Analysis Overview
SHA256
dcddbac07050ee051f816a72ae25240804882526850c8e2bb507d3103af75bb5
Threat Level: Known bad
The file e03c78ae2a96d6fccc3c37c42acfbbc0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 09:27
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 09:27
Reported
2024-08-16 09:29
Platform
win7-20240704-en
Max time kernel
114s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe
"C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e02e8051bba0efb925dca6a1c8fe1257 |
| SHA1 | 63201a56f8e3902bdc41af142acec7bfa3d3e06a |
| SHA256 | f6334a4df39e107f3ad694f6789e0dbb9ccc89c64d524152ee98477ca389fa23 |
| SHA512 | 73ec471d0629d745b74bd2abdf819a0a94d13491618ccdad4444b12b2a97e47a0edd5e567a40ce74d3cad3bc0c25892736689bdd14e44134cacccff4686cb47b |
\Windows\SysWOW64\omsecor.exe
| MD5 | eb7284a780616bb119450645ccda9eab |
| SHA1 | 9ec4cdda8be580319c5ef7c41fdb2f8baa8e41d0 |
| SHA256 | 31791b73cce06ee72b311a67a1b9df84042b60c8ce063c7bb093a522226b0bc1 |
| SHA512 | 1985331a70c91607963afc01b75ddc1bb51b2be0adf6e7708c2fe892488dc09ef1f326754b909656bf90da34fd30c16fc0976949c3daa1b21254d6ca3de30ce3 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ebe305fb651c0d8a8223a51f4394877d |
| SHA1 | df96f86b5a72dcb6a20c7567c8ac3339e0abbc39 |
| SHA256 | 4c3ea3dca27acd6f57239be30ca8d9411b43f38f85cf485d7e1859075c2d5857 |
| SHA512 | 8caab14031e1122b69079e525a4e53f90ef6e59cb4f574c1a8ac772cd683c1c4b43255cb4845ec11d7c17b56cdd411c9f0b7bb82e086bea6c575aa4bbdcf3ac9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 09:27
Reported
2024-08-16 09:29
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe
"C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e02e8051bba0efb925dca6a1c8fe1257 |
| SHA1 | 63201a56f8e3902bdc41af142acec7bfa3d3e06a |
| SHA256 | f6334a4df39e107f3ad694f6789e0dbb9ccc89c64d524152ee98477ca389fa23 |
| SHA512 | 73ec471d0629d745b74bd2abdf819a0a94d13491618ccdad4444b12b2a97e47a0edd5e567a40ce74d3cad3bc0c25892736689bdd14e44134cacccff4686cb47b |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | ebb896dd14aefad89f3b79d3e40ef04d |
| SHA1 | 793e1a3838f570ce9b6a20958cebb9592c4bbff5 |
| SHA256 | 3b94d8aaf2986efa611e89f7c69aebb8b497c5c69bf4e4e8eb4938e14ba33bb3 |
| SHA512 | ee9e6838021588275f91abbbdc02bdc0acc190f7724a99d3871b333ecb1a345944618633f26f791d96e4d8378c6efe616ad76339fb0f7984aa318ce6728a5125 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4e2431be28f8125aace4df746b5c247b |
| SHA1 | 28532953f53175be5e2d3c6993bfdaf6b030edc5 |
| SHA256 | 301f925a5f7422f4412b9ab1d4ff1d6caa0227082c2abbcea7ddab211dfe4175 |
| SHA512 | b38a27892a1c8bd9603e5f2353da94d4d227fa444f2f25df1cbccdfd9c82c78b348cf5228407a52999b7604964ef01e7d77c2202bc2339e3f3741f7942c8831d |