Analysis Overview
SHA256
a78e3d341536b8ab1540131dbb51643c7681681333ca5f6e4d352b7b2597ba0f
Threat Level: Known bad
The file 43d347556cc54861e67143c0b0837b60N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 07:14
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 07:14
Reported
2024-08-16 07:16
Platform
win7-20240704-en
Max time kernel
116s
Max time network
125s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe
"C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2152-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 55ff185a28b30544cd52af035445fa0c |
| SHA1 | 3140140510f14b982ec71cb2938cf966a7517cf7 |
| SHA256 | 8328b128e8691b466491225a3a7eaf9377389915bd9553151855afe4ac0edad4 |
| SHA512 | 1a2772d11ffe52a2e07fcc10a7e8a7d4c3ffd6edce1e7ea3897ce9184867abfbd0c082c192cdafca1c4d98c7d03c4bedcdb56ce7fcc79a1a9f751e57fd3fdd12 |
memory/2152-4-0x00000000001B0000-0x00000000001DD000-memory.dmp
memory/2152-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1100-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2152-9-0x00000000001B0000-0x00000000001DD000-memory.dmp
memory/1100-15-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1100-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1100-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1100-24-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 48e8f8962cdc8b0e563fae4f87e033bb |
| SHA1 | 1fe63acd60ee4cf59dce4455ed6759916b95c0d3 |
| SHA256 | f1756d0b5fb7da4b43d5ec1d9fe2cb2a727bab07059062bea9896015a12f10a8 |
| SHA512 | 92ac879c69a69e21012d61a7b785d0a3d9533766d18c54eb0b4f137b1f70b5882f196c25fbed98df357a3b841dc24126345bdd37862ec9c47d64762b20b8ce83 |
memory/1100-28-0x0000000000370000-0x000000000039D000-memory.dmp
memory/576-37-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1100-35-0x0000000000400000-0x000000000042D000-memory.dmp
memory/576-38-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 07:14
Reported
2024-08-16 07:16
Platform
win10v2004-20240802-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe
"C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/4488-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 55ff185a28b30544cd52af035445fa0c |
| SHA1 | 3140140510f14b982ec71cb2938cf966a7517cf7 |
| SHA256 | 8328b128e8691b466491225a3a7eaf9377389915bd9553151855afe4ac0edad4 |
| SHA512 | 1a2772d11ffe52a2e07fcc10a7e8a7d4c3ffd6edce1e7ea3897ce9184867abfbd0c082c192cdafca1c4d98c7d03c4bedcdb56ce7fcc79a1a9f751e57fd3fdd12 |
memory/4976-4-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4488-5-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4976-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4976-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4976-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4976-14-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 7aa55e8976cd752899788997aa75ee4b |
| SHA1 | f6a3239199df61576131d5217aac585926ea98fb |
| SHA256 | 5cee3eae7c87d379e582a0db2469e5c7c7c1eec7de0742903d3fd72626a68666 |
| SHA512 | cdd81c2528a8b62509750a2d6a1ff7a9fdf7ec3ed87ce3c6d9481deec1b19704ce76aebf84e28222e90ba93d2805bcef8db7f512c111617297312dfb007e92f5 |
memory/4976-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3808-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3876-26-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 356c7aacfc473ac4e97c300d153f1c29 |
| SHA1 | 57ddc6859f210bd92577ff30ce9e36e7f9114889 |
| SHA256 | 547b729794b1fab6ae0e51f7cd55565f327a5e865038ac7dfbb60f51f6f4365f |
| SHA512 | 125d650ab94dd1b5b2e5dc9ea6111e92d09c96868cfc366ce16ef294da6baf4bf8d8a2b3a9626264a5ff2fc1d2977c1e23d22470075da478750c0a238fd46d36 |
memory/3808-24-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3876-28-0x0000000000400000-0x000000000042D000-memory.dmp