Analysis Overview
SHA256: 4cbfe83734ff2c5b7698f3c4630c4e12a37d9fe70b5589a1e9826b78942cbffc
Threat Level: Known bad
The file 116225d1d8508bf6004d7b3c8f5e89d0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-16 11:06
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-16 11:06
Reported: 2024-08-16 11:08
Platform: win7-20240704-en
Max time kernel: 117s
Max time network: 123s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\116225d1d8508bf6004d7b3c8f5e89d0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\116225d1d8508bf6004d7b3c8f5e89d0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\116225d1d8508bf6004d7b3c8f5e89d0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\116225d1d8508bf6004d7b3c8f5e89d0N.exe
"C:\Users\Admin\AppData\Local\Temp\116225d1d8508bf6004d7b3c8f5e89d0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 883b7c0827a462b9b94a06bf5a6cd76a |
| SHA1 | f4645578c672585c3c2d25a7268614faed5dd36e |
| SHA256 | 551965b277e19722ecb4bf36b971d8fb11923a1c0f3130a5243309338896b68d |
| SHA512 | a080b40521ac325b105aebbbdc78bca4411d75b6160a2be55bfef12d56f06544cdecf5f1beef68686f6bdc8824ad8c1cef20f7a85f08326c352adfd99dba3ace |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | c8a618a4c5e5f5296d7edf10e1ce17df |
| SHA1 | d8cad5e11ead1e18f1cb81518b505bf540d8cf7c |
| SHA256 | bb0b47be5b4e8c5a910ae761a7ae6bd7ea842d664107bd0c6012749791dabbcf |
| SHA512 | 91aaed2d468f5ef74ef8a80076c95bf8b87b7f765730ada72999ee08d64cf2645d3bb10f5284bd34225166431f5f2d894917f7921bb983fa2f92937fa5ce3332 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 5120a4bce18ecbc8550b20c7c83110c3 |
| SHA1 | 745c6d5d725f535387b9e8ca916068c15c9f23d4 |
| SHA256 | 4345eb39c3fb710052fc6193ec1decc615fb5d677235d1efe4c6cd23e937ec54 |
| SHA512 | dbf6d177b09852280f6a920a2eef82c0f1cc1a5c74e993f711053c1a45ee88a53c50becd3aba6ab5a00d87929375f26b0f7554bcaec578f2dec93f894664ba8f |
Memory dumps
memory/2072-1-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2072-9-0x0000000000220000-0x000000000024B000-memory.dmp
memory/2188-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2072-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2188-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2188-19-0x0000000001FA0000-0x0000000001FCB000-memory.dmp
memory/2392-26-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2188-24-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2392-31-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/2880-38-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2392-37-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2880-41-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2392-40-0x00000000001B0000-0x00000000001DB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-16 11:06
Reported: 2024-08-16 11:08
Platform: win10v2004-20240802-en
Max time kernel: 114s
Max time network: 118s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\116225d1d8508bf6004d7b3c8f5e89d0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\116225d1d8508bf6004d7b3c8f5e89d0N.exe
"C:\Users\Admin\AppData\Local\Temp\116225d1d8508bf6004d7b3c8f5e89d0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 883b7c0827a462b9b94a06bf5a6cd76a |
| SHA1 | f4645578c672585c3c2d25a7268614faed5dd36e |
| SHA256 | 551965b277e19722ecb4bf36b971d8fb11923a1c0f3130a5243309338896b68d |
| SHA512 | a080b40521ac325b105aebbbdc78bca4411d75b6160a2be55bfef12d56f06544cdecf5f1beef68686f6bdc8824ad8c1cef20f7a85f08326c352adfd99dba3ace |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 69f2a0890086ffd7d59f2f98be032660 |
| SHA1 | ecfaa9527243ddefe96c470fe3183edd2e5c22d7 |
| SHA256 | 82ff4ab93cd879e9d799e4935a0d4686cd750badca1f4b89009f2817d8e7175d |
| SHA512 | 3967f91f7ad04cfc3acc7384c3f3705c0e70aeaf22fb56874c1b31dbf3d7875493864222c2fcec7bbd30b74a80eac2f20b461d95d11e3d82dc3ac91ac5aa4ae2 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 78cdcef42ff01e8a6990e3fb923969b2 |
| SHA1 | b9a7f32d5aec175e4fb1f8addb6241d5dce7dc47 |
| SHA256 | 2e794d0a7ae105405b4593ee8414ce9d6c8c5484d2228b378cb3e4c948b39d9c |
| SHA512 | 613b682890aad5664d2c7ba1f07835b3679cf7fdb8a7e85b59ad95f36cfaf9314acfe19bb9ede23cf593a28500c57b78e2e9233b3130fbda70b4f7d49d9c97ec |
Memory dumps
memory/4900-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2756-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4900-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2756-7-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3796-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2756-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/772-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3796-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/772-20-0x0000000000400000-0x000000000042B000-memory.dmp