Analysis Overview
SHA256: 61432fd5dd4dc3014ff9b67f3ada5b6e0690430e6943af208677ed5cb03d5f76
Threat Level: Known bad
The file 5d17a345e856fec8a2071e09c389e040N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 00:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 00:35
Reported
2024-08-17 00:37
Platform
win7-20240729-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2660 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe |
| PID 2744 set thread context of 2972 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1952 set thread context of 600 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2436 set thread context of 2364 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
"C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe"
C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| MD5 | 830f191839931124411aa22b7823c429 |
| SHA1 | 13da3726f6579ea892e38978fe0d4f83d414a8b3 |
| SHA256 | 66136da83767cebbbaccdc8e436f3a8e47cbf25b752b7f221a26403cdfcad638 |
| SHA512 | a9821a1a7b8a72eed72605d485149386d6e75b07fe719b190655c6a2dbe117c00fe5850acbdecced620053f349768369a4a9650c3ea0e787ac8d71187467fc8a |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| MD5 | b2fd7143ad061d97455c364d4aae99da |
| SHA1 | 9e924fb17f9e5d36d8c7a24c00b5229a5055bdc2 |
| SHA256 | 94ab35526db24cfca3ad7a82278f14c515753bd1790a5390ed4e8c07e2fc6c6e |
| SHA512 | fe9a74f5642354189aaa69f23b62dea9cd2d8889a5ac0ee2bc3bc3c269dfddc335b42ee506d216fcb4d7be98a25d44f59bbfaf06372e43171f3ccfaff1e6e09e |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| MD5 | 73dabb9ddeabfc23efc5fb84418c7388 |
| SHA1 | 77e24e3b24a0e03ff30414e7900428d8731b17ad |
| SHA256 | b8f9dad1bf1286c057faaad13686aa7c7a14a5beb81572ea06b870f492f85791 |
| SHA512 | 69ea4bad9d176462f5eaea29f5e0564277815cf01f1fc7ab608f77ea806816ab658d0d7caf84aa7dfbbdc0482158f8da69ab01ccdde39a4d6902556a916d1f31 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 00:35
Reported
2024-08-17 00:37
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1688 set thread context of 5048 | N/A | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe |
| PID 640 set thread context of 4272 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2920 set thread context of 2396 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3648 set thread context of 2320 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
"C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe"
C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
C:\Users\Admin\AppData\Local\Temp\5d17a345e856fec8a2071e09c389e040N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1688 -ip 1688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 288
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 640 -ip 640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 292
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2920 -ip 2920
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3648 -ip 3648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 268
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| MD5 | 830f191839931124411aa22b7823c429 |
| SHA1 | 13da3726f6579ea892e38978fe0d4f83d414a8b3 |
| SHA256 | 66136da83767cebbbaccdc8e436f3a8e47cbf25b752b7f221a26403cdfcad638 |
| SHA512 | a9821a1a7b8a72eed72605d485149386d6e75b07fe719b190655c6a2dbe117c00fe5850acbdecced620053f349768369a4a9650c3ea0e787ac8d71187467fc8a |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| MD5 | 87c8c19a7567d640fb3461e8c4ec99aa |
| SHA1 | c50e60559894d0d203a7625b26c821599e2ce1aa |
| SHA256 | 971cfd86e06c91c74c4027038d85cb4bca74ca2d4f611296a36c750e207492b9 |
| SHA512 | 6537e3bfb673e2328965006f8f40c464bfb742cd1a99380d4d7a8e0ca122c0fbecf05a7f0afc7c32bde838f0d4f7955ac98ad4fcc7fa470357b025028a0a1ac9 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| MD5 | 57d651f5a395b37c360e1524f5e615b3 |
| SHA1 | 87d250426fb97d5b0d68f01cb31d26e1dadcd2f0 |
| SHA256 | b9013b619fe0466fba6bc7e13252a609ad8a0a5f4988efdb004eefe347c25370 |
| SHA512 | 422d61d8d2e54e547b3d1e446eee8a10d35c23ac1b1339c934454708a2d1515fc259e81b4856e92bed1678061e6abd1196056cbe93dce9bffe57f0ff09486a13 |