Analysis Overview
SHA256
8a95929f6c5466eeb267fe7d5d1eb393cfe383e55eef73a8ad920695a5a7c29f
Threat Level: Known bad
The file ea8b76c118c419c26149792ca6b19490N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 08:48
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 08:48
Reported
2024-08-17 08:50
Platform
win7-20240705-en
Max time kernel
116s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe
"C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2260-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7af01d9c698e7985c1700dd82f184e69 |
| SHA1 | 08074056d94d56a85eded112e54dd71ba960fce7 |
| SHA256 | b8c452e341e9886961879071da662877c2d8e49c719bdd0e3a3aaf1e9f392ec4 |
| SHA512 | 6d5b8e3bd4e2e5dbf57caa8b0fde96bfbc285c5338bb05703202e7e91787ae548e24c250a14e9f729c6249745fe44c10c290b7862137f206b09f43600a8a297e |
memory/2260-4-0x0000000000220000-0x000000000025E000-memory.dmp
memory/2260-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/692-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/692-13-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 65b11e918e005a4207950935d28ebd73 |
| SHA1 | 3b4a476943053b557dbcf4b1d47e8b1c193956cf |
| SHA256 | 72fdc1e617ffa368955540eac79389797cdb27c326196c29fc4aa8e133a7a423 |
| SHA512 | c48e066fdd5a0ec678c206ad86d054fbc64bccaeef30049fb0634d3b1c76b28ff5ef6093470dfa378b30bf6313377a267b3ec58c664943e0f9fddc2f1006d001 |
memory/692-24-0x0000000000280000-0x00000000002BE000-memory.dmp
memory/2864-27-0x0000000000400000-0x000000000043E000-memory.dmp
memory/692-26-0x0000000000400000-0x000000000043E000-memory.dmp
memory/692-23-0x0000000000280000-0x00000000002BE000-memory.dmp
memory/2864-29-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 08:48
Reported
2024-08-17 08:50
Platform
win10v2004-20240802-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3392 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3392 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3392 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2140 wrote to memory of 3576 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2140 wrote to memory of 3576 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2140 wrote to memory of 3576 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe
"C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/3392-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2140-4-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7af01d9c698e7985c1700dd82f184e69 |
| SHA1 | 08074056d94d56a85eded112e54dd71ba960fce7 |
| SHA256 | b8c452e341e9886961879071da662877c2d8e49c719bdd0e3a3aaf1e9f392ec4 |
| SHA512 | 6d5b8e3bd4e2e5dbf57caa8b0fde96bfbc285c5338bb05703202e7e91787ae548e24c250a14e9f729c6249745fe44c10c290b7862137f206b09f43600a8a297e |
memory/3392-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2140-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 52d93958281ac1bb435e14f0ddc2266f |
| SHA1 | 0a708a31f0e39c2a87bc4c43440344f2182f50a6 |
| SHA256 | 969d9d97da36d30c7f30ca3ae26580decb152ef56c69500b5c8afad111482312 |
| SHA512 | 4753c7790aa8080efe7eb79c8464e767b3d70aa74ae0289a6885b49e9db4ea4303ed4262e7f5b06bb733a60c7f1580f0d16c8242d8197d78271a7ca40cc7b05e |
memory/3576-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2140-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3576-14-0x0000000000400000-0x000000000043E000-memory.dmp