Analysis Overview
SHA256
2eea4efe66ea8a5029633bfc18052a245330c46937cc45c1220276bc1896e8eb
Threat Level: Known bad
The file d3930f930d2878206e180aba0587dba0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 20:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 20:23
Reported
2024-08-16 20:25
Platform
win7-20240705-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2408 set thread context of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe | C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe |
| PID 1268 set thread context of 2932 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3044 set thread context of 1948 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2100 set thread context of 2056 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe
"C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe"
C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe
C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2408-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2600-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2600-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2408-7-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2600-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2600-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2600-14-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2600-13-0x0000000000400000-0x0000000000429000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | edde9eff24e8c8cce5243d7b1c477513 |
| SHA1 | 05c92e94d346fe31efef56dc2d861b7e478f3043 |
| SHA256 | 1167a34795eea8f6f161d37485abedb7f3f08d65da46d37beebaf10fda61e6e2 |
| SHA512 | 9eca9dc77d1f50c264d8a3827f7c32e72868059b21b49a0c022c355ebf72e39b867b0d63935723c98befeae5f484ee54ef46d81d476ff88f35650ea738d43b4c |
memory/1268-22-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1268-31-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2932-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2932-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2932-41-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2932-44-0x0000000000400000-0x0000000000429000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 361e797fd5ca0adf9577ffa4288bed91 |
| SHA1 | 40bd0876566f08449ef1b55d1321cdd6630365b2 |
| SHA256 | 526d0213580dfda27256cdca1543a92f1f840ced8578f4c4b035303d73e9029a |
| SHA512 | 57390b95ddd98e23e52dc641664393010e5936f5a05f27b587a0fb528319db1f6395d6bc2c4ac4c0f942750816826c08edab4b33b090c1619e11c48893b43a74 |
memory/2932-47-0x0000000001FA0000-0x0000000001FC3000-memory.dmp
memory/2932-56-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3044-57-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3044-65-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1948-72-0x0000000000240000-0x0000000000263000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | dc9c7592bb5053206a600f85457df10c |
| SHA1 | 8ab810ce8c3f4040c3d9a882d4f2f6f18c1f8746 |
| SHA256 | f310651c64f370bc66a9287596e8b421bf15dab2058dc424b8fb243d8a572eff |
| SHA512 | 71032e3e43f9fe1ee3a88c163d0a91613bae2bd40d32847344d70cd1419a3b887a4db78db2e5faf57116b421536f96b14fdbf3cc69b89fa7508eed4b77933279 |
memory/2100-80-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2100-88-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2056-90-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 20:23
Reported
2024-08-16 20:25
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4780 set thread context of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe | C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe |
| PID 4316 set thread context of 2672 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 5056 set thread context of 4840 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4948 set thread context of 2584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe
"C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe"
C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe
C:\Users\Admin\AppData\Local\Temp\d3930f930d2878206e180aba0587dba0N.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4780 -ip 4780
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 296
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4316 -ip 4316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 284
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5056 -ip 5056
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4948 -ip 4948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 268
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/4780-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3108-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3108-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3108-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3108-5-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | edde9eff24e8c8cce5243d7b1c477513 |
| SHA1 | 05c92e94d346fe31efef56dc2d861b7e478f3043 |
| SHA256 | 1167a34795eea8f6f161d37485abedb7f3f08d65da46d37beebaf10fda61e6e2 |
| SHA512 | 9eca9dc77d1f50c264d8a3827f7c32e72868059b21b49a0c022c355ebf72e39b867b0d63935723c98befeae5f484ee54ef46d81d476ff88f35650ea738d43b4c |
memory/4316-10-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2672-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2672-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4780-17-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2672-18-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2672-21-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2672-24-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2672-25-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5056-30-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | ad3a69a3942ff066411ac46ea389f9f5 |
| SHA1 | 465b009f6006f374b1b0646bbabc7e3cebae85ca |
| SHA256 | acb9ed5a3602deb96dd7e48319ea2c4c5d7a38736792b484f6696eb2c41c911e |
| SHA512 | eefead86987ac69b23fafa3a4fe062f42d3d11daf75c0b7263f9ded4646cf35f9874ee099de720cc9373004dd955da00ded6fb75369281aa6d821a0ea9f824e6 |
memory/2672-29-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4840-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4840-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4840-38-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 17f7bb1afdf9e272cd56338ab3ae50ff |
| SHA1 | 2f7da7aa85bfe4af0a8e61490f5584379c3bdd79 |
| SHA256 | 23ac74c39cbfca094d421657c8458306bf63233da7478eede3b0fd05b073f497 |
| SHA512 | 06252cd71ac3e8d2a4a53fcf131d5e2db4f1757235d86f7695565fd41256f40a77ed45611cff7ff9a72717c4568f4dea3e28987c108aa2eef5e1702f9d84d104 |
memory/4948-43-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2584-47-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2584-48-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5056-50-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2584-52-0x0000000000400000-0x0000000000429000-memory.dmp