Analysis Overview
SHA256
13b9657cfdcc915ef7625b1e06ec511a2b6d5e5d5acd70e66b1b24fa55c8ff64
Threat Level: Known bad
The file ea17bb1f3f9bac43c64d115bcf0bf690N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 18:58
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 18:58
Reported
2024-08-16 19:00
Platform
win7-20240704-en
Max time kernel
115s
Max time network
123s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe
"C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | 0ccdf9a9fde38b520e85afb58b9abd33 |
| SHA1 | cb529f30f43828ef613c3fe96d1c022d1fbd54c9 |
| SHA256 | c12b3b05e7a445d147adf85b72dedbce794d8ca068cc8e85ecc39faa4a232de7 |
| SHA512 | b44352a9580b3cdc07a307f83175b72a199ee61347435f1d04042fec846a3b614f8f8625a45352efa5a3ae423f3f4adcd2fc5df49ac97e30b806c3ba5765f0dc |
\Windows\SysWOW64\omsecor.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | e306cc64810b2801785fc89288354c7e |
| SHA1 | af7a8e11d32b678590be1581e9bd58d0457de5fa |
| SHA256 | 794c9762746272a26124efa609cf8867679340d904d6ef9d8a25f7ad7869a077 |
| SHA512 | af9246752ca4eaf8de317dd18ddf603a667e2a57b553b840fb5864a94bcac55b4eca9213d97ce3aae60560f46e45d52753afaad972abd968df7f29473ef6775d |
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | 1a3e5f41d28dd28cc513828105aa145a |
| SHA1 | d1d56f932c43ec83f64cb1ea49a5607839e291ea |
| SHA256 | bd58fb5435c46e5867b0ae1935bb0e1388b759d6ce76c4d1ddb13892d1e2bed8 |
| SHA512 | 619975e508120112f0a946cf34247c227991443849396ecb67d254b95eb55137de2a6d99c33f88b092fee7b640a5fbe158d6d4f282e959342c4ba30ab7377777 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 18:58
Reported
2024-08-16 19:00
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe
"C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | 0ccdf9a9fde38b520e85afb58b9abd33 |
| SHA1 | cb529f30f43828ef613c3fe96d1c022d1fbd54c9 |
| SHA256 | c12b3b05e7a445d147adf85b72dedbce794d8ca068cc8e85ecc39faa4a232de7 |
| SHA512 | b44352a9580b3cdc07a307f83175b72a199ee61347435f1d04042fec846a3b614f8f8625a45352efa5a3ae423f3f4adcd2fc5df49ac97e30b806c3ba5765f0dc |
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | 579d9e3e25c7398ec26f70a7245bb85f |
| SHA1 | d46abea89e988bee7985b8869885a8294dfcf677 |
| SHA256 | 6093f8a6a56cb6b3f4583bfe7e7493dacd60ef448326255d42431fba1c10f5ea |
| SHA512 | b7ae4232e2648e60dd624e5116b373c1a47e63cbef787c0d857d361313c7e6e3a7a335a2059a827df03db5b5c3a3cfc73d878cce6874bff7a143321863b5cd14 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Hash |
| --- | --- |
| MD5 | 71176f26e28a6541c75a38469028e4d1 |
| SHA1 | d157fb39afbeb9ba659a02192cc76436bc813e0d |
| SHA256 | ec215fad15937415a87cadf5323b136410bfa728a82b1579f3dc91380487cbdc |
| SHA512 | de97ad51036479d9cb6591daf86f9f909e43d6f610ad5c8479ef8e8158cecf36f319d3f3108408cb337cba2b26f88b5bfe4ca49eb4ae9b27cfa267a432ff7034 |