Analysis Overview
SHA256
fe4a2d792ff169f99472b5b292c16336e14ddd84503a0c6da704cd9567214617
Threat Level: Known bad
The file 3767df70d7bb9230c39c911033f966e0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 03:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 03:38
Reported
2024-08-16 03:40
Platform
win7-20240704-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1620 set thread context of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe | C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe |
| PID 2816 set thread context of 2176 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3000 set thread context of 2900 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1932 set thread context of 1404 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe
"C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe"
C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe
C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/1620-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2196-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1620-8-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2196-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2196-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2196-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2196-11-0x0000000000400000-0x0000000000429000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | bf5efc7775a0ade7b6ab8a01b3e02e02 |
| SHA1 | 5633e874b2660d3436039fa7a3af996c1a675004 |
| SHA256 | 66d5de6a6ffb46a9a67f365fe9580dfde217ae269138e5faf0baaa55171058a8 |
| SHA512 | 1bc062bf68b11cd2adefbffcfbdbaa0cad14b583be5c977481ce2fb657d3588ec2604a35e8689825291a1e945c4d4629e7eecda7aa52a6f55d3be13f5ed2b853 |
memory/2196-20-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2816-22-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2816-32-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2196-35-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2176-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2176-39-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2176-42-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2176-45-0x0000000000400000-0x0000000000429000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | b85434aa8e125df6e59b9a498e3b6f3b |
| SHA1 | 525cb6edeecf87dc5ba5808460e2f54362609f1c |
| SHA256 | 5fc72d7a62a3a5754ab881376e0bb2c73807f0ab879f0d60c03779856f802a86 |
| SHA512 | 7fa5d01cbb6f5e6a910bdd2ea1e3e15fa6fefd35aadf6da2c5964a5cf795424eed9e3b55ecff4444a0bead2f58b7414a6b6d90a98975aa0849c049141f3369f1 |
memory/2176-49-0x0000000000320000-0x0000000000343000-memory.dmp
memory/2176-59-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3000-58-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2176-56-0x0000000000320000-0x0000000000343000-memory.dmp
memory/3000-69-0x0000000000400000-0x0000000000423000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 58ae6e81e25a8595eb0cfe69833cdc3b |
| SHA1 | 368c4817ca5f85d762d3f303e48e495996560c3e |
| SHA256 | bcf03fddbab80848669f188cbb5d7a1644cc7b2b92afbbaf065d20dd194e8ce8 |
| SHA512 | 08e397f7e9c06c163a8f152eabf9dee6c27d6b25a44c9149f3accff50b5aea78edb3c69d5db671a2ec8bde3838ee349a069ddd82657a69aea990705614190f5e |
memory/1932-82-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2900-80-0x00000000002B0000-0x00000000002D3000-memory.dmp
memory/1932-90-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1404-92-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 03:38
Reported
2024-08-16 03:40
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3016 set thread context of 468 | N/A | C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe | C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe |
| PID 1416 set thread context of 2716 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1392 set thread context of 1056 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3908 set thread context of 1504 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe
"C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe"
C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe
C:\Users\Admin\AppData\Local\Temp\3767df70d7bb9230c39c911033f966e0N.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3016 -ip 3016
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1416 -ip 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 272
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1392 -ip 1392
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3908 -ip 3908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 256
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | N/A | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/3016-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/468-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/468-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/468-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/468-5-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | bf5efc7775a0ade7b6ab8a01b3e02e02 |
| SHA1 | 5633e874b2660d3436039fa7a3af996c1a675004 |
| SHA256 | 66d5de6a6ffb46a9a67f365fe9580dfde217ae269138e5faf0baaa55171058a8 |
| SHA512 | 1bc062bf68b11cd2adefbffcfbdbaa0cad14b583be5c977481ce2fb657d3588ec2604a35e8689825291a1e945c4d4629e7eecda7aa52a6f55d3be13f5ed2b853 |
memory/1416-8-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2716-16-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2716-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3016-17-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1416-18-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2716-19-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2716-22-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2716-25-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2716-26-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1392-31-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 1ef58768c1edb0783fece221edd200f0 |
| SHA1 | 6d4cca2dccc2ebb4b0857c65a689ce35e46409da |
| SHA256 | 60f2c9dca7ba8cacae7f559c9dcc771aad23477914ba96fdd90177b32573fd63 |
| SHA512 | ff66f6f3f90e48c62d83c697d2d061adf5b71802d4a4472e64d35816ac5e88797f3687c8a1f6515de6302d19d70d2b1f56551b802bbedb4ad942d72512b02500 |
memory/2716-30-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1056-37-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1056-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1056-39-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | acd94c174689bb1d745d770f0ff070c6 |
| SHA1 | bbc44d86ccb06d10ed5937e4d8cfad686a9b81dd |
| SHA256 | 52e900ba321113cd3682ac9fa8c8df9325b135d3227a27c2188d7be7eae18318 |
| SHA512 | 13268dd57685e850271469ec2347309f461700f633317b4ff7c265754234a1ba9de23bac638dbc89f79146a378dd260d2215a19552acf83aa9eea09247783089 |
memory/3908-44-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1504-48-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1504-49-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1392-51-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1504-53-0x0000000000400000-0x0000000000429000-memory.dmp