Analysis Overview
SHA256
f3e7542357ba53f7b28b1e02795a81bfab6dde6a0bd8735c55d588fd9f20edf2
Threat Level: Known bad
The file 4a3f11749bc8b703f5db7e870dbedc80N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 10:15
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 10:15
Reported
2024-08-16 10:17
Platform
win7-20240705-en
Max time kernel
114s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe
"C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/1984-1-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4ffc9955513891d6bb348e88762b44b6 |
| SHA1 | a09b5ce1e090a139315f08635d257e0739ed278b |
| SHA256 | d24a71794becdd42494c2764400e88a4ada576fd21e059855515fa2307c299bb |
| SHA512 | dc8ecb4604d6dbff62f0efc0ee69a502c3688b65441e238392acc8f9c7ca2d505ee3adfe854f8e2279d34527e7ef7e16ffd9550f1c099fda02c4f7ca4d9ce225 |
memory/2360-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2360-11-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 4d2564ea9d1e7c4443f95c77c3be4fd3 |
| SHA1 | bc94768c2d2a130916b43638ae7a8085a473dec7 |
| SHA256 | c36e028b980a57f9776be8eccf3a5444f07824d1d0ffab53f7c53e1f38b0e7a2 |
| SHA512 | cb85a8b9d969913540364a0260e75e891835e53fd4ac4e94bc56f6bf3c44397fe44c6e110e91912b5fcfea484b9725eff1f10bad1d887ee6f1db6e08c6f0c2b0 |
memory/2360-16-0x0000000000440000-0x000000000047E000-memory.dmp
memory/2360-22-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 90250173e3fccf3b0ac3ffa257758cb5 |
| SHA1 | a7b747d3b40973fbed5de2efcd19e15751d54460 |
| SHA256 | 8c28c477ae66649d491d0ed079c12e0fdba2d1b2cecf39d9519cc4e69fdedfdd |
| SHA512 | 93a8748c4f39610644711e0760a7ec7f89831c8836364db6b9c4b8b45c6a747f2a3274e324434dbc679bad812c23a9938f77896b23481468e79671c5b2442c33 |
memory/2320-28-0x0000000000220000-0x000000000025E000-memory.dmp
memory/2320-33-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1904-36-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 10:15
Reported
2024-08-16 10:17
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 920 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 920 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 920 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4556 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4556 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4556 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe
"C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/920-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4ffc9955513891d6bb348e88762b44b6 |
| SHA1 | a09b5ce1e090a139315f08635d257e0739ed278b |
| SHA256 | d24a71794becdd42494c2764400e88a4ada576fd21e059855515fa2307c299bb |
| SHA512 | dc8ecb4604d6dbff62f0efc0ee69a502c3688b65441e238392acc8f9c7ca2d505ee3adfe854f8e2279d34527e7ef7e16ffd9550f1c099fda02c4f7ca4d9ce225 |
memory/4556-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/920-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4556-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | f4f5efd9df851afd5c8ed9db763d1544 |
| SHA1 | f92d935152833dddb608e716856cea8aeef93e46 |
| SHA256 | 692f3162fdcbf0e2a55cab9070bb981340a481f1e74bef8a8856e7aaf9f72a6e |
| SHA512 | af867245151eedbdaae757509867c21127107efe1f49f4e5787f48c3595487acef0c49c6f747427da19defde75c7c8ee9198d665ab2d66c291be8eb75addb90b |
memory/4556-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/764-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/764-14-0x0000000000400000-0x000000000043E000-memory.dmp