Analysis Overview
SHA256
b65d474a32d4b85234f25a9c7d5d09f69915d3114258de39ba657a965c798dc9
Threat Level: Known bad
The file 5a6025ecc9dfcad8539e45923a108fe0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 04:53
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 04:53
Reported
2024-08-16 04:55
Platform
win7-20240704-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe
"C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2276-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 14c79c671bc50c519dd04fad2b54fe12 |
| SHA1 | 7b9b804ba298e60c20b26db1b5c094bc4f8f60be |
| SHA256 | 26247c5f725d7d567587fc947467a387d3b304e8777867c989ef04c62ce036fb |
| SHA512 | 97cbb66058a3e4d5529e4e76e5c84980a7d7fe0996be25fde5a7a643af328b7b5662fdd5fa64e41b8e54528fe5db8961ac58447c57fe4682f34cbf7a6c4befe0 |
memory/2700-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2276-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2276-9-0x00000000002D0000-0x000000000030E000-memory.dmp
memory/2276-8-0x00000000002D0000-0x000000000030E000-memory.dmp
memory/2700-14-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | d764968271f882157d63f5e543b9891a |
| SHA1 | d210b0756d401504dacb66387ef9c83c376e31ce |
| SHA256 | 67f17a223f8fcc67feafacd31a140ec33ab1ec3fbe783826f34076a2f5458499 |
| SHA512 | be9968b76b017bfa6c210739f7c9d2c1a87d77fa185516d1a096fa93f227d694bf8e7957ec2b66a1e3e5136556845a56367dbf55278bfc191a354190636fe41e |
memory/1656-28-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2700-26-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2700-25-0x0000000002120000-0x000000000215E000-memory.dmp
memory/2700-24-0x0000000002120000-0x000000000215E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d2f90a1cfb5a704ab34b4de9281d1b2a |
| SHA1 | 07b4c8512b7c15f6e1768dc34a423b28aadb09d6 |
| SHA256 | cdff25422f6b088daf90ce6d7f88093f27a5414a241bcaab66bfdf4f6974baeb |
| SHA512 | 449daaa16313e417e12dcc092dd5feb31375b707d26bcbdcb7124ca11e95f572baffe89e67e9f07c9e570cfc7467e064b1f0e1ca1c8a18508526699ec9ffd593 |
memory/1656-32-0x0000000000220000-0x000000000025E000-memory.dmp
memory/1656-38-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2344-41-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 04:53
Reported
2024-08-16 04:55
Platform
win10v2004-20240802-en
Max time kernel
116s
Max time network
121s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3652 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3652 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3652 wrote to memory of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2612 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2612 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2612 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe
"C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 144.245.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/3652-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 14c79c671bc50c519dd04fad2b54fe12 |
| SHA1 | 7b9b804ba298e60c20b26db1b5c094bc4f8f60be |
| SHA256 | 26247c5f725d7d567587fc947467a387d3b304e8777867c989ef04c62ce036fb |
| SHA512 | 97cbb66058a3e4d5529e4e76e5c84980a7d7fe0996be25fde5a7a643af328b7b5662fdd5fa64e41b8e54528fe5db8961ac58447c57fe4682f34cbf7a6c4befe0 |
memory/3652-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2612-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2612-7-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3728-11-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 873f26cf77497b4e3609b1b35d5b2606 |
| SHA1 | 0fc5279f46ec29a034ad4b5208b7ea5848f0a6a2 |
| SHA256 | b8b8126347cad59ab63aa64a22767e4b9f13f0600f0fc39eaa15a9ab167c2744 |
| SHA512 | 5ecf7587d4e82ef978e31e8c9c180c4c3743fa12345c709646f80c296f9cd1b08bdee19877dab9f8ada8517d12c0fe8c295e0d514e72874565846bb3e388785b |
memory/2612-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3728-14-0x0000000000400000-0x000000000043E000-memory.dmp