Analysis Overview
SHA256
f7b6791603107af9bc76001ecc8113bafe0d8b8454999adf0ba387de79de6f63
Threat Level: Known bad
The file 5b6c7474496516e1b906a62fb42adcb0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 17:06
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 17:06
Reported
2024-08-16 17:08
Platform
win7-20240729-en
Max time kernel
116s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe
"C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 920bd830dd09045b91b3703bc715037a |
| SHA1 | 7e183e8dec67773df8cf705507cd98760c23f0f8 |
| SHA256 | b66ffc4daff7e74c43eaf56e5c414b205d964f5e190b33a49ba690b379dc7c7b |
| SHA512 | 1522b2ec474099fc796b87b34eb4e2a23956e783cf46044c34b00fafd6bab653776fa024dd2170de6d4f359d73162c3304e4cb68fd9eb8ed852b1d2501a343c0 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 01844ead966ebb2f866d20e27b178e7d |
| SHA1 | dc35ea91324d10405bbc7137183c718114483927 |
| SHA256 | 49fb919d5a80d02a27723ddb1d456417d97e147664306e79fa983d81e3cd3c28 |
| SHA512 | 778e55c6a8e1231c89d54c91e49794a1f0f39c03c620fa4edd021129875dac5d980f2c6ee5cb055bcbf2b342f622cffb3e16988c0cb1a2e9570cc9fa19971462 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 5c946cbf07840a44958684d52a20b6f2 |
| SHA1 | 274090553d8c12729d9d11745863849bd2ad99ce |
| SHA256 | e43fce1f16ac42448352eae9c6341349e63698b24e3b344dcc31394616fca3bc |
| SHA512 | 4a9ad24d0c7acbe137283f7e82046bfbd42eac9a2885201294992268248e0ac5a641cdded648930a1dfc58da217793171606f94094fd781d33882104393aa499 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 17:06
Reported
2024-08-16 17:08
Platform
win10v2004-20240802-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1684 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1684 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1684 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2436 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2436 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2436 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe
"C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 920bd830dd09045b91b3703bc715037a |
| SHA1 | 7e183e8dec67773df8cf705507cd98760c23f0f8 |
| SHA256 | b66ffc4daff7e74c43eaf56e5c414b205d964f5e190b33a49ba690b379dc7c7b |
| SHA512 | 1522b2ec474099fc796b87b34eb4e2a23956e783cf46044c34b00fafd6bab653776fa024dd2170de6d4f359d73162c3304e4cb68fd9eb8ed852b1d2501a343c0 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | a1522cd56d073f343c50ad74e1017639 |
| SHA1 | 4dd455a6c31790e7e4177c96d86a90f2135f5a75 |
| SHA256 | 5c67feae83ebeda61a1153ed0b202651ccba8e60511db68291d757a22689df8c |
| SHA512 | 98195499f4bbf23dd7c482bd7bc3b10a653d0f4f195592ce159f214e03d7c8b76945877f30fe781662f55eab682cec002bfee2fa8edc8687fd5cd4fd0415a8bc |