Analysis Overview
SHA256
99d32a4585a929a8072a4b0677ad371414c5322cbdd4bb0162b986e61c935c87
Threat Level: Known bad
The file 148d628a2787b67e88dfbcf1d8a3f750N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 10:29
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 10:29
Reported
2024-08-17 10:31
Platform
win7-20240708-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe
"C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 085d3911db95d1ee858b90a8d9057b7e |
| SHA1 | f405ebee5626577bac41cbdc9a62996fff22433b |
| SHA256 | 590cd998102f8d0676d7ceba4cded30a55f351f2c1474919933493daa40a8f74 |
| SHA512 | 76406e6c1e9a97f19516b3e5e82894177ef0fb05c6abc70dcda44f0bdacf45410d793cf85a0da618ff0bd9a088b06195f6e5e6ace08eb87ebe85d448f73f3854 |
memory/1808-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2348-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2348-9-0x0000000000220000-0x000000000024B000-memory.dmp
memory/2348-8-0x0000000000220000-0x000000000024B000-memory.dmp
memory/2348-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1808-14-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 53d9fd1f15ae33abb1ebf99d3219ad0e |
| SHA1 | 5a16256d668aa034efe31f7bd36f2797b8d73414 |
| SHA256 | 4dae55c91c2369da69899d1aede63bcf934ffa37c309ca62c7c238c2656e3f77 |
| SHA512 | d8a971ed5d3b20ada8eeac26d628b699f100ca0a63badace702df8f5099c1163a37af185d1d83379ec0ede5968ea4ace91bd9f6bc12847970bb5aa42aaaf90fc |
memory/644-26-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1808-24-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5fb26513945b35c6ce2d5eebfb927802 |
| SHA1 | a0c1fc9cd2168a99927639d92d346b08fd9c7880 |
| SHA256 | e602e25c73ccf5afd8c9ff40e6a9f858b2765c89d07ad8af29e483ec28523ca3 |
| SHA512 | 60647a9171da93474db7951fae088ddd067416bfdb3973efeeb036012da58a753f8a4965243bc33d9fc0ad168857abc392ddeb2fd77b9eae7840079f349dc4aa |
memory/644-30-0x0000000000220000-0x000000000024B000-memory.dmp
memory/644-36-0x0000000000220000-0x000000000024B000-memory.dmp
memory/1184-40-0x0000000000400000-0x000000000042B000-memory.dmp
memory/644-38-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1184-41-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 10:29
Reported
2024-08-17 10:31
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
124s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe
"C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/3652-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 085d3911db95d1ee858b90a8d9057b7e |
| SHA1 | f405ebee5626577bac41cbdc9a62996fff22433b |
| SHA256 | 590cd998102f8d0676d7ceba4cded30a55f351f2c1474919933493daa40a8f74 |
| SHA512 | 76406e6c1e9a97f19516b3e5e82894177ef0fb05c6abc70dcda44f0bdacf45410d793cf85a0da618ff0bd9a088b06195f6e5e6ace08eb87ebe85d448f73f3854 |
memory/4772-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3652-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4772-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 35e7c900608f3bd1262f4ec9ce6d04c6 |
| SHA1 | 4d7d58f8d157e7cd1d6af943bb0cad9037eccf33 |
| SHA256 | d08325128b7af61e3f9278e25881b5ea470536c43af02601c09c347974d387c3 |
| SHA512 | 3971bed96492e3d21c24efd33c87fc736fbc9ef76f71d583b5b93566178f1b6f338638efbc8edfaafb482df99870be2bfb2ac224e589e72868595f726399d058 |
memory/4316-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4772-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | da64ec3464133e57a63734df07fb4630 |
| SHA1 | da9d6c4d46ae2ee835e181df8b515b06e9c47974 |
| SHA256 | bd8bcf3baf88f3ea988525b69472d95843398fd1b3ce5bd607fdc75a32cfa729 |
| SHA512 | b4ede67d487cc0984276b3486c0b68640ead9e210b5cb90d37627d48140d69a8a0b87bfc08392a494bae033946630db9f4533282ff9bc1778dd4ef052d5f5192 |
memory/4316-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2188-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2188-20-0x0000000000400000-0x000000000042B000-memory.dmp