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 292
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3312 -ip 3312
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3512 -ip 3512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 256
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 21e7b0a03be7c0784f8332a2b526a504 |
| SHA1 | cac4acebab8a65c41c3d1879033b572f4049a490 |
| SHA256 | 0130b299404ca0d7c564a2fc7c702e114356e25fd81d413be6cee5e394fdabfb |
| SHA512 | 2d8450e2e2e302ce01631bf973104510dbc0f1fcb0bf699cdc36b485c36db326d7254f54fba75cf3015b36b503a96ba887736bc5ec7a101c077e60700d2e3472 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 6a7675252c3e0ca1b16a42c772602417 |
| SHA1 | 5342da921243ae550032e576c158f9fd3660cb7f |
| SHA256 | 9475a1b7797ae241ab1e369acfdf207484848df26014759af743f58b25483d6f |
| SHA512 | 9cc920dc4fdc36e5951dd4f816b4a8fbe654745b3f1b15fa68631a8ec9723b1d5be410ab99716e93ce1d6f3c67e3443366d21766d7a183903192804b89d13088 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b64d4ad6d375545dd147ceb51b97d34c |
| SHA1 | 2b4eeb6a84766ac0d293e4c7afeebe399824b7cd |
| SHA256 | bae33c80109e82cf03c2627134682a0922c9c990a28d8b8db40fb5a1ee119b2f |
| SHA512 | 81d1d7223e9a575181843d4aa85beb8a0ec4f1908b806fccc559540dca81156ef20e9352a5342ee26767b66c7bcb2f6aff336eac7e0e1ff43eff6985566d3d78 |