Analysis Overview
SHA256
4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12
Threat Level: Known bad
The file 4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 21:55
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 21:55
Reported
2024-08-17 21:57
Platform
win7-20240708-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe
"C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2308-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5246311195eaa78de8b60ffec74d4099 |
| SHA1 | 535ff70d664c6da43e8969c2dc8fbeecebb01a8a |
| SHA256 | a5fdef73816f85147e001ef83098a90ab772d19b8039ce5ad4db7222b059937d |
| SHA512 | 21250c466d355990352475c2ede703c8abec65b5bd4e30792307c503b13bb65a5ea61d1d1cd762f9f8582940af4884f0db89a436a97a3e1ad52bfee336372d70 |
memory/2308-9-0x0000000000220000-0x000000000025E000-memory.dmp
memory/1064-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2308-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1064-13-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5305310ee399e78a545eb60f428c3dd6 |
| SHA1 | 510e1151776c24b657739f6eb05d5b90831bcb09 |
| SHA256 | 0ccb53ae680ce8193b0047b0be0af118cc5c93f69dd857453d76b1d041c852c7 |
| SHA512 | c20eb32f5463c73024a3f2d3ec9013f62e3019411cbcb6fe2706b81297224b74bf26450bb6064fa2ccba90415f5198bcd67f48e6f3e2ca93914f12e627e74ca0 |
memory/1064-27-0x0000000000400000-0x000000000043E000-memory.dmp
memory/464-26-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1064-24-0x0000000001F50000-0x0000000001F8E000-memory.dmp
memory/1064-19-0x0000000001F50000-0x0000000001F8E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | dfde9195d33a3ede6f3b575bf70a9328 |
| SHA1 | fad0571404eb6085cb46bc865bc70e02f91193ac |
| SHA256 | 67d6e4bf83e9ea6ac9fbd3d5295729841370d7821c0ba4fe6ce21739ee6a183b |
| SHA512 | 00a58495349c82767a9b6096c25d35c8c793aa6f1bc7079cd49e62aa6e05755bb52c15b6c6be57d921a2308f6806ac45df4b0e466b16749b2fdcc48e4b3688af |
memory/464-32-0x0000000001B60000-0x0000000001B9E000-memory.dmp
memory/464-39-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1944-40-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 21:55
Reported
2024-08-17 21:57
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2224 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2224 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2224 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2848 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2848 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2848 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe
"C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2224-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5246311195eaa78de8b60ffec74d4099 |
| SHA1 | 535ff70d664c6da43e8969c2dc8fbeecebb01a8a |
| SHA256 | a5fdef73816f85147e001ef83098a90ab772d19b8039ce5ad4db7222b059937d |
| SHA512 | 21250c466d355990352475c2ede703c8abec65b5bd4e30792307c503b13bb65a5ea61d1d1cd762f9f8582940af4884f0db89a436a97a3e1ad52bfee336372d70 |
memory/2848-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2224-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2848-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5a1c505f12ae3b6064f5ceee2508d641 |
| SHA1 | 12ec9cf8830fd0ca465f77c8f6e38a41068e0842 |
| SHA256 | 575cdcf80742b143adb2fafdda1b035c5de0185a93fa4fb6d15dabe5ea0d446e |
| SHA512 | f2be9219b6133fa201c163e82062f4bc3bcd0e5ab79eec8162975c4d911c72c9394cddffb9c078e9843283dabcef6a131bc42fb1af80cdeae0dfefc3bf66ac18 |
memory/1952-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2848-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1952-14-0x0000000000400000-0x000000000043E000-memory.dmp