Analysis Overview
SHA256
5bb4add990d71544b729b2b753ca8d9af76c289922a97757d9bcd65002493477
Threat Level: Known bad
The file f079bd3d5d9aa88a9fac30c67936aac0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 11:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 11:39
Reported
2024-08-17 11:41
Platform
win7-20240705-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2632 set thread context of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe | C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe |
| PID 2928 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2204 set thread context of 2220 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1064 set thread context of 2224 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe
"C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe"
C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe
C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2632-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2784-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2784-10-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2784-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2632-6-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2784-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2784-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | df05f95e29ca7e5c3fdb4ec4450eea17 |
| SHA1 | 009c38a44d28008450715f4dd218df8adc01cb88 |
| SHA256 | df0210205dc6ecf9b37e24989a904332abb864cac8ab7869e3111711b593de83 |
| SHA512 | 4496f583a0e69f244acd8803b12312b0b0cd49298c41c1895b3c77a1784a5f08ecc6e4a0854d49b439994c0770a573e7ebabda73d7f5db09947f3b325434a2ff |
memory/2928-28-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2928-20-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2632-32-0x00000000005C0000-0x00000000005E4000-memory.dmp
memory/2528-33-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2528-34-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2528-39-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2528-42-0x0000000000400000-0x0000000000429000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 11325edb65aaf522ad3ae20474275e51 |
| SHA1 | bb67eb35478772abf2007dff0c434047eb9f171d |
| SHA256 | 8d66ea674b03e490c48820d1555a03f64d7dcf5e8c443f14e3b5ac4cf32106a8 |
| SHA512 | bc2dfaa0e60d93ab21382e19e8033b1694e9fbb1740a83d563a43c36ef1abf8298b9017bc6ccc4ec0811cf9322cd7fff875e9be7be520afe7c8028308b224d3c |
memory/2528-45-0x0000000000310000-0x0000000000334000-memory.dmp
memory/2528-54-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2204-55-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2204-63-0x0000000000400000-0x0000000000424000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e3b0df5eb0ae416cf42bc9eadbd270e2 |
| SHA1 | 6c4e15ed3171f5e9775c4cc2610ca9da7dddaf4c |
| SHA256 | 7a16763485b998a1734c386a892aea39b44ddfa220dc7657bbe076dba930e9af |
| SHA512 | 709f5074a8873bded95d43387aa96ebb6b3b5b2a900d444801772bab89229f5d89ad4de5d630712e1535bf3aad8b2777160438b2fe08265f924e4734050f1212 |
memory/2220-69-0x0000000000230000-0x0000000000254000-memory.dmp
memory/1064-83-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1064-77-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2224-86-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 11:39
Reported
2024-08-17 11:41
Platform
win10v2004-20240802-en
Max time kernel
113s
Max time network
126s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2964 set thread context of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe | C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe |
| PID 4952 set thread context of 1976 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3264 set thread context of 3708 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2532 set thread context of 4340 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe
"C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe"
C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe
C:\Users\Admin\AppData\Local\Temp\f079bd3d5d9aa88a9fac30c67936aac0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2964 -ip 2964
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4952 -ip 4952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 296
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3264 -ip 3264
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2532 -ip 2532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 256
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2964-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4380-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4380-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4380-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4952-7-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | df05f95e29ca7e5c3fdb4ec4450eea17 |
| SHA1 | 009c38a44d28008450715f4dd218df8adc01cb88 |
| SHA256 | df0210205dc6ecf9b37e24989a904332abb864cac8ab7869e3111711b593de83 |
| SHA512 | 4496f583a0e69f244acd8803b12312b0b0cd49298c41c1895b3c77a1784a5f08ecc6e4a0854d49b439994c0770a573e7ebabda73d7f5db09947f3b325434a2ff |
memory/4380-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1976-16-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1976-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4952-17-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2964-18-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1976-20-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1976-23-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1976-26-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1976-27-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 8fc5532658703dd5cb747275a3d511eb |
| SHA1 | 92e97d75a81a19d809e1dd85e4be5b765f937355 |
| SHA256 | 52149f3c9515f7ffbfe6232fa323190e25dd6903580a44024d2ff35b94cd124b |
| SHA512 | 6dafe41e82beab067845e00ac4a6257c5e5473ff613db3fa7ca65cbc199f7c95ef94729b59cb8dbe4764817ca2f4ef334bb65cce30132e4b5507659cf50a3847 |
memory/1976-33-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3264-34-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3708-42-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3708-40-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3708-39-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ad2e6b8d8d068b319d7cb6618a4ce7f6 |
| SHA1 | 034f5e36bc17580cf55947c1aa65bee9868eaf46 |
| SHA256 | 70d5ef26fdc228eb30940a4f6cac8fd3e43c4b3950872ba31aac2cd6234d45e0 |
| SHA512 | 0dd8948a4a41dff158a415074ffbb3bd49b228c3f85fa9dfcccd653fef03c1f32ea291fd6c9776eda3d6b78b1e74d5b7f92081b9b359ff53f38a66cb4e5951c3 |
memory/2532-47-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4340-51-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4340-52-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3264-53-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4340-54-0x0000000000400000-0x0000000000429000-memory.dmp