Analysis Overview
SHA256
7c0ad3ed329fc1c621039a39e7fc1b0afc4bed8ce0c4a331f797f91ee37319e5
Threat Level: Known bad
The file 23c02e2bc5d25b24d9f22d75038e95f0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 13:03
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 13:03
Reported
2024-08-17 13:05
Platform
win7-20240704-en
Max time kernel
116s
Max time network
124s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe
"C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/1356-1-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a6b7122280eb4c321a9474bce1b009e4 |
| SHA1 | 67b7360f9be698f0e0da20a50a1b59b79ad22a60 |
| SHA256 | e539507df68bc5efc7301b94787e90a74e9d853cf648cd668538ba06c7cd8d9f |
| SHA512 | f87cc49f443d5bbcfb6d139d04601e6da44b78431ba0c0aeb73eab0ef32570862045cf836a44d4b607403fbb984d8d079395bae5b070dbd42ef850c01b73ba09 |
memory/2868-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1356-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2868-12-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | deeab86ce7850c8d8a4b77b283d99f14 |
| SHA1 | 0b13647045f2f8617d18c9a7c0c03801348133cc |
| SHA256 | 97ee7a5ba5901feab9d3705fdadcf015943dd4b0b22b0fb65918d387e6660778 |
| SHA512 | b3e7e625f9b55fff011401473c5e9da03ad95df9cfa73bd475ba8533b88561cb3487daf0191aaf0531517dc53cda97fa5f81b714881c1fb3347bcfdc17ac25b5 |
memory/2868-17-0x0000000000370000-0x00000000003AE000-memory.dmp
memory/2868-23-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2564-33-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1792-35-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 348a669c984258af732f10dabd235d7d |
| SHA1 | 24d8d481b4a46ab3ed68939eafe83697dcbdd73f |
| SHA256 | d7b0e5176eae183eb383170f1d23c961bbaf0a9128cf0ebad9ab2e4a9300c4d4 |
| SHA512 | 85f57ec4c5f7421d2f9050deec8fe46a5e522377d2b75f09899e404926be1044be1d189c8aafb2eb21245a679e2cb9703a23039091ec544b2b4ec48eca0d224c |
memory/2868-37-0x0000000000370000-0x00000000003AE000-memory.dmp
memory/1792-38-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 13:03
Reported
2024-08-17 13:05
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3716 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3716 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3716 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1216 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1216 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1216 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe
"C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/3716-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a6b7122280eb4c321a9474bce1b009e4 |
| SHA1 | 67b7360f9be698f0e0da20a50a1b59b79ad22a60 |
| SHA256 | e539507df68bc5efc7301b94787e90a74e9d853cf648cd668538ba06c7cd8d9f |
| SHA512 | f87cc49f443d5bbcfb6d139d04601e6da44b78431ba0c0aeb73eab0ef32570862045cf836a44d4b607403fbb984d8d079395bae5b070dbd42ef850c01b73ba09 |
memory/1216-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3716-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1216-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | c0f5a9c6dd3da29caee60dbe7728916b |
| SHA1 | 6634a263404c8b2b075e290f3f5ae955ad6dcf34 |
| SHA256 | 6138b2d48e0118583fe90869be2dd8cbda572633a73dfac000137b0711692760 |
| SHA512 | 244145c7987a6a8fb8182d062483960b20005072d9733534c798396eb8ac4b39e0cdda5cf99ac39d3992bea31df9f72bd6c457d871c0013522fbdabce77bae60 |
memory/4584-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1216-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4584-14-0x0000000000400000-0x000000000043E000-memory.dmp