Analysis Overview
SHA256
32ec54cef7d6ced2cd5c4b62eea890742f53724913f402df4020e4627527604d
Threat Level: Known bad
The file a43f45f3744a0a746e92ada850e2bdf0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 12:38
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 12:38
Reported
2024-08-16 12:40
Platform
win7-20240704-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe
"C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/3032-1-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 578ac5f7a098ff228b0276d35fc47705 |
| SHA1 | 60d90c22308f5e2615497b95162d20e260abc195 |
| SHA256 | e6c53763e22f796d6977d1cefa6fc9c608fe4de2ab2596d1c4b1a2cd4cb04ad3 |
| SHA512 | 4128ce085e844fc44887a5946601250075c89d96a8c4df460254afc66900fa2f2591a93c585cdb3144cb79c0c34a8cf1c9e42972af8defa508d41ed5e2d49c84 |
memory/3056-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3032-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3056-12-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 3e387bee6cf8fb1b9fdfaf4e3aca4e38 |
| SHA1 | cfe4f0d8607ef0f0d0db669a0689fc9d5b21ff5f |
| SHA256 | 7bba8b6a2285531da99890a6b4657cc4fd1474b47580cc238768a508bfc7faeb |
| SHA512 | d334eb3ff4d6e2a4298170112d277346c421f5a1f779fa39dafbd5c99a9a582c9b0a273d9a55b40f5e774b9bd06d718c3a3023b542627bec4c05b2b12fa7e260 |
memory/3056-18-0x0000000000280000-0x00000000002BE000-memory.dmp
memory/2164-26-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3056-24-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2164-27-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 12:38
Reported
2024-08-16 12:40
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe
"C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/1552-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 578ac5f7a098ff228b0276d35fc47705 |
| SHA1 | 60d90c22308f5e2615497b95162d20e260abc195 |
| SHA256 | e6c53763e22f796d6977d1cefa6fc9c608fe4de2ab2596d1c4b1a2cd4cb04ad3 |
| SHA512 | 4128ce085e844fc44887a5946601250075c89d96a8c4df460254afc66900fa2f2591a93c585cdb3144cb79c0c34a8cf1c9e42972af8defa508d41ed5e2d49c84 |
memory/2452-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1552-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2452-7-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4932-11-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 82267cb77c0f7cabcf9ae1cb91f3ac41 |
| SHA1 | d0362de4a0677d390fece5499384dc93110ee35c |
| SHA256 | 69e66f70f2d4bc8ef440a4e7536e8d5c0f4f8dd2ce67aefb7fd12fd1598f63dd |
| SHA512 | 482246623ce5576c46e918bb88faa4eec36895c1c5ef42990b8f2b2f6909f9fceb876fb1da3b46eea9f5c897d96cafd79a2fca35dbd0802b6eea3b74052cce17 |
memory/2452-12-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3c4ae9e20cb3049d350c18af85ccade9 |
| SHA1 | 9ae9ff6584ceb8ac9725faffb4dbe112fae6986a |
| SHA256 | 857b598db1979a1da31b0217713ff4544cb4d0aed4fb3aa962974d47fa370bac |
| SHA512 | 7bf9fe90f9783946ac7a53bf9d176c37ac82867a6e0f4a49034002201cdf70af020b2f8c345565749ad0075589ec1e5e3cc5a41f0bfde26b09e3190f23e9711e |
memory/3908-17-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4932-18-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3908-20-0x0000000000400000-0x000000000043E000-memory.dmp