Analysis Overview
SHA256
8824e5c9aa6d37005f09dab1455e3c05ec690750d0d49a911fee56bceb7fbcbc
Threat Level: Known bad
The file 4cf77acf584456cd3550a67a874ac480N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery (ATT&CK T1614.001)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 08:01
Signatures
Neconyd family
UPX packed file
1 match; no per-event description, indicator, process or target recorded.
Unsigned PE
2 matches; no per-event description, indicator, process or target recorded.
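The two static signatures above, "UPX packed file" and "Unsigned PE", are both answerable from the PE headers alone. The following is an added example (not code from the sandbox or from the sample) of the checks a triage script would run: it parses the COFF and optional headers, reads the section names (stock UPX names them UPX0/UPX1) and tests whether the Certificate Table data directory is populated. The PE image it runs on is constructed in memory for the example and is not a real or loadable binary; the UPX section-name heuristic is defeated by renamed sections, and a populated certificate directory only says a signature blob is present, not that it verifies.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Certificate Table (Authenticode signature blob)
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to read section names and data directories."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32
        n_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:    # PE32+
        n_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    dirs = [struct.unpack_from("<II", data, opt + dirs_off + 8 * i) for i in range(n_dirs)]
    sect = opt + opt_size
    names = []
    for i in range(n_sections):
        raw = data[sect + 40 * i: sect + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "sections": names, "data_directories": dirs}


def looks_upx_packed(info: dict) -> bool:
    """Heuristic: stock UPX names its sections UPX0/UPX1(/UPX2). Renamed sections evade this."""
    return bool({s.upper() for s in info["sections"]} & UPX_SECTION_NAMES)


def has_authenticode_signature(info: dict) -> bool:
    """True if the Certificate Table directory is populated. Presence is not validity:
    the signature still has to be verified against a trusted chain."""
    dirs = info["data_directories"]
    if len(dirs) <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    offset, size = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY]  # this entry is a file offset, not an RVA
    return offset != 0 and size != 0


def build_minimal_pe(section_names, cert_size: int = 0) -> bytes:
    """Constructed PE32 header-only image for testing; it is not loadable or executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew: right after the DOS header
    opt_size = 224                                         # PE32 optional header with 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic (32-bit image)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if cert_size else 0, cert_size)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    for label, image in (("packed", build_minimal_pe(["UPX0", "UPX1", ".rsrc"])),
                         ("signed", build_minimal_pe([".text", ".data"], cert_size=0x800))):
        info = parse_pe(image)
        print(label, info["sections"],
              "upx" if looks_upx_packed(info) else "-",
              "signed" if has_authenticode_signature(info) else "unsigned")
```

On a real file, read the bytes from disk and pass them to parse_pe; the constructed images only exist so the checks can be exercised offline. A sample that passes looks_upx_packed should be unpacked (or dumped from memory, as the 0x400000 regions under Files below were) before any further static work, since the packed sections carry no usable imports or strings.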
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 08:01
Reported
2024-08-17 08:03
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
15 matches; no per-event description, indicator, process or target recorded.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe | "C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
The third process is launched with a System32 command line but its image lives in SysWOW64: the sample is a 32-bit PE, so on 64-bit Windows WoW64 file-system redirection maps its System32 writes and launches to SysWOW64. Hunt for the dropped copy under both directory names.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/1504-9-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e42f9e1e9ff4b9376f8e885535faeadf |
| SHA1 | c0e508f2bc1f6653bd7e7bbd7b336c9c3bc811b8 |
| SHA256 | 106cfb986f4f128d2111e93a5b036690140db107b7e3628717f545367fd74e07 |
| SHA512 | b564d1e36b5c9f46ca037d5299a8fea155e168d9587344b197ebbd837fd4543fc6fef9819fcf12c022275f126c631df462b9ba3a21e5f1fab7c82df56236612c |
memory/2460-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1504-0-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2460-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2460-17-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2460-20-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2460-23-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 96f5bc3d4ac2a89e92bbed598deef04f |
| SHA1 | a46c68d2d9c43576105c9a0e1d19bd698a1d785c |
| SHA256 | fa584ba5a4dd11068d2c611b175ed3a90c09ed953bd9ad9871764a9a3111ace0 |
| SHA512 | 4075ba7d130e522625315a36965c4847c1b73ff73735fef3d4ae92509993d5ab882b5e0c2aa54a49ece99b130f6907d1e11a4a626dcc2e743a2ea6be7e3d3c9e |
memory/2460-33-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1988-37-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2460-27-0x0000000000280000-0x00000000002AD000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 09046f66ea3cc742375d41254a7c0016 |
| SHA1 | f69eec58e732cf7a573d5188b65548b7de2c7b0a |
| SHA256 | 99d920424e50fdc446e09956bde005ba9dba2e7ffeccadae249c0bc22c249be9 |
| SHA512 | f4941c7cfeb859687f46c579421e9ff14e3c88a5cc5e5da2a88f0d78c85850f29e1be131998088878a510c4a13e421e910ad41f0e0101b6d5beb2a4f6c26a862 |
memory/1988-46-0x00000000002A0000-0x00000000002CD000-memory.dmp
memory/1988-44-0x00000000002A0000-0x00000000002CD000-memory.dmp
memory/2416-49-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 08:01
Reported
2024-08-17 08:03
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
12 matches; no per-event description, indicator, process or target recorded.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4380 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4380 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4380 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3964 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3964 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3964 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
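The behaviour recorded above is a three-stage chain: the Temp sample drops and launches %APPDATA%\omsecor.exe (PID 4380 writing into 3964), which in turn drops and launches C:\Windows\SysWOW64\omsecor.exe (3964 writing into 2696), and the SysWOW64 copy then creates merocz.xc6 beside itself. The dropped copies do not share a hash (the Roaming copy is MD5 e42f9e1e9ff4b9376f8e885535faeadf in both runs, but the SysWOW64 copy is 96f5bc3d4ac2a89e92bbed598deef04f in behavioral1 and 7c7f104e56ca4ffe8c28c16d16bb546b in behavioral2), so hash-based IOCs are unreliable for this sample. The following added example (not the sandbox's code, and not anything from the sample) shows detection logic that keys on paths and the parent/child relationship instead, run over constructed Sysmon-style events (IDs 1, 10 and 11 are real Sysmon event types; the PIDs mirror the behavioral2 run but the records themselves are synthetic). The GrantedAccess mask test and the "taint propagates to children" rule are the example's own design choices.

```python
import re

# Sysmon event IDs used below (real Sysmon numbering):
#   1 = process create, 10 = process access, 11 = file create.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
PROCESS_VM_OPERATION = 0x0008  # access rights WriteProcessMemory needs on the target
PROCESS_VM_WRITE = 0x0020

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe"
ROAMING_EXE = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW_EXE = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events modelled on the behavioral2 run (PIDs 4380 -> 3964 -> 2696),
# plus two benign records. Synthetic data for this example, not the sandbox's log.
EVENTS = [
    {"EventID": 1, "ProcessId": 4380, "Image": TEMP_EXE,
     "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 4380, "Image": TEMP_EXE, "TargetFilename": ROAMING_EXE},
    {"EventID": 1, "ProcessId": 3964, "Image": ROAMING_EXE,
     "ParentProcessId": 4380, "ParentImage": TEMP_EXE},
    {"EventID": 10, "SourceProcessId": 4380, "SourceImage": TEMP_EXE,
     "TargetProcessId": 3964, "TargetImage": ROAMING_EXE, "GrantedAccess": 0x1FFFFF},
    {"EventID": 11, "ProcessId": 3964, "Image": ROAMING_EXE, "TargetFilename": SYSWOW_EXE},
    {"EventID": 1, "ProcessId": 2696, "Image": SYSWOW_EXE,
     "ParentProcessId": 3964, "ParentImage": ROAMING_EXE},
    {"EventID": 10, "SourceProcessId": 3964, "SourceImage": ROAMING_EXE,
     "TargetProcessId": 2696, "TargetImage": SYSWOW_EXE, "GrantedAccess": 0x1FFFFF},
    {"EventID": 11, "ProcessId": 2696, "Image": SYSWOW_EXE,
     "TargetFilename": r"C:\Windows\SysWOW64\merocz.xc6"},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 5100, "Image": r"C:\Program Files\Vendor\update.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},
]


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def detect(events):
    """Return (rule, pid, detail) alerts in event order.

    Taint starts at any process whose image lives under AppData and propagates to
    its children, so the SysWOW64 copy is still caught even though its own path
    looks like a legitimate system binary."""
    tainted = {}   # pid -> why it is tainted
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            pid, ppid, image = ev["ProcessId"], ev["ParentProcessId"], ev["Image"]
            if is_user_writable(image):
                tainted[pid] = "image under AppData"
            elif ppid in tainted:
                tainted[pid] = f"child of tainted pid {ppid}"
            if pid in tainted and ppid in tainted:
                alerts.append(("suspicious_process_chain", pid, image))
        elif eid == 11:
            pid = ev["ProcessId"]
            if SYSTEM_DIRS.match(ev["TargetFilename"]) and (
                    pid in tainted or is_user_writable(ev["Image"])):
                alerts.append(("system_dir_write", pid, ev["TargetFilename"]))
        elif eid == 10:
            src, dst = ev["SourceProcessId"], ev["TargetProcessId"]
            wants_write = ev["GrantedAccess"] & (PROCESS_VM_OPERATION | PROCESS_VM_WRITE)
            if src in tainted and src != dst and wants_write:
                alerts.append(("cross_process_write", src, ev["TargetImage"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

The initial launch from Temp by explorer.exe deliberately does not alert on its own (user-run downloads would drown the rule); the first alert fires when a tainted process spawns a second AppData-resident process, and everything downstream of that chain, including the write of merocz.xc6 by the SysWOW64 copy, inherits the taint. The two benign records (notepad from explorer, a Program Files updater touching the hosts file) produce nothing.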
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe | "C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
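Both runs contact the same three domains over plain HTTP (lousta.net repeatedly, plus mkkuei4kdsz.com and ow5dirasuek.com once each), but the table also carries traffic that is not the sample's: the in-addr.arpa rows are the sandbox resolver's reverse lookups of peer addresses, and tse1.mm.bing.net is Windows 10 background traffic. The following added example (not the sandbox's code) consolidates the rows from the two network tables into network IOCs and emits Suricata DNS rules for them. The noise allowlist, the resolver list and the local sid range are this example's assumptions; the rows are a subset transcribed from the tables above.

```python
from collections import defaultdict

# Rows transcribed from the behavioral1 and behavioral2 network tables (country, dest, domain, proto).
OBSERVED = [
    ("US", "8.8.8.8:53", "lousta.net", "udp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "8.8.8.8:53", "mkkuei4kdsz.com", "udp"),
    ("US", "64.225.91.73:80", "mkkuei4kdsz.com", "tcp"),
    ("US", "8.8.8.8:53", "ow5dirasuek.com", "udp"),
    ("US", "52.34.198.229:80", "ow5dirasuek.com", "tcp"),
    ("US", "8.8.8.8:53", "20.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "229.198.34.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
]

SANDBOX_NOISE = {"tse1.mm.bing.net"}  # assumption: OS background traffic seen in this sandbox image
RESOLVERS = {"8.8.8.8"}               # assumption: the sandbox's DNS resolver, never a C2 endpoint
LOCAL_SID_BASE = 1000001              # assumption: local Suricata sid range


def consolidate(rows, noise=SANDBOX_NOISE, resolvers=RESOLVERS):
    """Map each contacted domain to the peer IPs and ports it resolved to, dropping
    reverse lookups, known background traffic and the resolver itself."""
    iocs = defaultdict(lambda: {"ips": set(), "ports": set(), "hits": 0})
    for _country, dest, domain, proto in rows:
        d = domain.lower()
        if d.endswith(".in-addr.arpa") or d.endswith(".ip6.arpa"):
            continue  # PTR queries made by the sandbox, not by the sample
        if d in noise:
            continue
        ip, port = dest.rsplit(":", 1)
        entry = iocs[d]
        entry["hits"] += 1
        if ip in resolvers and proto == "udp" and port == "53":
            continue  # the lookup counts as a hit, but the resolver is not an indicator
        entry["ips"].add(ip)
        entry["ports"].add(int(port))
    return dict(iocs)


def ip_blocklist(iocs):
    return sorted({ip for entry in iocs.values() for ip in entry["ips"]})


def suricata_dns_rules(iocs, family="Neconyd", sid_base=LOCAL_SID_BASE):
    """One DNS-query rule per domain; domains outlive the IPs they point at."""
    rules = []
    for i, domain in enumerate(sorted(iocs)):
        rules.append(
            f'alert dns any any -> any any (msg:"{family} lookup {domain}"; '
            f'dns.query; content:"{domain}"; nocase; sid:{sid_base + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    iocs = consolidate(OBSERVED)
    for domain, entry in sorted(iocs.items()):
        print(domain, sorted(entry["ips"]), sorted(entry["ports"]), f"hits={entry['hits']}")
    print(*suricata_dns_rules(iocs), sep="\n")
```

Rank the domain rules above the IP list when deploying: the three domains are what the sample asks for, while the addresses were whatever they resolved to on 2024-08-17 and can be rotated without touching the binary. The HTTP request bodies on port 80 are not recorded in this report, so no content-based rule can be derived from it.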
Files
memory/4380-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e42f9e1e9ff4b9376f8e885535faeadf |
| SHA1 | c0e508f2bc1f6653bd7e7bbd7b336c9c3bc811b8 |
| SHA256 | 106cfb986f4f128d2111e93a5b036690140db107b7e3628717f545367fd74e07 |
| SHA512 | b564d1e36b5c9f46ca037d5299a8fea155e168d9587344b197ebbd837fd4543fc6fef9819fcf12c022275f126c631df462b9ba3a21e5f1fab7c82df56236612c |
memory/4380-5-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3964-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3964-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3964-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3964-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3964-15-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 7c7f104e56ca4ffe8c28c16d16bb546b |
| SHA1 | 914f7e78bb54dc3d01d4f3b781704ca13c642712 |
| SHA256 | 563ea94babed33717d8e4457be108ef5562ab28d07750c28e60951a02726c8bc |
| SHA512 | f4ea7032db0b3008caf058063f7d7875b43d823baf626d619dbc5bf0340d2759da37a0eef8eb1c81645bd3107f4cf3965b17901370048af7356cce3a7753b167 |
memory/2696-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3964-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2696-22-0x0000000000400000-0x000000000042D000-memory.dmp