Analysis Overview
SHA256
27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91
Threat Level: Known bad
The file 27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 20:25
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 20:25
Reported
2024-08-16 20:28
Platform
win7-20240704-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe
"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d57ae7dbb5a48670725cfa265ef81a78 |
| SHA1 | b8eb6a33c6e5783b96d3ca0c3aea252cc156d636 |
| SHA256 | 4ef7b11020f5aae04ba77026cc4450d638a9b55832b7d32c5528e683830dead3 |
| SHA512 | 55744eee247ce8b755f4c88c1465d2566644e0d5291b4763aee7385a692a67d0a29319613579870d12ed78589c798dab8b9ff26dfda02c954c7c6a326e9c9530 |
\Windows\SysWOW64\omsecor.exe
| MD5 | c2d44123e5a850473345783f9c5333f2 |
| SHA1 | 7e37b6fcf26cd4ad4e29196c71c308ad96c2701f |
| SHA256 | 8f5520fa8234de3c851f7ddbf319313864bd8bb9d48687a456b9f55594014df8 |
| SHA512 | 5a865020c521467c6488d2bebcb3edb60c2165150663169229a70f76941be12e497a0df3ba652077b80a69899846726443b3f29030ef517df769c42b8d660f4f |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d115c92484dcf2607d9f55150c808b58 |
| SHA1 | 62b1e3fac2de2629133e70a958ff22d2305d2dd5 |
| SHA256 | 01ef9d4ed50d7b436f3717a1504f0061c061c340b1f2c5dbd089ead781476f40 |
| SHA512 | 37b8cce138b1ff7f6671c2ea9514b7e81f848331b7373257aa95e49e64bca189b09fdcf3ddfe230a66ee16a9876da379cd1e5dd4d844391cef5ad38d789b4b77 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 20:25
Reported
2024-08-16 20:28
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe
"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d57ae7dbb5a48670725cfa265ef81a78 |
| SHA1 | b8eb6a33c6e5783b96d3ca0c3aea252cc156d636 |
| SHA256 | 4ef7b11020f5aae04ba77026cc4450d638a9b55832b7d32c5528e683830dead3 |
| SHA512 | 55744eee247ce8b755f4c88c1465d2566644e0d5291b4763aee7385a692a67d0a29319613579870d12ed78589c798dab8b9ff26dfda02c954c7c6a326e9c9530 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 36ba908690814c84fbc9585b039614b7 |
| SHA1 | 7c51deddc486a538eacc83b1561ae20276206e08 |
| SHA256 | 5b6b0162b0a1ca44fe402b32304149bb0666f65e64c90ddfbb5b2cb469ee6d0f |
| SHA512 | 4bef244163f91a67ebbcaba89d8241511a254b0bb9644423de10460f6e444774657a992276af0512eaf5e558a6bd19e22bd64d137842b168a884cc0ce62d762a |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f46c822678bcd43e2f81c41ec265d922 |
| SHA1 | 8058ed8facc3bd01a894b6ff14f5d7ef95b00c16 |
| SHA256 | a032951810b71554d8742114a756013ac5923c262b61b96b022eb9bc5115a9fa |
| SHA512 | 7c68a9605412c56fc5fe9a9458cb1cf9fcb9a3ca5a7228bc1a7be5fd81da464d1cd167cd0abf5ae2c9761c24c17a7a135ac34829844774cee1fae9c4e64bd91a |