Analysis Overview
SHA256
f7482e028b5429a0b7e73f250db7e75465d922317bd3e926797b78b9a0eadd65
Threat Level: Known bad
The file 5137682cfd1570081e325a18027f8d40N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 13:10
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 13:10
Reported
2024-08-17 13:12
Platform
win7-20240705-en
Max time kernel
115s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe
"C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2764-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e202a15e25475446a7447f7589108f0e |
| SHA1 | 248db9c894bc58f4ecab67e399e9674339a3ccdf |
| SHA256 | baa00850fed32a3e2a309eea277f4faad7d422736f97c4bfe0ef9e01627d8e70 |
| SHA512 | ac939bf87f4ec53b02483cce3196f4e876425724f74f70dc9d7bc091f06ac00852b34d48eff9782e39855362a5f4df4dcbcc43c8802978f3dae28753bee5b259 |
memory/2764-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2780-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2780-12-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | cca640be6d4583e9bcd25b957f2858a2 |
| SHA1 | e8f73da54625595e6895d0c79809e00e2d8f4153 |
| SHA256 | 68141e37a2ee2d89c4ba2b6af1e57bd5607ed9006af66d0b20dc9b88c3ef0153 |
| SHA512 | 5093ee77897ef39a7cbcfe5cfd76def9461da79278382411ed0cdf53688debc07bfc849d892b194b70041e332ebb2468af878a9a7b5de4196c1de600fa683f81 |
memory/2780-17-0x0000000000390000-0x00000000003CE000-memory.dmp
memory/2780-25-0x0000000000390000-0x00000000003CE000-memory.dmp
memory/2780-23-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 139f0d41cfe6d0d170792eb81ad3a162 |
| SHA1 | 2de5f144843c2773035075099a0a94ebd21f4a01 |
| SHA256 | a270ca053a5d30d100010b8f541780ab40a6f4f23ecf74cea0fa8fe5801d92a1 |
| SHA512 | c647d41601affe1ab086a5d46867f3f55edd3cc439cc8c14b1e64a25e10cf6337be91a9699d4054f64c4ddc9cc1669d89735897b025dd4290a2b77c2849e8b82 |
memory/1980-29-0x00000000002D0000-0x000000000030E000-memory.dmp
memory/1980-35-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2872-38-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 13:10
Reported
2024-08-17 13:12
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4376 wrote to memory of 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4376 wrote to memory of 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4376 wrote to memory of 3244 | N/A | C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3244 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3244 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3244 wrote to memory of 4324 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe
"C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/4376-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3244-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4376-6-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e202a15e25475446a7447f7589108f0e |
| SHA1 | 248db9c894bc58f4ecab67e399e9674339a3ccdf |
| SHA256 | baa00850fed32a3e2a309eea277f4faad7d422736f97c4bfe0ef9e01627d8e70 |
| SHA512 | ac939bf87f4ec53b02483cce3196f4e876425724f74f70dc9d7bc091f06ac00852b34d48eff9782e39855362a5f4df4dcbcc43c8802978f3dae28753bee5b259 |
memory/3244-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | f042282b0bf92e75e189f35a77b098f9 |
| SHA1 | 8cebeb05d50c2ccdffb9ccb1c739cd747e6fc07a |
| SHA256 | 3add4e26cdca1f24e4899d0a5e12c9939ae92195396efc80562de3df6b81a9a3 |
| SHA512 | af7bf69728ccc4c040d753665d1453a3510605f4004a3e69e5841515fc06ccc8ded6a2f4634326b5c3a641ca2d7a2744745ac0b0b9f453b8edea739cf6eabcd3 |
memory/3244-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4324-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4324-14-0x0000000000400000-0x000000000043E000-memory.dmp