Analysis Overview
SHA256
27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91
Threat Level: Known bad
The file 27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-16 20:28
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-16 20:28
Reported
2024-08-16 20:31
Platform
win7-20240729-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe
"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2876-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d57ae7dbb5a48670725cfa265ef81a78 |
| SHA1 | b8eb6a33c6e5783b96d3ca0c3aea252cc156d636 |
| SHA256 | 4ef7b11020f5aae04ba77026cc4450d638a9b55832b7d32c5528e683830dead3 |
| SHA512 | 55744eee247ce8b755f4c88c1465d2566644e0d5291b4763aee7385a692a67d0a29319613579870d12ed78589c798dab8b9ff26dfda02c954c7c6a326e9c9530 |
memory/2516-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2876-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2516-12-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 873f4c90a4c108af497fb8ac96ea56c3 |
| SHA1 | c64cf61142ed0032821dc186e748f38e69b98c73 |
| SHA256 | 8b16684dd296c35565cd8b39ace2cbefd0640e7ff1ee774c3a0c44f1068f4d02 |
| SHA512 | 2c3aa1531b1dc3b3128b27fa032bd987204d6975107ebd309548586dd9585b876288da9759d81a4568f4bab7c6e68c00a4051d358fe93a2881168c831659e123 |
memory/2516-17-0x0000000000320000-0x000000000035E000-memory.dmp
memory/2516-24-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2516-23-0x0000000000320000-0x000000000035E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5eec3869f5533493e5d42a6d98a2c390 |
| SHA1 | 6940b7ee0097a8e3e31de25e1c2cdbc71e4405ee |
| SHA256 | af0f7c3d0f06be06879dd0f80c6da04d335b278790cddabbce6c85de37972ce0 |
| SHA512 | 868218bc80ab2b4eaae2ed99b301c54215e3ceb9926cb178df00eff50f7561bc976d4f69db300b8bcee19c0bc73e374794cad9245b6f9832628abc0fe84b9075 |
memory/944-29-0x00000000002D0000-0x000000000030E000-memory.dmp
memory/944-36-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2204-38-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-16 20:28
Reported
2024-08-16 20:31
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe
"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/1688-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d57ae7dbb5a48670725cfa265ef81a78 |
| SHA1 | b8eb6a33c6e5783b96d3ca0c3aea252cc156d636 |
| SHA256 | 4ef7b11020f5aae04ba77026cc4450d638a9b55832b7d32c5528e683830dead3 |
| SHA512 | 55744eee247ce8b755f4c88c1465d2566644e0d5291b4763aee7385a692a67d0a29319613579870d12ed78589c798dab8b9ff26dfda02c954c7c6a326e9c9530 |
memory/3844-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1688-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3844-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 0420272755ad5561646342fc1fd0b179 |
| SHA1 | ca78b1bf08b66294aebf827e829a8bacb766a8bd |
| SHA256 | a696331af671eeb19ea91ad5c0cad8c5b2e75cc0722c68f31fcbe39d8b6b41ec |
| SHA512 | c5a92cd4eac66f698633f04f93f81492909b5f40eb897c0a88e3e3261632da01d872a51cb866aca1aa41eb63b79a91ea7deba5f4d2de92796f45807966c72389 |
memory/3844-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4424-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4424-16-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 62f95fa69db60d791de050e2049e1f9f |
| SHA1 | 022481edf9a76ab8c07ffaf692642a3e64d21297 |
| SHA256 | c2c192995552bd9f13bee937a8859dd97f232e6fa3d15d53b1a7eb1d4ffe8c47 |
| SHA512 | 835d62bd6b9388ad702f1bea1851326fb4a95d106c493cc461a3af284e20fa0c13af405ad6a063ec4ab19e21713598901066ebe3efbdd9cc4f569d458dad255c |
memory/4384-18-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4384-20-0x0000000000400000-0x000000000043E000-memory.dmp