Analysis Overview
SHA256
c629fa7a9658ab9455c67008c39d6b9fad0595c9467b488bb10d94d1452a380b
Threat Level: Known bad
The file 4e19bd8056430329ebf28532dd5076c0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Drops file in System32 directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 14:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 14:18
Reported
2024-08-17 14:20
Platform
win7-20240704-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1864 set thread context of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe | C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe |
| PID 2316 set thread context of 1736 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1916 set thread context of 2000 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2856 set thread context of 2192 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe
"C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe"
C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe
C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/1864-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2276-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2276-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2276-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1864-7-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2276-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2276-14-0x0000000000230000-0x0000000000253000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ec2895b51cafa9d640f2434ea226c54d |
| SHA1 | f8ee06bc3916d46de61a068565f9d371d3879de0 |
| SHA256 | eb095bd81693eafa2a4252b22c6d002e0a5e30797c35fb5ad4e57f195dfe0650 |
| SHA512 | 89880f54a1f125aa4769307679bdcdc3814074cf8ad0f386eb5c0e948d6b83f358193db8b887a49039f27c0e5699de17fcb7670918e8848d2d3eecca45e03078 |
memory/2276-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2316-22-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2316-25-0x00000000002D0000-0x00000000002F3000-memory.dmp
memory/2316-33-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1736-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1736-39-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1736-42-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1736-45-0x0000000000400000-0x0000000000429000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | d426a287d97d70fad8a4e537900820b2 |
| SHA1 | 220399cd960ec99ac8f8582a1c95ab1d94cb242c |
| SHA256 | 598d9fdd3348333dc310643a39270365aa72153aa9ba03543408b4424541e1c6 |
| SHA512 | 53dada565235485a64dc86a1e51170e608d35e327d697d34daffe4ca1304fdb3a75eb729f2f945bb2fa4c9e10e0e48a42ea4c1ac2b31e6c258c1c437880d7c4f |
memory/1736-55-0x0000000000290000-0x00000000002B3000-memory.dmp
memory/1736-54-0x0000000000290000-0x00000000002B3000-memory.dmp
memory/1736-58-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1916-59-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1916-69-0x0000000000400000-0x0000000000423000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | dbdd6930db1ce795eda970a2234fb9bb |
| SHA1 | b437789d8506e484ab427db03f11f81fd865f2e0 |
| SHA256 | fb80fc27ab023fa8a7eb64e73c1352739ccab7be41b4d22159e982c76d274fd7 |
| SHA512 | 5ae218050e4ab8a70a6c7941e112b1ba38330430c95ed54f0be06aaa243beff81b06ab67d52589e9bd8d74bd517c573453bffeb0c9375ff4642ed60bea6a7823 |
memory/2000-74-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2000-81-0x0000000000230000-0x0000000000253000-memory.dmp
memory/2856-83-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2856-91-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2192-93-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 14:18
Reported
2024-08-17 14:20
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2400 set thread context of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe | C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe |
| PID 2244 set thread context of 2848 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2836 set thread context of 2396 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1816 set thread context of 4292 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe
"C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe"
C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe
C:\Users\Admin\AppData\Local\Temp\4e19bd8056430329ebf28532dd5076c0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2400 -ip 2400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 288
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2244 -ip 2244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 288
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2836 -ip 2836
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1816 -ip 1816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 256
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 52.111.229.43:443 | N/A | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2400-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2060-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2060-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2060-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2060-5-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ec2895b51cafa9d640f2434ea226c54d |
| SHA1 | f8ee06bc3916d46de61a068565f9d371d3879de0 |
| SHA256 | eb095bd81693eafa2a4252b22c6d002e0a5e30797c35fb5ad4e57f195dfe0650 |
| SHA512 | 89880f54a1f125aa4769307679bdcdc3814074cf8ad0f386eb5c0e948d6b83f358193db8b887a49039f27c0e5699de17fcb7670918e8848d2d3eecca45e03078 |
memory/2244-8-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2848-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2848-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2400-17-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2244-19-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2848-20-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2848-23-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2848-26-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2848-27-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 5f5521d9c9659081fabf5320008072c3 |
| SHA1 | 0bcbfe2e80721b2c3efa0dc29205ad2a6fb41959 |
| SHA256 | 51c098dd67d81be4edf973e6c2fdb5703cb8c78150086648bae693ecbe397c1c |
| SHA512 | 5d115e45583c76adb25c45018c153c6d0be77df9c066744786f89525d8d5de15507b40ef98fbe2db7f3bdd6e77acbc077d6bde416eaa2bf022731a7587498842 |
memory/2848-34-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2836-35-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2396-39-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2396-41-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2396-38-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c5bd1fe5dd0493c5eb6bd6545b13c631 |
| SHA1 | c1d936ab570a9008273ffad974012a0f54c29713 |
| SHA256 | de475df2c5af148ea3573de2bf9691a356be755351291177094c9469d9c2aa00 |
| SHA512 | a322a45ac2615c981cc6973a15a6cafa86143aa26d4c41c57cebc2f40f2f7c9708b069aeec3215682349916d0144414126d583b6662d12d7882dff8c0bd8432c |
memory/4292-52-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4292-50-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1816-46-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2836-55-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4292-56-0x0000000000400000-0x0000000000429000-memory.dmp