Analysis Overview
SHA256
b52f3ec3d5ee78c2ce147ff2f2d85dc2cf8d65b10723520602cd8493aaa1b5c7
Threat Level: Known bad
The file 741ff93c21af15ccbdf259b024cebb40N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 11:49
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 11:49
Reported
2024-08-16 11:51
Platform
win7-20240705-en
Max time kernel
119s
Max time network
120s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe
"C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/1544-1-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e962b62a32c1ce8c318da671b6df941d |
| SHA1 | 6d8afb4952d4d6907bca9182b70240af31871f43 |
| SHA256 | e546025fed31886798f7e47b9803205206ad4fd45eacd7729e357eccde1f81f1 |
| SHA512 | 400396347e1a39997b77e3724424ba4e484f6ee294c8337fcde5fb2915be1beef5aba85d29e16a7dc7c6c0bc198b229dbcd384a62e9d8338b1714af5fa8a27de |
memory/2696-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1544-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2696-12-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | e90611d086b27c44b6e66f261974d4f7 |
| SHA1 | 4056441fced54e46dd6b6fb5cfa973dd8b744c1e |
| SHA256 | 7a7a47c33d631a6df34f48cc45ef744497583dfb6c0779aa053e8e7405f6ab27 |
| SHA512 | 9fb46fd73717ea9a3f836588a19202f8953b86502a82e9d2990bd3733e28667f8d0b2d9209370adc6a3651529b75c8aaab8e092505950935a276c3910f1732ee |
memory/2696-17-0x0000000000290000-0x00000000002CE000-memory.dmp
memory/2696-24-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2424-29-0x0000000000220000-0x000000000025E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5e3bf003c304180174bb751df622f63a |
| SHA1 | 61b396b49ef2c56de6c5e46e7d1fd76f38428280 |
| SHA256 | c601cc325fa1d15c495a46e56774382477c0d2b22c56e2c02ee1588f26a66403 |
| SHA512 | 54f61d6644da98718db2f7882067aa2db5bc2a771b2f24c8a4c49eafaf37eda9652878408adbd9ec4f1dc7d2f101c255ce795e5820f41ec452b9893fd76216cb |
memory/1744-36-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2424-35-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1744-38-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 11:49
Reported
2024-08-16 11:51
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
123s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe
"C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/624-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/968-4-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e962b62a32c1ce8c318da671b6df941d |
| SHA1 | 6d8afb4952d4d6907bca9182b70240af31871f43 |
| SHA256 | e546025fed31886798f7e47b9803205206ad4fd45eacd7729e357eccde1f81f1 |
| SHA512 | 400396347e1a39997b77e3724424ba4e484f6ee294c8337fcde5fb2915be1beef5aba85d29e16a7dc7c6c0bc198b229dbcd384a62e9d8338b1714af5fa8a27de |
memory/624-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/968-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 78859c48701f5c431bb3f0bb2e921127 |
| SHA1 | efa7431f7fa3f269ed5bb6e89449b8a72170c8b5 |
| SHA256 | 1b7a2f85e5c1fed912cd41d4416ce8f15a4e376f4cc652ce14d254cf726eebdf |
| SHA512 | bd7fc429f344f11e640191aba261511fdc479d86e75f5252eef95d260f583fd3b0e2d8dbeebb25b5cbd546922ace3ee1ec480ea09aeeb41cddab74c91cee0d11 |
memory/1612-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/968-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1612-17-0x0000000000400000-0x000000000043E000-memory.dmp
memory/408-18-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8ccbdd1d5f233c531c344f23f7823a75 |
| SHA1 | f6198d41151ddefd79e5e4568b1d54f97af6c9e0 |
| SHA256 | 5d5b0aff2d6c7fbda3746bc4cc86ac2d1ff17cbad222123ebe9cab2cdd8fe945 |
| SHA512 | af6ebba4ab4e9a29dfd02788d84a3272f91ab5b5de3535f96362310acf7167a971e004f9accbc47e85b20aab13da07946b14a56e036c71d450e4dc5e039c3306 |
memory/408-20-0x0000000000400000-0x000000000043E000-memory.dmp