Analysis Overview
SHA256
a81da101dada6a966c91f846c342cd26f61fbc4271bd4428af369bcb40305500
Threat Level: Known bad
The file efa4fc3052b2ebfa8734041bd700b540N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetThreadContext
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 03:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 03:22
Reported
2024-08-16 03:24
Platform
win7-20240704-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2176 set thread context of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe |
| PID 3028 set thread context of 2628 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 584 set thread context of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 636 set thread context of 1828 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | "C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe" |
| C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note the fifth entry: the command line names C:\Windows\System32\omsecor.exe but the image ran from C:\Windows\SysWOW64. The sample is a 32-bit executable, so WoW64 file-system redirection maps its System32 paths to SysWOW64; that is also why the "Drops file in System32 directory" signature records the copy under SysWOW64.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2176-0-0x0000000000400000-0x0000000000423000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | df60ecfe7e04fadb083f36923e02606c |
| SHA1 | 743c5eb0057bbfd0bce93ade4aa762cec4cecf20 |
| SHA256 | e51cb7af47b47c2e65b23f65b0def2a94ec4e383355feb8749323733db5f85e7 |
| SHA512 | 237b8dc660080819d78430d5a0ed4f0ff2496e6ac4ea10158572a555b20ace18036a03c6368a5e451f04c96d9c58b63d2e7b95e12d6ca170ccbd68c2a1958252 |
memory/2176-7-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2196-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2196-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2196-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2196-14-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2196-13-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2196-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3028-22-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3028-31-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2628-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2628-38-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2628-41-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2628-44-0x0000000000400000-0x0000000000429000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 8ec1629f26be79609bac85b123335ce4 |
| SHA1 | d3e893f8b0da3787078450b4031aa2013fdea1b6 |
| SHA256 | cbe6d4743bb71166278eb7f592a83a5a47df6808c0b0478e7781815283851419 |
| SHA512 | f017ff14ed8dbb1a0037ea1627dc62b95b941c952fbcdaf085d27bb1b5061be2ca54fe0aac3d0a657a1658cf68190068f750b52341c34e989504d679193d5967 |
memory/2628-47-0x0000000000780000-0x00000000007A3000-memory.dmp
memory/2628-55-0x0000000000400000-0x0000000000429000-memory.dmp
memory/584-57-0x0000000000400000-0x0000000000423000-memory.dmp
memory/584-67-0x0000000000400000-0x0000000000423000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b0fd1940ed1231863295227f9beaad0c |
| SHA1 | 1b00ba4a9adaede3f53674a6459c9e9f4dd03c2c |
| SHA256 | 72ebc0f2372da772ccee636eeb8a662cee2647944bac2fa55f901b4002bb4f73 |
| SHA512 | f06e81f1b0dd8e3e9a91bb757953c002caf23e7da02043bd303642f682eb7e57e3bf325d2daa3e49977bad4a8b31f2808b7ba9b26129e0e53963c1d97de6536f |
memory/1932-78-0x0000000000230000-0x0000000000253000-memory.dmp
memory/636-80-0x0000000000400000-0x0000000000423000-memory.dmp
memory/636-88-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1932-90-0x0000000000230000-0x0000000000253000-memory.dmp
memory/1828-91-0x0000000000400000-0x0000000000429000-memory.dmp
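Reading the SetThreadContext rows together with the memory dumps above: each parent sets the thread context of a child that was started from the parent's own image, and at the image base 0x400000 the parent's dumped region is 0x23000 bytes while the child's is 0x29000 bytes, so the child is no longer running the executable it was launched from. Together with the WriteProcessMemory signature this is the standard process-hollowing sequence (create the child suspended, WriteProcessMemory, SetThreadContext, resume; ATT&CK T1055.012). The script below is an added example and not part of the sandbox report or its tooling: it parses the two tables as printed above (copied inline as constructed input) and flags each injection pair. Function names, the verdict strings and the assumed image base are this example's own.

```python
import re

# Constructed input, copied from the behavioral1 tables above: the
# "Suspicious use of SetThreadContext" rows (description | indicator |
# process | target) and a subset of the memory-dump file names from Files.
SET_THREAD_CONTEXT_ROWS = r"""
| PID 2176 set thread context of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe |
| PID 3028 set thread context of 2628 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 584 set thread context of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 636 set thread context of 1828 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
"""

MEMORY_DUMP_NAMES = """
memory/2176-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2196-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2196-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2196-14-0x0000000000230000-0x0000000000253000-memory.dmp
memory/3028-22-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2628-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/584-57-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1932-78-0x0000000000230000-0x0000000000253000-memory.dmp
memory/636-80-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1828-91-0x0000000000400000-0x0000000000429000-memory.dmp
"""

STC_RE = re.compile(
    r"^\|\s*PID (\d+) set thread context of (\d+)\s*\|[^|]*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$"
)
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_set_thread_context(text):
    """Return (parent_pid, child_pid, parent_image, target_image) per row."""
    rows = []
    for line in text.strip().splitlines():
        m = STC_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def parse_memory_dumps(text):
    """Return {pid: {(start, end), ...}} from the sandbox dump file names."""
    regions = {}
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            pid = int(m.group(1))
            regions.setdefault(pid, set()).add((int(m.group(2), 16), int(m.group(3), 16)))
    return regions


def region_size_at(regions, pid, base):
    """Size of the dumped region that starts at `base` for `pid`, or None if none was captured."""
    for start, end in regions.get(pid, ()):
        if start == base:
            return end - start
    return None


def hollowing_candidates(stc_text, dumps_text, image_base=0x400000):
    """Pair each SetThreadContext event with both processes' image-base region sizes.

    A parent that sets the thread context of a child started from the same
    image, where the mapped image at the base address is a different size,
    has replaced the child's executable in memory (process hollowing).
    Assumed image base 0x400000 matches the dumps on this page.
    """
    regions = parse_memory_dumps(dumps_text)
    findings = []
    for parent, child, parent_image, target_image in parse_set_thread_context(stc_text):
        parent_size = region_size_at(regions, parent, image_base)
        child_size = region_size_at(regions, child, image_base)
        if parent_size is None or child_size is None:
            verdict = "inconclusive: image-base region not captured for one side"
        elif child_size != parent_size:
            verdict = "hollowing: child image size at base differs from parent"
        else:
            verdict = "same-size image at base: compare contents, size alone is not enough"
        findings.append({
            "parent": parent, "child": child,
            "self_injection": parent_image == target_image,
            "parent_size": parent_size, "child_size": child_size,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in hollowing_candidates(SET_THREAD_CONTEXT_ROWS, MEMORY_DUMP_NAMES):
        print(f"{f['parent']} -> {f['child']}: parent={f['parent_size']!r} "
              f"child={f['child_size']!r} self={f['self_injection']} {f['verdict']}")
```

The 584 -> 1932 pair comes back inconclusive on purpose: the report captured only the 0x230000 region for PID 1932, so the size comparison cannot be made from this page alone and the check says so instead of guessing.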
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 03:22
Reported
2024-08-16 03:24
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
127s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 544 set thread context of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe |
| PID 696 set thread context of 1816 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1356 set thread context of 1248 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 5028 set thread context of 1600 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | "C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe" |
| C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe | C:\Users\Admin\AppData\Local\Temp\efa4fc3052b2ebfa8734041bd700b540N.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 544 -ip 544 |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 256 |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 696 -ip 696 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 288 |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1356 -ip 1356 |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 292 |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5028 -ip 5028 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 256 |
The WerFault.exe entries are the "Program crash" signature. Its -p argument is the PID of the crashing process, and the four PIDs reported (544, 696, 1356, 5028) are exactly the four injecting parents in the SetThreadContext table; none of the injected children (2920, 1816, 1248, 1600) crash. As in behavioral1, the System32 command line resolves to the SysWOW64 image through WoW64 file-system redirection.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
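The two Network tables (behavioral1 and behavioral2) mix the sample's own traffic with sandbox noise: every row to 8.8.8.8:53 is a DNS lookup, the *.in-addr.arpa rows are reverse lookups, and tse1.mm.bing.net is a Microsoft host contacted by Windows 10 itself. The script below is an added example, not part of the report or its tooling. It reduces an abridged, verbatim copy of the behavioral2 table (embedded inline as constructed input) to a deduplicated indicator list. Treating 8.8.8.8:53 and tse1.mm.bing.net as environment noise is this example's assumption, as are the function names and the CSV layout.

```python
import re
from collections import OrderedDict

# Constructed input: an abridged copy of the behavioral2 Network table above
# (same columns, a representative subset of its rows, copied verbatim).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
"""

# Assumptions of this example, not findings of the report: the sandbox
# resolver and Windows' own Bing thumbnail host are environment noise.
NOISE_DESTINATIONS = {"8.8.8.8:53"}
NOISE_DOMAINS = {"tse1.mm.bing.net"}

ROW_RE = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([0-9.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$"
)


def parse_network_rows(text):
    """Return one dict per data row; the header row does not match and is skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"country": m.group(1), "ip": m.group(2),
                         "port": int(m.group(3)), "domain": m.group(4),
                         "proto": m.group(5)})
    return rows


def extract_iocs(text):
    """Reduce the table to deduplicated indicators.

    Reverse lookups (*.in-addr.arpa) and assumed-benign hosts are dropped.
    A DNS query alone still registers the domain (with 0 connections), and
    every non-resolver connection is counted per (domain, ip:port, proto,
    country), so the output says which endpoints the sample actually reached.
    """
    domains = OrderedDict()
    endpoints = OrderedDict()
    for r in parse_network_rows(text):
        if r["domain"].endswith(".in-addr.arpa") or r["domain"] in NOISE_DOMAINS:
            continue
        dest = f"{r['ip']}:{r['port']}"
        domains.setdefault(r["domain"], 0)
        if dest in NOISE_DESTINATIONS:
            continue  # the DNS query itself; the domain is already recorded
        domains[r["domain"]] += 1
        key = (r["domain"], dest, r["proto"], r["country"])
        endpoints[key] = endpoints.get(key, 0) + 1
    return {"domains": domains, "endpoints": endpoints}


def format_iocs(iocs):
    """Render as CSV lines for a blocklist or a ticket attachment."""
    lines = ["domain,destination,proto,country,connections"]
    for (domain, dest, proto, country), n in iocs["endpoints"].items():
        lines.append(f"{domain},{dest},{proto},{country},{n}")
    for domain, n in iocs["domains"].items():
        if n == 0:  # queried but never connected: still worth a DNS watch
            lines.append(f"{domain},,dns-only,,0")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_iocs(extract_iocs(NETWORK_TABLE)))
```

Run against the full behavioral2 table the same three domains come out, with lousta.net contacted repeatedly over port 80; the noise filter is where a practitioner must review each sandbox platform's baseline rather than trust the two entries assumed here.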
Files
memory/544-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2920-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2920-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2920-3-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | df60ecfe7e04fadb083f36923e02606c |
| SHA1 | 743c5eb0057bbfd0bce93ade4aa762cec4cecf20 |
| SHA256 | e51cb7af47b47c2e65b23f65b0def2a94ec4e383355feb8749323733db5f85e7 |
| SHA512 | 237b8dc660080819d78430d5a0ed4f0ff2496e6ac4ea10158572a555b20ace18036a03c6368a5e451f04c96d9c58b63d2e7b95e12d6ca170ccbd68c2a1958252 |
memory/696-7-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2920-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1816-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1816-13-0x0000000000400000-0x0000000000429000-memory.dmp
memory/544-16-0x0000000000400000-0x0000000000423000-memory.dmp
memory/696-17-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1816-18-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1816-21-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1816-24-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1816-25-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1816-29-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1356-30-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d4476fdeeaafeba33846c6cc08b8f03d |
| SHA1 | ce03ea4d470f1aaec2a4c6cbe289afcbedddb821 |
| SHA256 | 08a7fd032fa0cb1172433bfd9ccf5585eabcf27b6e8fe894c803dabf939b975b |
| SHA512 | 3337a466d4dfb1a6c83048cebeb81878c6d5a43652a4992d77039fd91de2c8552cbaf21fb4be46fabaf7fbbea8777bd60dadb4e50e854535525579a5bcc2f6ec |
memory/1248-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1248-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1248-41-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5028-43-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2bc34dda4d90dbb944c31c3185768ac8 |
| SHA1 | ee24d474e73d49d25f3bae4751ea5e717f52d38f |
| SHA256 | 3e88e3ebc47f922e6071179da3a873797ab14ff25ed6c4d4ec6305ca3f8ef319 |
| SHA512 | a79732a672b1c562b454716f0e591cea541c64bbecc76a47b028cafd088a42a1acb247fce817a042924f09df84970211c522ca1299ce9858cdbf7d59f2db2895 |
memory/1600-47-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1600-48-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1356-50-0x0000000000400000-0x0000000000423000-memory.dmp
memory/5028-52-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1600-53-0x0000000000400000-0x0000000000429000-memory.dmp
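Comparing the dropped files across the two runs: the first copy written to C:\Users\Admin\AppData\Roaming\omsecor.exe has the same SHA256 in both detonations (e51cb7af...), while the C:\Windows\SysWOW64\omsecor.exe copy and the second Roaming copy have different hashes in each run. Only the stable hash is a usable file indicator; the others need path- and behaviour-based detection. The script below is an added example, not part of the report or its tooling: it parses an abridged, verbatim copy of both Files lists (embedded inline as constructed input) and separates run-stable hashes from paths whose content changes per run. Function names and the output layout are this example's own.

```python
import re

# Constructed input: the dropped-file entries from the Files lists of both
# runs above (path line followed by its hash rows), copied verbatim but
# abridged to the MD5/SHA1/SHA256 rows.
RUN_FILES = {
    "behavioral1": r"""
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | df60ecfe7e04fadb083f36923e02606c |
| SHA1 | 743c5eb0057bbfd0bce93ade4aa762cec4cecf20 |
| SHA256 | e51cb7af47b47c2e65b23f65b0def2a94ec4e383355feb8749323733db5f85e7 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 8ec1629f26be79609bac85b123335ce4 |
| SHA256 | cbe6d4743bb71166278eb7f592a83a5a47df6808c0b0478e7781815283851419 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b0fd1940ed1231863295227f9beaad0c |
| SHA256 | 72ebc0f2372da772ccee636eeb8a662cee2647944bac2fa55f901b4002bb4f73 |
""",
    "behavioral2": r"""
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | df60ecfe7e04fadb083f36923e02606c |
| SHA256 | e51cb7af47b47c2e65b23f65b0def2a94ec4e383355feb8749323733db5f85e7 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d4476fdeeaafeba33846c6cc08b8f03d |
| SHA256 | 08a7fd032fa0cb1172433bfd9ccf5585eabcf27b6e8fe894c803dabf939b975b |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2bc34dda4d90dbb944c31c3185768ac8 |
| SHA256 | 3e88e3ebc47f922e6071179da3a873797ab14ff25ed6c4d4ec6305ca3f8ef319 |
""",
}

HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")


def normalize_path(p):
    """Strip the drive letter (behavioral1 omits it) and lower-case for comparison."""
    p = p.strip()
    if len(p) > 2 and p[1] == ":":
        p = p[2:]
    return p.lower()


def parse_dropped_files(text):
    """Return [{"path": ..., "hashes": {...}}, ...] in drop order."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1]["hashes"][m.group(1)] = m.group(2)
        elif line and not line.startswith("|"):
            entries.append({"path": normalize_path(line), "hashes": {}})
    return entries


def correlate_drops(runs):
    """Split SHA256s into run-stable ones (seen in every run) and paths whose
    content differs between runs, which only path or behaviour rules can catch."""
    per_run = {name: parse_dropped_files(text) for name, text in runs.items()}
    seen_in = {}   # sha256 -> set of run names
    by_path = {}   # normalized path -> set of sha256
    for name, entries in per_run.items():
        for e in entries:
            h = e["hashes"].get("SHA256")
            if not h:
                continue
            seen_in.setdefault(h, set()).add(name)
            by_path.setdefault(e["path"], set()).add(h)
    stable = sorted(h for h, names in seen_in.items() if names == set(runs))
    volatile_paths = sorted(p for p, hs in by_path.items() if len(hs) > 1)
    return {
        "stable_sha256": stable,
        "volatile_paths": volatile_paths,
        "by_path": by_path,
        "seen_in": seen_in,
        "drop_order": {name: [e["path"] for e in entries] for name, entries in per_run.items()},
    }


if __name__ == "__main__":
    res = correlate_drops(RUN_FILES)
    print("hash IOCs (stable across runs):", *res["stable_sha256"], sep="\n  ")
    print("paths with per-run content:", *res["volatile_paths"], sep="\n  ")
    for name, order in res["drop_order"].items():
        print(name, "->", " -> ".join(order))
```

The drop order is the same in both runs (Roaming, then SysWOW64, then Roaming again), so a detection keyed on that sequence of file creates by omsecor.exe holds even where the file hashes do not.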