Analysis Overview
SHA256
442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b
Threat Level: Known bad
The file 442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 21:28
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 21:28
Reported
2024-08-17 21:30
Platform
win7-20240704-en
Max time kernel
146s
Max time network
148s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe | "C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
The third process is launched with a System32 path but its image is in SysWOW64: the sample is 32-bit and runs under WOW64, so file system redirection turns its System32 file writes and launches into SysWOW64 ones. That is also why the "Drops file in System32 directory" indicator above points at C:\Windows\SysWOW64\omsecor.exe. When hunting on 64-bit hosts, check both directories for omsecor.exe.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2740-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3a34abdd8486611c2b5b75e731659218 |
| SHA1 | 17646419164b1b0a0c84b53dca714ea75be3b546 |
| SHA256 | 78c50b771ab47e8cda508ba9615b8ba500df4663184310c2ded091130d9845aa |
| SHA512 | a405c4cbab505865f337110858ce4f07cbfca16de648b580612ea273efea3b6949c36463ebde0d2efea6239a42e9964db88fc9ef93b097dcda20788a67b5ffd0 |
memory/2740-8-0x00000000001B0000-0x00000000001EE000-memory.dmp
memory/2740-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2800-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2800-13-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | b691b67d9835f523cfd3b73d37593db6 |
| SHA1 | 48e0196a3793df788585b6aff42149d7a2a18849 |
| SHA256 | 34e2326f3f3a31a7e0d090fcae70d5a7fa8fd2f3a0d2768f683246cbd2f6f8fe |
| SHA512 | 9dbc30666699cd749e944c130ca251791d5e363f16615046ab28985de6e7aa1b81dc5a3f785429d1111861ab4d09bf131f7b756b425541b68596d2943b292acc |
memory/2572-27-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2800-25-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2800-24-0x00000000002D0000-0x000000000030E000-memory.dmp
memory/2800-23-0x00000000002D0000-0x000000000030E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8dd2141e4c80a53df3d82e251feeec3c |
| SHA1 | f744df890da169a786e6d60308844af08eb14039 |
| SHA256 | a2de9c3a941298c95a71cd3a2c507f04d0d7aa0d77847c28442cf7e5af89a4d9 |
| SHA512 | 56ed581e0fa817ada44b8e3eb1a7aad67d6ed2318a236877db26e3d2427e8382262fbd26cd722793e6e7536d10c4c74cb0d74a024a3ffd392a19501d22ff9533 |
memory/2572-32-0x00000000003C0000-0x00000000003FE000-memory.dmp
memory/2572-37-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2988-40-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 21:28
Reported
2024-08-17 21:30
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
151s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1316 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1316 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1316 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 952 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 952 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 952 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe | "C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
As in behavioral1, the SysWOW64 copy is started with a System32 command line; the 32-bit sample's System32 writes and launches are redirected to SysWOW64 by WOW64 file system redirection, so both directories need to be checked for omsecor.exe on 64-bit hosts.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
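The three tables a responder actually works from in this report are the WriteProcessMemory rows (which give the injection chain 1316 -> 952 -> 3464 with its image paths), the Network table (where the three contacted domains sit among resolver queries, PTR lookups and Windows 10 background traffic), and the Files sections (where the dropped omsecor.exe does not keep the same SHA256 between the two runs, or even between the two drops within behavioral1). The script below is an added example, not part of the sandbox output: it parses rows copied from the tables above and turns them into hunting artefacts. The list of benign domain suffixes is my own assumption and should be tuned to the telemetry of the environment being searched.

```python
"""Work the report's own tables into hunting artefacts: the
WriteProcessMemory chain, the C2 endpoints among the sandbox noise, and
whether the dropped omsecor.exe keeps a stable hash between runs.
Added example; the table rows are copied from the report, the
benign-suffix list is an assumption to tune per environment."""
import re
from collections import defaultdict

# Rows copied from the behavioral2 "Suspicious use of WriteProcessMemory"
# table (one row per write, so duplicates are expected).
WPM_TABLE = r"""
| PID 1316 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1316 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 952 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
"""

# Subset of the behavioral2 Network table, copied verbatim.
NET_TABLE = r"""
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
"""

# (path, sha256) of every dropped copy listed in the Files sections of
# behavioral1 and behavioral2.
DROPPED = [
    (r"\Users\Admin\AppData\Roaming\omsecor.exe", "78c50b771ab47e8cda508ba9615b8ba500df4663184310c2ded091130d9845aa"),
    (r"\Windows\SysWOW64\omsecor.exe", "34e2326f3f3a31a7e0d090fcae70d5a7fa8fd2f3a0d2768f683246cbd2f6f8fe"),
    (r"\Users\Admin\AppData\Roaming\omsecor.exe", "a2de9c3a941298c95a71cd3a2c507f04d0d7aa0d77847c28442cf7e5af89a4d9"),
    (r"C:\Users\Admin\AppData\Roaming\omsecor.exe", "78c50b771ab47e8cda508ba9615b8ba500df4663184310c2ded091130d9845aa"),
    (r"C:\Windows\SysWOW64\omsecor.exe", "3817d16cab40f69efd3f64bc44b6afc2433aed2586b83f548418590ef5235fd3"),
]

# Assumed benign: reverse lookups and the Windows 10 background traffic
# seen in this run (tse1.mm.bing.net). Tune for your own environment.
BENIGN_SUFFIXES = (".in-addr.arpa", ".bing.net", ".microsoft.com", ".windowsupdate.com")

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_rows(table):
    """Split one of the report's pipe tables into lists of stripped cells."""
    rows = []
    for line in table.strip().splitlines():
        rows.append([c.strip() for c in line.strip().strip("|").split("|")])
    return rows


def injection_chain(table=WPM_TABLE):
    """Ordered, de-duplicated write edges as
    (writer_pid, target_pid, writer_image, target_image)."""
    edges = []
    for desc, _indicator, proc, target in parse_rows(table):
        m = WPM_RE.fullmatch(desc)
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), proc, target)
        if edge not in edges:
            edges.append(edge)
    return edges


def c2_candidates(table=NET_TABLE):
    """Map each non-benign domain to the TCP endpoints it was contacted on.
    The udp rows to 8.8.8.8:53 are the resolver queries themselves and
    carry no endpoint, so only tcp rows are kept."""
    out = defaultdict(set)
    for _cc, dest, domain, proto in parse_rows(table):
        if proto != "tcp" or domain.endswith(BENIGN_SUFFIXES):
            continue
        out[domain].add(dest)
    return dict(out)


def unstable_hashes(dropped=DROPPED):
    """Paths whose dropped copies have more than one SHA256 on record.
    Such hashes make poor indicators; the path and the endpoints do not."""
    by_path = defaultdict(set)
    for path, sha in dropped:
        p = path.lower()
        p = p[2:] if p.startswith("c:") else p  # normalise the drive prefix
        by_path[p].add(sha)
    return sorted(p for p, hashes in by_path.items() if len(hashes) > 1)


if __name__ == "__main__":
    for writer, target, w_img, t_img in injection_chain():
        print(f"{writer} ({w_img}) -> {target} ({t_img})")
    for domain, dests in c2_candidates().items():
        print(domain, sorted(dests))
    print("unstable hashes:", unstable_hashes())
```

Run stand-alone it prints the two-hop chain from the submitted sample to the SysWOW64 copy, the three contacted domains with their endpoints, and both omsecor.exe paths as hash-unstable. The practical consequence of the last result is that the per-drop hashes in the Files sections should not be the primary indicator; the path pattern (AppData\Roaming\omsecor.exe writing to SysWOW64\omsecor.exe), the parent-child write sequence and the network endpoints are the stable parts.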
Files
memory/1316-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3a34abdd8486611c2b5b75e731659218 |
| SHA1 | 17646419164b1b0a0c84b53dca714ea75be3b546 |
| SHA256 | 78c50b771ab47e8cda508ba9615b8ba500df4663184310c2ded091130d9845aa |
| SHA512 | a405c4cbab505865f337110858ce4f07cbfca16de648b580612ea273efea3b6949c36463ebde0d2efea6239a42e9964db88fc9ef93b097dcda20788a67b5ffd0 |
memory/1316-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/952-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/952-7-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3464-12-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 3c4ca7960d722b4066e1975dea332d4c |
| SHA1 | f6f69450769621352e16a9335eff97bbb9f7dbe5 |
| SHA256 | 3817d16cab40f69efd3f64bc44b6afc2433aed2586b83f548418590ef5235fd3 |
| SHA512 | 307437b943fe8d0eac3233185fb21608ed1be1c616517062565461d0c4c29f233d792b8d12dd03f5d8a178eae9d5ed4588beb85efd9a962a8851aad9a08e5591 |
memory/952-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3464-14-0x0000000000400000-0x000000000043E000-memory.dmp