Analysis Overview
SHA256
824ef1a7ea9f475f23928204f94d0dc225a41594c3e37f9c52b71975b8447af1
Threat Level: Known bad
The file 0a16a8df051ef209f93aef9f53e36ed0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 12:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 12:34
Reported
2024-08-16 12:36
Platform
win7-20240705-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3008 set thread context of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe | C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe |
| PID 2596 set thread context of 2912 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 436 set thread context of 2400 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2444 set thread context of 1920 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe
"C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe"
C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe
C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 28c8ff78d950f72f2735422135c79eee |
| SHA1 | 62005b2538e71c8c18296ddc093d1e7ceb48b9ca |
| SHA256 | 3edb44d2561a68f13463441a1dd1712fe64d1f7ccf802328bc24d615a698ce2b |
| SHA512 | 46bb651c6e15812b884201280f0c66ccf91c20c0fcac473b01ed1b2a223b93695fe259e99cccdeca624ac503156b6bc2909789b218b7d94421ea78cf4d20c079 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 557615fd176cfe932e8e14a391ce6cb4 |
| SHA1 | b5562ad16b75f02a8c86f6e2e8c6e74858e96406 |
| SHA256 | 691cfd104f767d31de8fb15a460afd89a1d10f9700c419e07059b1d6d42b18ce |
| SHA512 | 5cb4baeafeca3f4191a4c19ead3fd436bb36d8d6bc1e4301130ef71288fdc19f9716c913492483fc8484faaa6422131429ec0859d64f67437c92466ed6400fe8 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 98b9b102a66537f9ad0eeb6ef8bb8789 |
| SHA1 | 07ae6114ccd1e79955ce5339003ccbbff15a6f3d |
| SHA256 | 322466bce86af650b1e14b5c1b8d606a760cf5d3c8306b2b24eb0efd10d6b2b9 |
| SHA512 | 5cf50ff62284b3f3c9390ea9f85d14e63aa852e354917f45291c5e62fe4f28033a76d3db449e70190908e06a699add8c95b30e539c174e462ba9f22549cdef8b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 12:34
Reported
2024-08-16 12:36
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4956 set thread context of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe | C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe |
| PID 2320 set thread context of 3256 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3608 set thread context of 5056 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1156 set thread context of 3548 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe
"C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe"
C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe
C:\Users\Admin\AppData\Local\Temp\0a16a8df051ef209f93aef9f53e36ed0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4956 -ip 4956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 300
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2320 -ip 2320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 300
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3608 -ip 3608
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1156 -ip 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 256
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 28c8ff78d950f72f2735422135c79eee |
| SHA1 | 62005b2538e71c8c18296ddc093d1e7ceb48b9ca |
| SHA256 | 3edb44d2561a68f13463441a1dd1712fe64d1f7ccf802328bc24d615a698ce2b |
| SHA512 | 46bb651c6e15812b884201280f0c66ccf91c20c0fcac473b01ed1b2a223b93695fe259e99cccdeca624ac503156b6bc2909789b218b7d94421ea78cf4d20c079 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 4350e7724472d9de86804ece9a8d4d22 |
| SHA1 | 026e757bcf7adbafe36665f918602ac80ec304ff |
| SHA256 | 2860c065bfc818f10d3ee3339bb5e312bcd52a196f70c219c20a019e27860e1d |
| SHA512 | e22888e433d97375978bf0e129f84448fbb9d104ffdbadcc8fef7240788d7e408e46a61796ae353e2c14593ce093e3fee4343c2c206f7cab2bfa881a82e35263 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 52bf92382c49a5b40005c625e62bc040 |
| SHA1 | d4aeef25e764b583761ab5c2ca2b8d1e88d7e9ed |
| SHA256 | 52f4170486e07ea3b2a662b8c9feba370ae3958aeb4da1516a2a1970c7c5d326 |
| SHA512 | 158ea95f924b95e5bd8c2843b2f44194a2a5d8659988b490f488aceea89fb8f65b38c13f661d660c74a43f201d3b001c9e5533437ea4f790e5d989bc68d1ce46 |