Analysis Overview
SHA256
b52bb4ee064ab8113feed2474060b6a6af169a80cd7f318d0e36d822ce9a19b4
Threat Level: Known bad
The file a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 04:43
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 04:43
Reported
2024-08-17 04:46
Platform
win7-20240704-en
Max time kernel
114s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe | "C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2704-1-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b8687d7c0e82a564f1bd02cd3b3c1445 |
| SHA1 | 9b7d6ffc5d674ab9b7a11ea69e7dd1df44f787f3 |
| SHA256 | 6417cbc82d970424eea8b85c0edacc750f07fddc69ab478425418ddd52711c51 |
| SHA512 | 9116202eb4de4aa013f5fef567d6df97a610f1d3a6c06cd317f641522ba2d7a91425257f902a892731b3d2829df8a8d4c0af311839cbb863f5e018836864454d |
memory/2780-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2704-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2780-12-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | f43b4c857403d2fc5c4948fa6905d751 |
| SHA1 | 39b5a331e848100b70e861590119c5ec4c33f568 |
| SHA256 | 3a55976b1a21102c3872fea5cd017cc4f5d274dbbf59e4b59858916699d7c15c |
| SHA512 | b9c42505fbbb1b6d55a37118e8b24ecc8be6dc705507b1af00d03403978c8ccb3a048f88f509caf705bf2198b8c2322e4ab9085261b4dc1aa509d29a9fbf848c |
memory/2780-17-0x0000000000330000-0x000000000036E000-memory.dmp
memory/2780-23-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1244-29-0x0000000000220000-0x000000000025E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 99473d0f396a7891c3a19db9c1fff76c |
| SHA1 | 678a2d6779eb05d5709fe9c1724699acca05704b |
| SHA256 | 03090b2b333b7b03ed139e931f11a58cba92f7b74c8304192ee775f87b8804c2 |
| SHA512 | a727387465f27dd78fe8d91792489fc26122954ae36d0d1a308dbed7de0f9714c39e7a47e0ea3e9e1792e93b7216cbfd827edc770fc1fc53e3dbaa3fc854e335 |
memory/1244-34-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2780-37-0x0000000000330000-0x000000000036E000-memory.dmp
memory/1544-38-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 04:43
Reported
2024-08-17 04:46
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe | "C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
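The two Network tables above (behavioral1 and behavioral2) mix three kinds of rows: the sample's own contacts (lousta.net, mkkuei4kdsz.com, ow5dirasuek.com, all plain HTTP on port 80), the resolver traffic that precedes them, and Windows 10 guest chatter that only appears in the win10v2004 run (tse1.mm.bing.net and the in-addr.arpa reverse lookups, which the OS issues for peers it has just talked to, including 64.225.91.73 and 52.34.198.229). The script below, an added example and not part of the sandbox output, sorts the rows into those buckets and emits only the indicators worth blocking. ROWS is copied from the report with duplicate connections trimmed; the resolver address and the "OS background" suffix list are my own assumptions about the guest, not anything the report states.

```python
"""Split a sandbox network table into C2 candidates and detonation noise.

Added example; not part of the sandbox report. ROWS is copied from the
behavioral1/behavioral2 Network tables (duplicates trimmed). The noise
rules are my own assumptions about what a Windows guest does on its own.
"""
from collections import defaultdict

# Constructed from the report: (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "lousta.net", "udp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "mkkuei4kdsz.com", "udp"),
    ("US", "64.225.91.73:80", "mkkuei4kdsz.com", "tcp"),
    ("US", "8.8.8.8:53", "73.91.225.64.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "ow5dirasuek.com", "udp"),
    ("US", "52.34.198.229:80", "ow5dirasuek.com", "tcp"),
    ("US", "8.8.8.8:53", "229.198.34.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
]

# Assumptions: the guest's configured resolver, and host names the OS
# contacts on its own without any malware involvement.
RESOLVERS = {"8.8.8.8"}
OS_BACKGROUND_SUFFIXES = (".bing.net",)


def split_dest(dest):
    """'1.2.3.4:80' -> ('1.2.3.4', 80)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def ptr_to_ip(name):
    """Reverse-DNS name -> dotted IPv4: '73.91.225.64.in-addr.arpa' -> '64.225.91.73'."""
    labels = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def classify(row):
    _, dest, domain, proto = row
    ip, port = split_dest(dest)
    if domain.endswith(".in-addr.arpa"):
        return "ptr_lookup"        # OS reverse-resolving peers it just talked to
    if ip in RESOLVERS and port == 53 and proto == "udp":
        return "dns_query"         # the resolution step, not the contact itself
    if domain.endswith(OS_BACKGROUND_SUFFIXES):
        return "os_background"     # Win10 guest chatter; absent from the Win7 run
    return "c2_candidate"


def triage(rows):
    """bucket name -> sorted unique rows."""
    buckets = defaultdict(set)
    for row in rows:
        buckets[classify(row)].add(row)
    return {k: sorted(v) for k, v in buckets.items()}


def c2_indicators(rows):
    """Unique (domain, ip, port) triples for blocking or hunting."""
    out = set()
    for row in rows:
        if classify(row) == "c2_candidate":
            ip, port = split_dest(row[1])
            out.add((row[2], ip, port))
    return sorted(out)


def ptr_overlap(rows):
    """C2 IPs the guest also reverse-resolved: a second, DNS-only sighting of the same peer."""
    c2_ips = {ip for _, ip, _ in c2_indicators(rows)}
    ptr_ips = {ptr_to_ip(r[2]) for r in rows if classify(r) == "ptr_lookup"}
    return c2_ips & ptr_ips


if __name__ == "__main__":
    for bucket, rows in sorted(triage(ROWS).items()):
        print(f"{bucket}: {len(rows)} unique rows")
    for domain, ip, port in c2_indicators(ROWS):
        print(f"block {domain} -> {ip}:{port}")
    print("C2 peers also seen via PTR:", sorted(ptr_overlap(ROWS)))
```

The PTR overlap matters for DNS-only telemetry: even where the HTTP session itself is not logged, a reverse lookup for 73.91.225.64.in-addr.arpa is a sign the host reached 64.225.91.73.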
Files
memory/1624-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b8687d7c0e82a564f1bd02cd3b3c1445 |
| SHA1 | 9b7d6ffc5d674ab9b7a11ea69e7dd1df44f787f3 |
| SHA256 | 6417cbc82d970424eea8b85c0edacc750f07fddc69ab478425418ddd52711c51 |
| SHA512 | 9116202eb4de4aa013f5fef567d6df97a610f1d3a6c06cd317f641522ba2d7a91425257f902a892731b3d2829df8a8d4c0af311839cbb863f5e018836864454d |
memory/2076-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1624-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2076-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 8d623de1cb8f6175947dfe02cf64be20 |
| SHA1 | c509821b167517f09bfd553967fc8d5ad926163e |
| SHA256 | 79da132d07b8ffaaa3647f6cee7b9e4d5827edf1fa265ab7540b3693661a0515 |
| SHA512 | 8f81d3aacaabf67c46ce89716f0f004a9bb5aed78d5f79fc85a2fab2e61db1be1bce4b2db5393f672369bea00d460d0637b9886c4de69c7247ebd95cc286d765 |
memory/5092-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2076-13-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e269ad8f57efcd7b0e50e2bc7f1fff0d |
| SHA1 | 6902c1fa01420ab29b55ed5235a1452cff7415e9 |
| SHA256 | 05cfc5e785ef8483338b24a4887479ab156f4d6d81e0ee20c39b38774e36aeb3 |
| SHA512 | f0bab4217be8f56f025d892244ce967dea757c6669b7bba72e218a02ec582d643706b2ae7b3334a58337fcbce1c9017189573252001c1434a6741c147d4daed9 |
memory/5064-18-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5092-17-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5064-20-0x0000000000400000-0x000000000043E000-memory.dmp
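Two details in the Files and Processes sections of both runs deserve a check before the hashes go into a blocklist. First, the initial C:\Users\Admin\AppData\Roaming\omsecor.exe drop has the same SHA256 (6417cbc8…) on Win7 and Win10, but the SysWOW64 copy and the second Roaming copy carry a different hash in every capture, so only the first-stage hash is a stable file IOC; the report does not say how the later copies are altered. Second, the Processes list shows the image C:\Windows\SysWOW64\omsecor.exe launched by a command line naming C:\Windows\System32\omsecor.exe, which is WOW64 file-system redirection at work on a 32-bit dropper, and a hunt rule written only against one of those paths will miss the other. The script below is an added example, not part of the sandbox output: DROPPED is copied from the two Files sections, and the redirection helper and its exception list (taken from the Windows file-system-redirector documentation) are my own.

```python
"""IOC-hardening checks for the dropped omsecor.exe copies in this report.

Added example; not part of the sandbox output. DROPPED is copied from the
behavioral1/behavioral2 Files sections. The WOW64 helpers and the list of
non-redirected System32 subdirectories are my own (the list is an
assumption taken from the Windows file-system-redirector documentation).
"""
from collections import defaultdict

ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed from the report: (run, path, sha256) in Files-section order.
DROPPED = [
    ("behavioral1", ROAMING, "6417cbc82d970424eea8b85c0edacc750f07fddc69ab478425418ddd52711c51"),
    ("behavioral1", SYSWOW64, "3a55976b1a21102c3872fea5cd017cc4f5d274dbbf59e4b59858916699d7c15c"),
    ("behavioral1", ROAMING, "03090b2b333b7b03ed139e931f11a58cba92f7b74c8304192ee775f87b8804c2"),
    ("behavioral2", ROAMING, "6417cbc82d970424eea8b85c0edacc750f07fddc69ab478425418ddd52711c51"),
    ("behavioral2", SYSWOW64, "79da132d07b8ffaaa3647f6cee7b9e4d5827edf1fa265ab7540b3693661a0515"),
    ("behavioral2", ROAMING, "05cfc5e785ef8483338b24a4887479ab156f4d6d81e0ee20c39b38774e36aeb3"),
]


def hashes_by_path(entries):
    """Every distinct SHA256 recorded at each drop location (paths lower-cased)."""
    seen = defaultdict(set)
    for _, path, sha in entries:
        seen[path.lower()].add(sha)
    return {p: sorted(s) for p, s in seen.items()}


def cross_run_stable(entries):
    """Hashes observed in more than one detonation: the only ones worth a hash IOC."""
    runs = defaultdict(set)
    for run, _, sha in entries:
        runs[sha].add(run)
    return {sha for sha, r in runs.items() if len(r) > 1}


# WOW64 file-system redirection: a 32-bit process that writes under
# C:\Windows\System32 actually lands in C:\Windows\SysWOW64, except for
# these subdirectories (assumption: list from the Windows redirector docs).
_NOT_REDIRECTED = ("catroot", "catroot2", "driverstore", r"drivers\etc", "logfiles", "spool")
_SYSTEM32 = "c:\\windows\\system32\\"
_SYSWOW64 = "c:\\windows\\syswow64\\"


def resolve_wow64(path, is_32bit_process):
    """Return the on-disk path a write by this process really produces."""
    low = path.lower()
    if not is_32bit_process or not low.startswith(_SYSTEM32):
        return path
    rest = low[len(_SYSTEM32):]
    if any(rest == ex or rest.startswith(ex + "\\") for ex in _NOT_REDIRECTED):
        return path
    return "C:\\Windows\\SysWOW64\\" + path[len(_SYSTEM32):]


def canonical_system_dir(path):
    """Fold SysWOW64 back onto System32 so one hunt rule covers both bitnesses."""
    low = path.lower()
    if low.startswith(_SYSWOW64):
        return "C:\\Windows\\System32\\" + path[len(_SYSWOW64):]
    return path


if __name__ == "__main__":
    for path, shas in hashes_by_path(DROPPED).items():
        print(f"{path}: {len(shas)} distinct hash(es)")
    print("stable across runs:", sorted(cross_run_stable(DROPPED)))
    print(resolve_wow64(r"C:\Windows\System32\omsecor.exe", is_32bit_process=True))
    print(canonical_system_dir(SYSWOW64))
```

When writing the rule, match on the canonical path (System32\omsecor.exe) after folding, and pair it with the stable first-stage hash or with the constant 0x3E000-byte image size visible in every memory dump above rather than with the per-copy hashes.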