Analysis Overview
SHA256
76036422f9f5b756afea657bf47145b8c9066c9cea2702aad71dea8438427060
Threat Level: Known bad
The file b18e6c53480f6ba4d9b5abf737cf1b80N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 04:42
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 04:42
Reported
2024-08-17 04:44
Platform
win7-20240705-en
Max time kernel
115s
Max time network
119s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | "C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
The third process is launched with the command line C:\Windows\System32\omsecor.exe but its image is C:\Windows\SysWOW64\omsecor.exe: the sample is a 32-bit executable (loaded at 0x400000, landing in SysWOW64), so WoW64 file system redirection maps its System32 write and launch to SysWOW64. That is why the "Drops file in System32 directory" indicator above records the SysWOW64 path.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2504-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e1e6e6524ab0872df56a8f554dd93f65 |
| SHA1 | 37c8a81e258b30001cfde773f567d2f97a1da1c3 |
| SHA256 | 34f483c66e6f2f18b32642f5a17689bde221f091ef7e9721cb8114e741fd2544 |
| SHA512 | 3af36f59f4d9299816d35e16039da66e7cbaf0060390b2273f17f263cc19236da6396a2bca343fbda82f9e79502f11dac0bae6f90c202505d7eb4b2c6ce3dcfe |
memory/2524-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2504-9-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2524-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2524-15-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2524-20-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2524-23-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | fd57fca63d7ac28b2f05ece372c0d2ae |
| SHA1 | 95409672d14149ca746bb2d211e315d15f5611e5 |
| SHA256 | 1556c52ab948ddd8a2564db6d52ab198a21c716243a1065b3bc8bbff7e7c8ee6 |
| SHA512 | 815c94871b2a39fc789fe2e5168847711169627dbd92137372921e7265c945053573a85be37399c5cf54307f478783010964bbf962928565ef056f866649517f |
memory/2524-30-0x0000000000380000-0x00000000003AD000-memory.dmp
memory/2524-34-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2668-38-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2524-33-0x0000000000380000-0x00000000003AD000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 684eba0ffb6421fd24e7916d61080b74 |
| SHA1 | 3134d4e6a0960f280fd27c884bb8c4807db7a03f |
| SHA256 | a75080c952e307ea0338c843ae06827638d4afc2df995eaf8501b4e6cd0c0ac8 |
| SHA512 | e61c048b864fbb1c26f0b3336479c0e98be6637425a77b972a16449e22ecc264bd6ac0cd9e95b9212a7a5f190c97966da62aada3ca40fdda40d6561a98d6dc16 |
memory/352-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/352-49-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 04:42
Reported
2024-08-17 04:44
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
119s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | "C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3880,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8 |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/4820-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e1e6e6524ab0872df56a8f554dd93f65 |
| SHA1 | 37c8a81e258b30001cfde773f567d2f97a1da1c3 |
| SHA256 | 34f483c66e6f2f18b32642f5a17689bde221f091ef7e9721cb8114e741fd2544 |
| SHA512 | 3af36f59f4d9299816d35e16039da66e7cbaf0060390b2273f17f263cc19236da6396a2bca343fbda82f9e79502f11dac0bae6f90c202505d7eb4b2c6ce3dcfe |
memory/4548-5-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4820-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4548-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4548-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4548-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4548-14-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 4ca9edbbcf5ac6b108e60ec59a27dd22 |
| SHA1 | 02fcde65c1bc286ee24cc7d0dccb8fb053f1e19f |
| SHA256 | b410f257261279811bd7173bcd381616497c233d41760f2fe0dd247d7ba9fd05 |
| SHA512 | 5cb979c54b9897b30818c92c0da850226d2b268a703dbb72175a90f3ac3ddb222b8c0a8f901f18144cc0d23aede5a54d0068f20c94a002f0b61ec314a06b7c29 |
memory/3920-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4548-20-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c6c7f659e6f44058728325249cd13f40 |
| SHA1 | 015fc0bd311c1df4209ed68e4ecca8e30f8e9d64 |
| SHA256 | 36ffdb3af2b2c89925b5d8f5da4e1d5d5ba9f01b20c37e32db41d3ecbcca6730 |
| SHA512 | b858fce1f76a98612240ae9d3938c71d560a366a6cc8030b5357e212b43e8c116cc8ae570587b7587acfb7df8ba4193ca9ec57ab0036e20de974901bc9919674 |
memory/3868-27-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3920-26-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3868-29-0x0000000000400000-0x000000000042D000-memory.dmp
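The indicators recorded in the two detonations above (behavioral1 on win7, behavioral2 on win10) translate directly into host and network detection logic. The Python below is an added example and is not part of the sandbox report or of the sample itself: it takes the omsecor.exe drop paths, the C2 domains and addresses, and the dropped-file SHA256 values from the tables above, and runs them over constructed Sysmon-style events (not real telemetry). It treats the in-addr.arpa reverse lookups and the tse1.mm.bing.net traffic seen in behavioral2 as sandbox background noise; that is an assumption based on those connections coming from msedge.exe, which the report lists as a process, rather than from omsecor.exe.

```python
"""IOC matcher built from the omsecor.exe (Neconyd) detonations above.

Added example, not part of the sandbox report. Indicators are copied from the
report's signature, network and file tables; the events at the bottom are
CONSTRUCTED Sysmon-style records, not real telemetry.
"""
import re
from dataclasses import dataclass

# --- Indicators taken from the report ---------------------------------------
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}
# SHA256 of every dropped copy in both runs. Only the first Roaming drop
# (34f483...) repeats across win7 and win10; the SysWOW64 copy and the second
# Roaming copy hash differently in each run, so hash matching alone is weak.
DROPPED_SHA256 = {
    "34f483c66e6f2f18b32642f5a17689bde221f091ef7e9721cb8114e741fd2544",
    "1556c52ab948ddd8a2564db6d52ab198a21c716243a1065b3bc8bbff7e7c8ee6",
    "a75080c952e307ea0338c843ae06827638d4afc2df995eaf8501b4e6cd0c0ac8",
    "b410f257261279811bd7173bcd381616497c233d41760f2fe0dd247d7ba9fd05",
    "36ffdb3af2b2c89925b5d8f5da4e1d5d5ba9f01b20c37e32db41d3ecbcca6730",
}
ROAMING_DROP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$", re.I)
SYSTEM_DROP = re.compile(r"^c:\\windows\\(system32|syswow64)\\omsecor\.exe$", re.I)
# Assumption: reverse lookups and Bing traffic in behavioral2 are sandbox
# background noise from Windows/Edge, not the sample's own activity.
NOISE_DOMAINS = re.compile(r"(\.in-addr\.arpa|\.bing\.net)$", re.I)


@dataclass
class Event:
    kind: str          # "process", "file", "dns" or "connect"
    image: str         # process that generated the event
    target: str = ""   # child image / created file / queried domain / ip:port
    sha256: str = ""   # hash of the child image or created file, if known


@dataclass
class Hit:
    rule: str
    event: Event


def is_sandbox_noise(ev: Event) -> bool:
    """DNS events for names we treat as detonation background traffic."""
    return ev.kind == "dns" and NOISE_DOMAINS.search(ev.target) is not None


def match_event(ev: Event) -> list[Hit]:
    """Apply every rule derived from the report to one event."""
    hits: list[Hit] = []
    if ev.kind == "process" and ROAMING_DROP.match(ev.target):
        hits.append(Hit("omsecor.exe launched from AppData\\Roaming", ev))
    # The report's "Drops file in System32 directory" indicator: the Roaming
    # copy writes omsecor.exe into SysWOW64 (System32 under WoW64 redirection).
    if ev.kind == "file" and SYSTEM_DROP.match(ev.target) and ROAMING_DROP.match(ev.image):
        hits.append(Hit("Roaming omsecor.exe writes omsecor.exe into SysWOW64/System32", ev))
    if ev.kind == "dns" and ev.target.lower() in C2_DOMAINS:
        hits.append(Hit("DNS query for Neconyd C2 domain", ev))
    if ev.kind == "connect" and ev.target.split(":")[0] in C2_IPS:
        hits.append(Hit("TCP connection to Neconyd C2 address", ev))
    if ev.sha256.lower() in DROPPED_SHA256:
        hits.append(Hit("SHA256 matches a dropped omsecor.exe copy", ev))
    return hits


def triage(events: list[Event]) -> list[Hit]:
    """Run the rules over a stream of events, skipping sandbox noise."""
    return [h for ev in events if not is_sandbox_noise(ev) for h in match_event(ev)]


# Constructed sample telemetry modelled on the behavioral1 process tree.
SAMPLE = [
    Event("process", r"C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe",
          r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
          "34f483c66e6f2f18b32642f5a17689bde221f091ef7e9721cb8114e741fd2544"),
    Event("file", r"C:\Users\Admin\AppData\Roaming\omsecor.exe", r"C:\Windows\SysWOW64\omsecor.exe"),
    Event("dns", r"C:\Windows\SysWOW64\omsecor.exe", "lousta.net"),
    Event("connect", r"C:\Windows\SysWOW64\omsecor.exe", "193.166.255.171:80"),
    Event("dns", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "tse1.mm.bing.net"),
    Event("dns", r"C:\Windows\System32\svchost.exe", "73.91.225.64.in-addr.arpa"),
    # Same file name written by a non-Roaming parent: must NOT fire the drop rule.
    Event("file", r"C:\Windows\System32\svchost.exe", r"C:\Windows\SysWOW64\omsecor.exe"),
]

if __name__ == "__main__":
    for h in triage(SAMPLE):
        print(f"{h.rule:<62} {h.event.kind:<8} {h.event.target}")
```

The path-and-parent rule and the network indicators are the durable ones here: across the two runs the first Roaming copy keeps the same SHA256, but both SysWOW64 copies and both second-stage Roaming copies hash differently, so a hash-only blocklist would miss four of the five dropped files. Tighten the noise filter to your own environment before reusing it; the in-addr.arpa and bing.net exclusion exists only to keep this report's sandbox traffic out of the results.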