Analysis Overview
SHA256
7a2b390ed6c2efe72e1c7458e640555cb3e70abcbd6f6021bfd598734558b312
Threat Level: Known bad
The file 73917747d0bb260e7f6224e9ef89b170N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 12:36
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 12:36
Reported
2024-08-16 12:38
Platform
win7-20240729-en
Max time kernel
114s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe
"C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2412-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 6699b4b99fb87a6ee0b6519ef430d309 |
| SHA1 | 0bc9e17404c33fee3205a85c405fa9f039cc79ad |
| SHA256 | 7cdf086cb3dedceef0a7bcfa2b598e7013f975bc30353306eb35f4a00c22e9eb |
| SHA512 | c603496cd615d3ff3e972b6b13cb2f09af0b2e5a659d22a7a20d7643b505d11cebf1e4b7a12bb4559a7326a0375414434c0e53080dba8d7b1fc3d370de486ec9 |
memory/2188-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2412-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2188-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2188-17-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2188-20-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2188-23-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 1c5561101bd6e6b6c1939994335f484d |
| SHA1 | b0390cd052f4e141192941ba6be80cc188f9c258 |
| SHA256 | b3dc85093e7b43b149ee7998f46ed85721535d2e0ee31af6d43910274df920be |
| SHA512 | c0c00f42c397f601e17da64b41825fd18934c7b3c75b9f47359e8dbf58665b5a82ce7721b85736cb9d5c5d49f47ba19351eeb63bd8a714a1a19bef6e9b9e47c1 |
memory/2188-27-0x0000000000430000-0x000000000045D000-memory.dmp
memory/780-35-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2188-33-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | ccaee2918aa0dcc91478005f88fc9467 |
| SHA1 | da1dfc1d835859accb011c18ed9dd2afd0edce0e |
| SHA256 | d54a20a4546cac3bc7f75326063344372c968e6cf52b2c19299adf9e940be907 |
| SHA512 | 704a0975cb3650d049bb84e498129683a60bce04eb10485bcdd06b10666ab4663c66f271044872ac8ce7f8e3bb9966021ed17c579976195b9d9523f3814d2b69 |
memory/1820-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/780-45-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1820-49-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 12:36
Reported
2024-08-16 12:38
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe
"C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2000-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 6699b4b99fb87a6ee0b6519ef430d309 |
| SHA1 | 0bc9e17404c33fee3205a85c405fa9f039cc79ad |
| SHA256 | 7cdf086cb3dedceef0a7bcfa2b598e7013f975bc30353306eb35f4a00c22e9eb |
| SHA512 | c603496cd615d3ff3e972b6b13cb2f09af0b2e5a659d22a7a20d7643b505d11cebf1e4b7a12bb4559a7326a0375414434c0e53080dba8d7b1fc3d370de486ec9 |
memory/1272-4-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2000-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1272-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1272-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1272-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1272-15-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 4b283b7c8f5ee034d8eee44ff1eb6d07 |
| SHA1 | bd3276b851deee2577ce9f558a56a4734d713cbb |
| SHA256 | 9b9ffbff4fc9075b57ecef65234eb3d1cd54d83367fd8475d0d8cc02bb927b70 |
| SHA512 | 4a2b72bf7e06a809604a14b25ad0a9e5f5a49028013d2273bf704f4285d2f545a7d4305b1ae2302ebc4205a32894f219b16ba17e0f5a163e7bc3acfc2a4157cf |
memory/4140-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1272-22-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 192c640cd317113e9370cfc9a3f708c6 |
| SHA1 | 61c837e59a32d7c62ab8f03e1eace4f341288d43 |
| SHA256 | 7f39d44faa8ddfe0c6d9de3e1a2a7c800f709a10a8deae80632cecab0e5c8758 |
| SHA512 | 26bb029a94666fa487f61d8b767a529bf09da8a9829d607d713d16599a7345e9e8dd11d3e2327f9036d704a492d3d9975943974206598a71c109202a20fa47ae |
memory/4140-28-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1756-26-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1756-30-0x0000000000400000-0x000000000042D000-memory.dmp