Analysis Overview
SHA256
8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548
Threat Level: Known bad
The file 8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15. Of the signature names above, the one that maps to an ATT&CK technique is System Location Discovery: System Language Discovery (T1614.001); the remaining signatures are sandbox behaviours, not technique names.
Analysis: static1
Detonation Overview
Reported
2024-08-17 01:51
Signatures
Neconyd family
UPX packed file
1 match; no indicator, process or target recorded for this signature.
Unsigned PE
1 match; no indicator, process or target recorded for this signature.
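The static pass reports the sample as UPX-packed and as an unsigned PE but records no detail. The script below, added here as a worked example and not part of this report or of any analysis tool, reproduces those two checks from the PE headers alone: UPX section names and the "UPX!" packer marker for packing, and the security data directory (the Authenticode certificate table) for signing. analyze_pe and build_test_pe are names chosen for this example; build_test_pe constructs a non-runnable PE skeleton as an offline test fixture in place of the real sample. A populated certificate table only shows a signature blob is present; validating it is a job for signtool or osslsigncode, and a packer can rename its sections, so a clean result here is not proof of an unpacked file.

```python
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory slot for the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # Authenticode PKCS#7 blob


def analyze_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to answer the two static1 questions:
    UPX section names / "UPX!" marker (packing) and a populated security data
    directory holding a PKCS#7 WIN_CERTIFICATE (Authenticode present).
    Raises ValueError for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:
        nrva_off = 92            # NumberOfRvaAndSizes offset inside a PE32 optional header
    elif magic == PE32PLUS_MAGIC:
        nrva_off = 108           # ... and inside a PE32+ optional header
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva = struct.unpack_from("<I", data, opt_off + nrva_off)[0]
    sec_off = sec_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        dd = opt_off + nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        sec_off, sec_size = struct.unpack_from("<II", data, dd)   # a file offset, not an RVA
    # Section table: 40-byte entries right after the optional header, name in the first 8 bytes.
    names = []
    for i in range(nsect):
        off = opt_off + opt_size + 40 * i
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    upx_sections = [n for n in names if n.startswith("UPX")]
    upx_marker = b"UPX!" in data          # packer header marker; heuristic, can be patched out
    has_cert = False
    if sec_size >= 8 and sec_off + sec_size <= len(data):
        cert_len, _rev, cert_type = struct.unpack_from("<IHH", data, sec_off)
        has_cert = cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= cert_len <= sec_size
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "sections": names,
        "upx_sections": upx_sections,
        "upx_marker": upx_marker,
        "upx_packed": bool(upx_sections) or upx_marker,
        "has_authenticode": has_cert,   # presence only; validity needs signtool/osslsigncode
    }


def build_test_pe(section_names, signed=False, pe32plus=False, tail=b"") -> bytes:
    """Constructed test fixture: a PE skeleton (valid headers, zero-filled sections) that
    is not runnable. Used here instead of the real sample so the check runs offline."""
    pe_off, file_align = 0x80, 0x200
    opt_size = 240 if pe32plus else 224
    n = len(section_names)
    hdr_len = pe_off + 24 + opt_size + 40 * n
    first_raw = -(-hdr_len // file_align) * file_align       # round headers up to FileAlignment
    img = bytearray(first_raw + file_align * n)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe_off + 4,
                     0x8664 if pe32plus else 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt_off = pe_off + 24
    nrva_off = 108 if pe32plus else 92
    struct.pack_into("<H", img, opt_off, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", img, opt_off + nrva_off, 16)       # NumberOfRvaAndSizes
    for i, name in enumerate(section_names):
        off = opt_off + opt_size + 40 * i
        img[off:off + 8] = name.encode("ascii")[:8].ljust(8, b"\0")
        struct.pack_into("<IIIIIIHHI", img, off + 8, 0x1000, 0x1000 * (i + 1), file_align,
                         first_raw + file_align * i, 0, 0, 0, 0, 0x60000020)
    img += tail
    if signed:
        body = b"\x30\x82\x00\x04\x00\x00\x00\x00"   # placeholder bytes, not a real PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", img, opt_off + nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(img), len(cert))
        img += cert
    return bytes(img)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(analyze_pe(fh.read()))
```

Run it as `python analyze_pe.py <file>` against a sample; the security directory entry is deliberately read as a file offset, which is the one data directory where the PE format does not store an RVA.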
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 01:51
Reported
2024-08-17 01:53
Platform
win7-20240705-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
12 matches, one per dumped file or memory region listed under Files below; no indicator, process or target is recorded for this signature.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery (T1614.001)
HKLM\SYSTEM\ControlSet001\Control\NLS\Language is the key Windows reads to resolve the system locale, so many legitimate programs open it through the locale APIs. On its own the hit does not prove a language check; it is recorded here because every process in the chain did it.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe | "C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
The third process is launched with a System32 path but its image is in SysWOW64, which is what WoW64 file-system redirection does for a 32-bit process: C:\Windows\System32 is mapped to C:\Windows\SysWOW64, the same directory in which the "Drops file in System32 directory" signature saw omsecor.exe created. Roaming\omsecor.exe runs twice, matching the two "Executes dropped EXE" rows for that path.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
Entries named memory/<pid>-<n>-<start>-<end>-memory.dmp are memory regions dumped from the given PID; the same 0x400000-0x43E000 region was dumped from each of the four PIDs 2700, 2080, 3024 and 1484. \Users\Admin\AppData\Roaming\omsecor.exe is listed twice with different hashes because the file at that path was written twice during the run.
memory/2700-1-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6f8e7c9deadd900e11ca84f973365491 |
| SHA1 | 074fa5bd97fe995305e91946bcd92d4e676c78dc |
| SHA256 | 4d7b794a97e04f7e15b8ce1fb43cfa23b22c1211f18779af075d9de513f18dd0 |
| SHA512 | ea263fe4d6aee3ac9a7eb948a4c2c8618dad795bfd5c426466a49edc84ad4c8aa85de70a534ee07c9f25c5a1ea997991bd56509e8ebd5c018cc195a2533dc517 |
memory/2080-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2700-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2080-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2080-18-0x00000000002F0000-0x000000000032E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 678ec6d31ce74f328aba2c9fa6ee5dee |
| SHA1 | 1777f2fab49d80a381ef637e2db1ff5b77a08c61 |
| SHA256 | 698d4c0db82173c6f8ee46c63fa7d84b49b39cc870ec368cc1428ae8ad2f8cb8 |
| SHA512 | 292ef559b36155ea2caac9cf23269d1e177370369bb2312352baa76e5e0d2480980aae4ffd4ea6f985fda85cee04dcb62de662662d5534e3400a3e1c3d99822e |
memory/2080-23-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3990e0beaf195f66027d63de4a43a194 |
| SHA1 | 71f5d0df7f461d4b51953e3d62ad67c496151033 |
| SHA256 | 0d5e08c2f767c340310484b77a0d40131f05340e6b207d85bc02adeb1b2ea824 |
| SHA512 | 5bf881c7dd90d7c15f6f7a64d40d77313072f6b85be127d671dfe32217dea336c190d5385e7d138b5a36cecb1d8685c2fe1b173ce1126fd0ba3d7358d3d93a13 |
memory/3024-28-0x00000000003A0000-0x00000000003DE000-memory.dmp
memory/3024-34-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1484-37-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 01:51
Reported
2024-08-17 01:53
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
9 matches, one per dumped file or memory region listed under Files below; no indicator, process or target is recorded for this signature.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2772 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2772 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2772 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1644 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1644 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1644 wrote to memory of 524 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
| PID | Image | Command line |
| 2772 | C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe | "C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe" |
| 1644 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| 524 | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
PIDs come from the WriteProcessMemory rows above and the memory dump names under Files: 2772 (the sample) writes into 1644 (Roaming\omsecor.exe), which writes into 524 (SysWOW64\omsecor.exe), consistent with each stage creating the next. The System32 command line and the SysWOW64 image are the same file seen through WoW64 file-system redirection. Unlike the Windows 7 run, Roaming\omsecor.exe is executed only once here.
Network
The same three domains and addresses as in behavioral1 are contacted over port 80 (lousta.net at 193.166.255.171, mkkuei4kdsz.com at 64.225.91.73, ow5dirasuek.com at 52.34.198.229). The *.in-addr.arpa entries are reverse-DNS (PTR) lookups: 73.91.225.64 and 229.198.34.52 correspond to 64.225.91.73 and 52.34.198.229, while the others match no address the sample connected to in this report. The tse1.mm.bing.net connections on 443 are typical Windows 10 background traffic and are not attributed to the sample by anything else in this report.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2772-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6f8e7c9deadd900e11ca84f973365491 |
| SHA1 | 074fa5bd97fe995305e91946bcd92d4e676c78dc |
| SHA256 | 4d7b794a97e04f7e15b8ce1fb43cfa23b22c1211f18779af075d9de513f18dd0 |
| SHA512 | ea263fe4d6aee3ac9a7eb948a4c2c8618dad795bfd5c426466a49edc84ad4c8aa85de70a534ee07c9f25c5a1ea997991bd56509e8ebd5c018cc195a2533dc517 |
memory/2772-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1644-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1644-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | b1ef11fed0240b19f8e4070257b7a2c1 |
| SHA1 | 8545155b6617baf989baaf3e378836732a8ac965 |
| SHA256 | 4ee174b8ec0e1b06373090d5d546acf7ce02296994126e03fed499e7f3ce84ae |
| SHA512 | b5ed5a4d23cd693b2929fa0e1def849f6095eed32d931b8d32c09fdba644b734a1662d71af940a0b1193ede7af145ff9538374b665718f9fe422af104c2df159 |
memory/1644-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/524-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/524-14-0x0000000000400000-0x000000000043E000-memory.dmp
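The two runs agree on the dropped file names, the registry key and the three contacted domains and addresses, and differ only in the hashes of the dropped copies. Folding those into one indicator set and matching it against endpoint telemetry is the usual next step. The script below does that as an added example that is not part of this report: the Sysmon-style events, the indicator tables and the helpers match_event and scan are this example's own, with the events constructed here rather than taken from the sandbox. Paths are matched with the profile name wildcarded and with System32 accepted beside SysWOW64, because the report shows omsecor.exe launched with a System32 path but running from SysWOW64.

```python
import re
from typing import Dict, List, Tuple

# SHA-256 values copied from the Files sections of this report (MD5/SHA-1 omitted).
IOC_SHA256 = {
    "8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548": "submitted sample",
    "4d7b794a97e04f7e15b8ce1fb43cfa23b22c1211f18779af075d9de513f18dd0": "Roaming omsecor.exe, first write (both runs)",
    "0d5e08c2f767c340310484b77a0d40131f05340e6b207d85bc02adeb1b2ea824": "Roaming omsecor.exe, second write (win7 run)",
    "698d4c0db82173c6f8ee46c63fa7d84b49b39cc870ec368cc1428ae8ad2f8cb8": "SysWOW64 omsecor.exe (win7 run)",
    "4ee174b8ec0e1b06373090d5d546acf7ce02296994126e03fed499e7f3ce84ae": "SysWOW64 omsecor.exe (win10 run)",
}
IOC_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
IOC_IPS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}
# File paths from the report. The profile name is wildcarded and System32 is accepted
# next to SysWOW64, since the report shows the process launched via a System32 path
# but running from SysWOW64 (WoW64 redirection).
IOC_PATHS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$"),
    re.compile(r"^c:\\windows\\(?:syswow64|system32)\\omsecor\.exe$"),
    re.compile(r"^c:\\windows\\(?:syswow64|system32)\\merocz\.xc6$"),
]

Hit = Tuple[str, str]


def _sha256_from_sysmon_hashes(field: str) -> str:
    """Sysmon stores hashes as 'SHA256=...,MD5=...'; return the SHA-256 lower-cased."""
    for part in field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def match_event(ev: Dict[str, str]) -> List[Hit]:
    """Return the (indicator_type, value) pairs an event matches, in a fixed order:
    paths (Image, then TargetFilename), hash, DNS query name, destination IP."""
    hits: List[Hit] = []
    for key in ("Image", "TargetFilename"):
        path = ev.get(key, "")
        if path and any(rx.match(path.lower()) for rx in IOC_PATHS):
            hits.append(("path", path))
    digest = _sha256_from_sysmon_hashes(ev.get("Hashes", ""))
    if digest in IOC_SHA256:
        hits.append(("sha256", digest))
    qname = ev.get("QueryName", "").lower().rstrip(".")
    if qname in IOC_DOMAINS:
        hits.append(("domain", qname))
    dst = ev.get("DestinationIp", "")
    if dst in IOC_IPS:
        hits.append(("ip", dst))
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str, List[Hit]]]:
    """Scan a list of events and return (index, EventID, hits) for each one that matched."""
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results.append((i, ev.get("EventID", "?"), hits))
    return results


# Constructed Sysmon-style events for demonstration; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": "1", "Image": r"C:\Users\bob\AppData\Roaming\omsecor.exe",
     "ParentImage": r"C:\Users\bob\Downloads\invoice.exe",
     "Hashes": "SHA256=4D7B794A97E04F7E15B8CE1FB43CFA23B22C1211F18779AF075D9DE513F18DD0"},
    {"EventID": "11", "Image": r"C:\Windows\SysWOW64\omsecor.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\merocz.xc6"},
    {"EventID": "22", "Image": r"C:\Users\bob\AppData\Roaming\omsecor.exe", "QueryName": "lousta.net."},
    {"EventID": "3", "Image": r"C:\Windows\SysWOW64\omsecor.exe",
     "DestinationIp": "64.225.91.73", "DestinationPort": "80"},
    {"EventID": "22", "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "tse1.mm.bing.net"},
    {"EventID": "11", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Documents\notes.txt"},
]

if __name__ == "__main__":
    for idx, event_id, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx} (Sysmon {event_id}): {hits}")
```

The bing.net query is left out of the indicator set on purpose; matching on it would alert on ordinary Windows 10 background traffic. Hashes are only useful for the exact copies seen here, since the SysWOW64 copy differed between the two runs; the path and domain indicators are the ones that carry over.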