Analysis Overview
SHA256
03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4
Threat Level: Known bad
The file 03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 18:24
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 18:24
Reported
2024-08-17 18:26
Platform
win7-20240705-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe
"C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2460-1-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2460-8-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | b2258c10578ac6323d97bfbd4be24fea |
| SHA1 | de9782c5c6a034a939d0de5e6defb008c3866e17 |
| SHA256 | c79b570e6b8da3823ae7b1b168b599e2f085764667fdcab34722dcbd52993a46 |
| SHA512 | 513dfb5418dd56939397e002e95624e756f39de0898c3f17daa727bfc0957aa374d35754d4b4321545029891751e3584f5bc323fe80563181e3bf62928f0f60b |
memory/1648-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1648-12-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5f8579811fa7c74286ec69260dd99fb0 |
| SHA1 | f258404902af358bb7c20d66158f4273bccdaa32 |
| SHA256 | cd96ae7b31fc091adaa64b829e11492f04bcbbc5c65b20d46eb0e6d51e5b2e75 |
| SHA512 | 10bfb057bfc03bf3dc749dce6ccbd33e640eb9362c3deb65cfd58585db71b4fa3e7303a4bb45a6a59f7b0913e9ce0b1c3ed461a3c4ec56fa61ffad6cc61bca37 |
memory/1648-17-0x0000000000300000-0x000000000033E000-memory.dmp
memory/1648-24-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | f49a126150a363accbeaa3711d0bae33 |
| SHA1 | aac27faa1560ec8fb1c32be3221fd8d34cb1113c |
| SHA256 | 8c7e11850cdc835e144be776310860e53f8dc07dbaf6c71200f19166fb0fbfa5 |
| SHA512 | 83300825cb94397da7b76325365395436201388fdeb05332db188c03cd8639dd32aefbc09d59b1990d86299b76ca61ca9472536893b740ebd393ceaf7fe7ace5 |
memory/1544-29-0x0000000000220000-0x000000000025E000-memory.dmp
memory/2592-37-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1544-35-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2592-38-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 18:24
Reported
2024-08-17 18:26
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe
"C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/684-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/684-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1168-6-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | b2258c10578ac6323d97bfbd4be24fea |
| SHA1 | de9782c5c6a034a939d0de5e6defb008c3866e17 |
| SHA256 | c79b570e6b8da3823ae7b1b168b599e2f085764667fdcab34722dcbd52993a46 |
| SHA512 | 513dfb5418dd56939397e002e95624e756f39de0898c3f17daa727bfc0957aa374d35754d4b4321545029891751e3584f5bc323fe80563181e3bf62928f0f60b |
memory/1168-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | dd10deeba5fb45a4d40196bcc761180d |
| SHA1 | 3ea09e6d4bf6e9519f72b5d5623b380eee8ade92 |
| SHA256 | b05cb17a314b36c4223a2c222bb77c1f874ae6e34081e42ea73687928ac7814a |
| SHA512 | 7bf0574b42cb72f2d9a80aba5abb7d27f664de50769765e8fe3ed1c5a4cf3e8c5e0204d1550239de65031c2e58bc9371a4730d57bd673817d0ac9fdc73a2da57 |
memory/1332-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1168-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1332-17-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | fb8bc8df844a6246efc3fb5686b03040 |
| SHA1 | 795e1b1a432c14d1b6d4dc40217501fb7df58815 |
| SHA256 | 4b69e2822918f2def453e602845590e9a174b19c985c21736233e3804abbe80a |
| SHA512 | 13460a41a5119d58c693fceb8cde04c23196e376caefcce6ee1cacf7055a10e296dfe24317e20d6ba631f9f1c11641c17b80d3d9d3303726f6cf4c4bc522b26b |
memory/2636-18-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2636-20-0x0000000000400000-0x000000000043E000-memory.dmp