Analysis Overview
SHA256
540065f21daa8861400dfcc1708907f265395d332165d8ceca39baea42600418
Threat Level: Known bad
The file ef136d4fea4454662428a0867eb01120N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 15:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 15:26
Reported
2024-08-17 15:28
Platform
win7-20240704-en
Max time kernel
116s
Max time network
124s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1140 set thread context of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe | C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe |
| PID 2180 set thread context of 2940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2196 set thread context of 2600 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 436 set thread context of 1784 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe
"C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe"
C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe
C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/1140-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1840-1-0x0000000000400000-0x0000000000429000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 831ed1d7f4d14ee67899185ed84273dc |
| SHA1 | 068bd9f0f3828011481fe47c56e407dd86a95c9a |
| SHA256 | 21f2a06fb820e15a85d36c3f447e2b8ce59a5580b3aae7fb9ce1da75d2f91e0d |
| SHA512 | c85ccb13814f72ba28a320a0fef0268fb18277a3469636e6d43e2f1f0951ff1274a5b0a304da5343838ad9afedac312207f1063f01d75d62fb16b71082a59578 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 7d1b4fd6cce47dc88578c9d5d43025fb |
| SHA1 | 5f38b091d33eff18ef1fcb9f3a184cd9d227ac5a |
| SHA256 | 9b596868bd20f8916f8f45e20f6c5a932b844e0543c574886306742f6ca64f0b |
| SHA512 | 29fd3154ffddd504f3ceeace61bd15a856198acbe0d7c0dd07f690ae04551fe68b77514d66cd0c8c3b0713ef08657817a2a831bd8a893f721d7bd8c62116e477 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | fdedf38ae20cf9b1535fd92a42659170 |
| SHA1 | f1b074da7a578c58e7c82eff7176230639b301e4 |
| SHA256 | c8495651dc38de647cad47067b4a77f5f80b5bc4abffe555aacfaef8c554263c |
| SHA512 | 049a04c93e608c4ffba24f559174e1f2b6d45c70f350a46169d50c3987bde15a1e9f87b387c6d646a2d504b0e297793544d09d79258f99a701043ed93b866217 |
memory/436-79-0x0000000000400000-0x0000000000423000-memory.dmp
memory/436-87-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1784-89-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 15:26
Reported
2024-08-17 15:28
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4480 set thread context of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe | C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe |
| PID 1280 set thread context of 5012 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1964 set thread context of 3156 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3932 set thread context of 2516 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe
"C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe"
C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe
C:\Users\Admin\AppData\Local\Temp\ef136d4fea4454662428a0867eb01120N.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4480 -ip 4480
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 288
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1280 -ip 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 304
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1964 -ip 1964
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3932 -ip 3932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 268
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 831ed1d7f4d14ee67899185ed84273dc |
| SHA1 | 068bd9f0f3828011481fe47c56e407dd86a95c9a |
| SHA256 | 21f2a06fb820e15a85d36c3f447e2b8ce59a5580b3aae7fb9ce1da75d2f91e0d |
| SHA512 | c85ccb13814f72ba28a320a0fef0268fb18277a3469636e6d43e2f1f0951ff1274a5b0a304da5343838ad9afedac312207f1063f01d75d62fb16b71082a59578 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 3cd2c91a95d9f88d7254a61f2092d15d |
| SHA1 | 6d818f805903bd9b26d8d5a2fe2145de9304fbdf |
| SHA256 | bc72f43cd276868a76e351cb69aec0b4d51543e560ace2a5bd2ec51edd52cf2b |
| SHA512 | 2d292f9cb4c7125bfed5ebd0fa14e380cf81eada07458d151efd392d83cbbaaaa302ef340b3115487b6a759a7fb13fe743a8c313d85cb97153ed68f2db06c801 |
memory/3156-37-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3156-38-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3156-40-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 16cbf294781d5d7b7d4fef7238ecb44a |
| SHA1 | 1a9c28478d0860c7b5730975f98e9ef393ce9844 |
| SHA256 | 8154122245337d69acc7de17152037a18e44b74ad72dedb2e4fed1f812a5aa41 |
| SHA512 | d2778d4adb2b573ae4a5a6b9b9f4bb891b07e3ddb106afbbe286e5d26fb8a9cc1a1c9702b61c9246112d9cd9726c2dd84631ac51c6d9027b62146457baf1d101 |