Analysis Overview
SHA256
ec641aca9f93d2df3c8f5595e5f7a9047754f1acfde0c51d446fc8bc56255c0e
Threat Level: Known bad
The file 0a797fda9c5686f35bc55e150c12fd50N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-17 10:09
Signatures
Neconyd family
UPX packed file: 1 match (no indicator detail recorded)
Unsigned PE: 1 match (no indicator detail recorded)
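The two static verdicts above, "UPX packed file" and "Unsigned PE", come from header checks that are easy to reproduce. The Python below is an added example, not the sandbox's own code and not run on the sample from this page: it builds a constructed minimal PE32 header (a hypothetical file, not the sample's bytes) and applies the two checks, section names beginning with UPX and an empty security data directory (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4, which holds the embedded Authenticode certificate table). `build_pe`, `parse_pe` and `static_triage` are names chosen for the example.

```python
import struct

UPX_PREFIX = "UPX"   # UPX0/UPX1/UPX2 section names are what the "UPX packed file" signature keys on
SECURITY_DIR = 4     # IMAGE_DIRECTORY_ENTRY_SECURITY: embedded Authenticode certificate table


def build_pe(section_names, cert_size=0):
    """Constructed minimal PE32 header: DOS stub, PE signature, COFF header, optional
    header with 16 data directories, section table. Not the sample on this page;
    only the fields the checks below read are meaningful."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew: PE header at offset 64
    opt_size = 96 + 16 * 8                                    # PE32 optional header incl. 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + SECURITY_DIR * 8, 0, cert_size)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0xE0000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return section names and the size of the security directory of a PE32/PE32+ blob."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt_off + ndirs_off)[0]
    cert_size = 0
    if ndirs > SECURITY_DIR:
        _, cert_size = struct.unpack_from("<II", data, opt_off + dirs_off + SECURITY_DIR * 8)
    sec_off = opt_off + opt_size                              # section table follows the optional header
    names = [struct.unpack_from("<8s", data, sec_off + 40 * i)[0].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsec)]
    return {"sections": names, "cert_size": cert_size}


def static_triage(data):
    info = parse_pe(data)
    return {
        "sections": info["sections"],
        "upx_packed": any(n.upper().startswith(UPX_PREFIX) for n in info["sections"]),
        "unsigned": info["cert_size"] == 0,                   # no embedded certificate table at all
    }


if __name__ == "__main__":
    print(static_triage(build_pe(["UPX0", "UPX1", ".rsrc"])))
    print(static_triage(build_pe([".text", ".data"], cert_size=0x1800)))
```

Two caveats a practitioner should keep in mind: UPX can be built or post-processed with renamed sections, so the absence of UPX section names does not prove the file is unpacked, and the entry-point section's high entropy is the better tell; and a non-empty security directory only means a signature blob is present, not that it verifies, while catalog-signed Windows binaries carry no embedded certificate at all, so "unsigned" here means "no embedded Authenticode", nothing more.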
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-17 10:09
Reported: 2024-08-17 10:11
Platform: win7-20240704-en
Max time kernel: 115s
Max time network: 118s
Command Line: (empty)
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file: 12 matches (no indicator detail recorded)
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe | N/A |
Suspicious use of WriteProcessMemory (no indicator detail recorded for this run)
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe | "C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note: the third process is launched with a System32 path but its image resolves to SysWOW64. For a 32-bit process, WOW64 file-system redirection maps C:\Windows\System32 to C:\Windows\SysWOW64, so the file dropped into SysWOW64 (see "Drops file in System32 directory" above) is the one that runs.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2400-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2400-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2300-11-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ffa946d3f505cc7630b057cebc518b80 |
| SHA1 | 23527f9c6d03122864cea46adde43df16e503bcd |
| SHA256 | 8b688f0d94a43e8115c7e0cee2f0e6b229c760b12b70b91d803599020a8e5504 |
| SHA512 | 877baf971a3a3ee04efae3a8e63cbbf9cf996656d78cc7687ac098bf33be1fa5e5b08351780ec0e20798c49ff7eca78cf947ccc0fb2d79f1d757678979ba63cd |
memory/2300-12-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 91a4c62e64847fbbe1894e5ee0e8436f |
| SHA1 | 2b7d2839ef90a747b1d0030786bd969708523f35 |
| SHA256 | 542dd86b9128198fcf81a1066aeb9c02d7057e569f28761a88e68c0e30285378 |
| SHA512 | 7721e045afaab17754d278df899f35b7615175a6023d7044b46fd356b6a2c87cd08abc3096a2df5d8ee645b43e58a4a01c115f3ab8b6c0ecfd13326bdb0385e5 |
memory/2300-24-0x0000000000400000-0x000000000043E000-memory.dmp
memory/684-26-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2300-23-0x0000000000390000-0x00000000003CE000-memory.dmp
memory/2300-22-0x0000000000390000-0x00000000003CE000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e9ad2b129c9dd2c3bc002526ef3704c1 |
| SHA1 | 4c3270663731d6fd348add9c32ab2d77d1a99cf6 |
| SHA256 | 7049cccfa0be2afd75f67b327c37490b8e2f02056a8a8d51f6e92000f89b1e86 |
| SHA512 | 7ce45ae6a2032137c9fb6e849dc832d7559fc95b49f57abebf0d94c89ddb953cfef82c26ff4383ee1e10457d94dc620156f6091193acde42fe513f6ef783642f |
memory/684-30-0x0000000000220000-0x000000000025E000-memory.dmp
memory/684-37-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3016-39-0x0000000000400000-0x000000000043E000-memory.dmp
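The dump names listed under Files encode the process ID, a capture sequence number and the start and end address of the dumped region, so they can be read without opening a single dump. The Python below is an added example, not the sandbox's tooling: it parses the behavioral1 dump names copied from this page, groups regions per process, and flags regions that sit away from the image base but are exactly the image's size. The name layout is read off the listed names; the 32-bit default image base 0x400000 is an assumption that happens to match every process's first region here; and the "staged copy" reading of such regions is an analyst heuristic, not a sandbox finding.

```python
import re
from collections import defaultdict

# Dump names as listed under "Files" for behavioral1 on this page.
DUMPS = [
    "memory/2400-0-0x0000000000400000-0x000000000043E000-memory.dmp",
    "memory/2400-8-0x0000000000400000-0x000000000043E000-memory.dmp",
    "memory/2300-11-0x0000000000400000-0x000000000043E000-memory.dmp",
    "memory/2300-12-0x0000000000400000-0x000000000043E000-memory.dmp",
    "memory/2300-24-0x0000000000400000-0x000000000043E000-memory.dmp",
    "memory/684-26-0x0000000000400000-0x000000000043E000-memory.dmp",
    "memory/2300-23-0x0000000000390000-0x00000000003CE000-memory.dmp",
    "memory/2300-22-0x0000000000390000-0x00000000003CE000-memory.dmp",
    "memory/684-30-0x0000000000220000-0x000000000025E000-memory.dmp",
    "memory/684-37-0x0000000000400000-0x000000000043E000-memory.dmp",
    "memory/3016-39-0x0000000000400000-0x000000000043E000-memory.dmp",
]

IMAGE_BASE = 0x400000   # assumption: default 32-bit image base; matches each PID's first region above

# Layout read off the names: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("unrecognised dump name: %s" % name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """pid -> dumped regions, in capture order (by sequence number)."""
    out = defaultdict(list)
    for name in names:
        region = parse_dump_name(name)
        out[region["pid"]].append(region)
    for regions in out.values():
        regions.sort(key=lambda r: r["seq"])
    return dict(out)


def staged_image_copies(names, image_base=IMAGE_BASE):
    """Regions not at the image base whose size equals that process's mapped image.
    Heuristic: such a region in a process that later writes into a child is a candidate
    in-memory copy of the payload and worth diffing against the image dump."""
    findings = []
    for pid, regions in regions_by_pid(names).items():
        image = next((r for r in regions if r["start"] == image_base), None)
        if image is None:
            continue
        for r in regions:
            if r["start"] != image_base and r["size"] == image["size"]:
                findings.append((pid, hex(r["start"]), hex(r["end"])))
    return sorted(set(findings))


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(DUMPS).items()):
        print(pid, [(hex(r["start"]), hex(r["size"])) for r in regions])
    print(staged_image_copies(DUMPS))
```

On this run the four PIDs (2400, 2300, 684, 3016) line up with the four processes in the list above, every image region is 0x3E000 bytes, and PIDs 2300 and 684 each also hold a 0x3E000-byte region at a non-image address (0x390000 and 0x220000). Both of those processes are the ones that go on to spawn the next omsecor.exe, which makes those two dumps the first thing to compare against the image dump when looking for the unpacked payload. Run over the behavioral2 dump list the same function returns nothing, since every region there sits at the image base.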
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-17 10:09
Reported: 2024-08-17 10:11
Platform: win10v2004-20240802-en
Max time kernel: 115s
Max time network: 118s
Command Line: (empty)
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file: 9 matches (no indicator detail recorded)
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2952 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2952 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2952 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 904 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 904 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 904 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
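The behavioral signatures in both runs (behavioral1 above and behavioral2 here) reduce to a handful of rules over the process, file, registry and cross-process-write events: an executed image that an earlier event created, a write into System32/SysWOW64 by a process that itself lives under a user-writable path, an open of the NLS\Language key, and a WriteProcessMemory chain from the sample through each dropped copy. The Python below is an added example, not the sandbox's detection code: it rebuilds the behavioral2 events from the tables on this page as a constructed event stream (the ordering, and the file_create for the %APPDATA% copy that the Files section lists as dropped, are assumptions; the sandbox's native event format is not reproduced) and implements those four rules so they can be run against a real EDR or sandbox export with the same fields.

```python
from collections import defaultdict

# Paths and key taken from the behavioral2 tables on this page.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed event stream (ordering and the first file_create are assumptions).
EVENTS = [
    {"type": "process_create", "pid": 2952, "image": SAMPLE},
    {"type": "reg_open", "pid": 2952, "key": NLS_KEY},
    {"type": "file_create", "pid": 2952, "path": ROAMING},
    {"type": "process_create", "pid": 904, "image": ROAMING},
    {"type": "write_process_memory", "pid": 2952, "target_pid": 904},
    {"type": "reg_open", "pid": 904, "key": NLS_KEY},
    {"type": "file_create", "pid": 904, "path": SYSWOW},
    {"type": "process_create", "pid": 4892, "image": SYSWOW},
    {"type": "write_process_memory", "pid": 904, "target_pid": 4892},
    {"type": "reg_open", "pid": 4892, "key": NLS_KEY},
    {"type": "file_modify", "pid": 4892, "path": r"C:\Windows\SysWOW64\merocz.xc6"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")


def process_images(events):
    """pid -> image path, from process_create events."""
    return {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process_create"}


def executes_dropped_exe(events):
    """A process whose image path was created by an earlier file_create event."""
    dropped, hits = set(), []
    for ev in events:
        if ev["type"] == "file_create":
            dropped.add(ev["path"].lower())
        elif ev["type"] == "process_create" and ev["image"].lower() in dropped:
            hits.append((ev["pid"], ev["image"]))
    return hits


def drops_file_in_system_dir(events):
    """Writes into System32/SysWOW64; severity rises when the writer itself lives in a user-writable path."""
    images = process_images(events)
    hits = []
    for ev in events:
        if ev["type"] in ("file_create", "file_modify") and ev["path"].lower().startswith(SYSTEM_DIRS):
            writer = images.get(ev["pid"], "").lower()
            severity = "high" if any(tok in writer for tok in USER_WRITABLE) else "medium"
            hits.append((ev["pid"], ev["path"], severity))
    return hits


def system_language_discovery(events):
    return [(ev["pid"], ev["key"]) for ev in events
            if ev["type"] == "reg_open" and ev["key"].lower().endswith("\\control\\nls\\language")]


def write_process_memory_chains(events):
    """Follow writer -> target edges from cross-process writes; return each root-to-leaf chain."""
    edges = defaultdict(set)
    for ev in events:
        if ev["type"] == "write_process_memory" and ev["pid"] != ev["target_pid"]:
            edges[ev["pid"]].add(ev["target_pid"])
    targets = {t for ts in edges.values() for t in ts}
    chains = []

    def walk(pid, path):
        if not edges.get(pid):
            chains.append(path)
            return
        for nxt in sorted(edges[pid]):
            if nxt not in path:                     # guard against cycles in real telemetry
                walk(nxt, path + [nxt])

    for root in sorted(p for p in edges if p not in targets):
        walk(root, [root])
    return chains


def triage(events):
    return {
        "executes_dropped_exe": executes_dropped_exe(events),
        "drops_file_in_system_dir": drops_file_in_system_dir(events),
        "system_language_discovery": system_language_discovery(events),
        "write_process_memory_chains": write_process_memory_chains(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(name, hits)
```

The chain rule is the one worth keeping in production: a single WriteProcessMemory into a freshly created child is common in legitimate software, but a chain that starts in a user's Temp directory, passes through %APPDATA% and ends in SysWOW64 is the shape of a dropper staging its persistent copy, and the same three-hop pattern is visible in behavioral1 through its process list.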
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe | "C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
Note: as in behavioral1, the System32 path on the command line resolves to the SysWOW64 copy through WOW64 file-system redirection for 32-bit processes.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
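The Windows 10 run's network table mixes the sample's own contacts with traffic the sandbox image generates by itself (Bing background connections and the reverse-DNS PTR lookups under in-addr.arpa), which has to be stripped before any of it becomes an indicator. The Python below is an added example, not the sandbox's reporting: it takes a constructed subset of the behavioral2 rows above, filters that noise with an allow-list that is an analyst assumption (the sandbox does not label the rows), groups the remainder by domain, counts DNS queries and TCP connections, records the IP, port and country each domain was contacted on, and applies a deliberately crude generated-name heuristic. The report only records that these hosts were contacted; it does not say what role they play, and neither does the code.

```python
import re
from collections import defaultdict

# Constructed subset of the behavioral2 "Network" table on this page: (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "lousta.net", "udp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "237.197.79.204.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "mkkuei4kdsz.com", "udp"),
    ("US", "64.225.91.73:80", "mkkuei4kdsz.com", "tcp"),
    ("US", "8.8.8.8:53", "ow5dirasuek.com", "udp"),
    ("US", "52.34.198.229:80", "ow5dirasuek.com", "tcp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
]

# Analyst assumption: OS/Bing background traffic and PTR lookups come from the sandbox image, not the sample.
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
RESOLVER = "8.8.8.8:53"   # the sandbox's DNS resolver; UDP rows to it are queries, not contacts


def split_destination(dest):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def looks_generated(domain):
    """Crude DGA-style check on the second-level label: a digit or four or more consonants in a row."""
    labels = domain.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return bool(re.search(r"\d", sld)) or bool(re.search(r"[^aeiou0-9]{4,}", sld))


def extract_iocs(rows):
    iocs = defaultdict(lambda: {"dns_queries": 0, "tcp_connections": 0, "resolved_to": set()})
    for country, dest, domain, proto in rows:
        domain = domain.lower()
        if domain.endswith(NOISE_SUFFIXES):
            continue
        ip, port = split_destination(dest)
        entry = iocs[domain]
        if proto == "udp" and dest == RESOLVER:
            entry["dns_queries"] += 1
        elif proto == "tcp":
            entry["tcp_connections"] += 1
            entry["resolved_to"].add((ip, port, country))
    for domain, entry in iocs.items():
        entry["looks_generated"] = looks_generated(domain)
    return dict(iocs)


def indicator_lines(iocs):
    """Flat type,value lines, the shape most blocklists ingest: domains plus the IPs they were contacted on."""
    lines = set()
    for domain, entry in iocs.items():
        lines.add("domain,%s" % domain)
        for ip, _, _ in entry["resolved_to"]:
            lines.add("ip,%s" % ip)
    return sorted(lines)


if __name__ == "__main__":
    found = extract_iocs(ROWS)
    for domain, entry in sorted(found.items()):
        print(domain, entry)
    print("\n".join(indicator_lines(found)))
```

After filtering, the three domains left (lousta.net, mkkuei4kdsz.com, ow5dirasuek.com) are exactly the set the Windows 7 run contacted, where no such noise appears, which is the cross-run consistency check worth doing before publishing any of them. Treat the IPs as weaker indicators than the domains: the report shows a single resolution per domain on a single day, and the two digit-bearing names suggest the set may not be stable.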
Files
memory/2952-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ffa946d3f505cc7630b057cebc518b80 |
| SHA1 | 23527f9c6d03122864cea46adde43df16e503bcd |
| SHA256 | 8b688f0d94a43e8115c7e0cee2f0e6b229c760b12b70b91d803599020a8e5504 |
| SHA512 | 877baf971a3a3ee04efae3a8e63cbbf9cf996656d78cc7687ac098bf33be1fa5e5b08351780ec0e20798c49ff7eca78cf947ccc0fb2d79f1d757678979ba63cd |
memory/904-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2952-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/904-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 2b958f0e1177ab6af7901580121b3d8b |
| SHA1 | 9282d1b1506c6f95bd7605fb84c63ec586bf2b2d |
| SHA256 | e380fafa019cccf80e677331439309a1c14b3415e60be78245a5987aef8bc63b |
| SHA512 | e593d253111289389431233d2b11814de7e4ba51128e9666ab7483f28ae1a0febbd78d490f5519bd749f14c662c07dfbb3e3afd1376ec61b3bb28e08d51cd4bc |
Note: the %APPDATA% copy of omsecor.exe has identical hashes in both runs (MD5 ffa946d3f505cc7630b057cebc518b80), whereas the SysWOW64 copy differs from it and between runs (MD5 91a4c62e64847fbbe1894e5ee0e8436f in behavioral1, 2b958f0e1177ab6af7901580121b3d8b here), so of the dropped files only the %APPDATA% copy's hash is a stable indicator across these two detonations.
memory/4892-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/904-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4892-14-0x0000000000400000-0x000000000043E000-memory.dmp