Analysis Overview
SHA256
0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28
Threat Level: Known bad
The file 0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 18:49
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 18:49
Reported
2024-08-17 18:51
Platform
win7-20240708-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe
"C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/1820-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 822a37c441eb37ecd343c04b2d50c87a |
| SHA1 | b96e7609bca07d9287d7f5e046e41f7ed08d75a8 |
| SHA256 | a4bf3e5b80940bb8a1ebc16df082d8c369c3799e4f82cd228720ecb0467ed999 |
| SHA512 | 1c14e4a26df8aba63c10aa646808485ae1aebca0fb5b06fabdab1a1689606e83898c318144cdd7119e76483272ed5f56a61b6229b3baeea43a66623672617c0b |
memory/1820-4-0x00000000001B0000-0x00000000001EE000-memory.dmp
memory/292-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1820-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/292-13-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 3d5ebbee77efef0016b959306fcef982 |
| SHA1 | 8334c011060225e54b2815e781a148da6d8718e1 |
| SHA256 | 155d7c799203afb497ca0bdf1fe2b323311eb64b88add2484f9db4b13fe34834 |
| SHA512 | 15a2f105aab463d47ea8bba3a39ff8e3cc21173486136c5f61a4ef8ab60828fdc615d7eb7c9aa7e3dade1931edde2f866f0c746361068c9e4c8ab9b1a1c785c6 |
memory/292-26-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1992-27-0x0000000000400000-0x000000000043E000-memory.dmp
memory/292-24-0x0000000000440000-0x000000000047E000-memory.dmp
memory/292-19-0x0000000000440000-0x000000000047E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 51d9fa553aa3e1bc9f163c029e1873d3 |
| SHA1 | 05bd6c11135233c642f96647b6e322d4531d0f53 |
| SHA256 | f79ca6ee55f5c040af45046c948f628852f0c11b61e5546d0747e25b0d5a905c |
| SHA512 | 15ab87be48164f840b5cfa1ae8822543d3d6f5f7be666370c5bc33bbb151240c5ad1dc3eb7923a6c4c55043ad394c3048bfc1b575f7f719b33fb6b4a84ec5209 |
memory/1848-38-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1992-36-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1848-40-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 18:49
Reported
2024-08-17 18:51
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe
"C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/3112-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 822a37c441eb37ecd343c04b2d50c87a |
| SHA1 | b96e7609bca07d9287d7f5e046e41f7ed08d75a8 |
| SHA256 | a4bf3e5b80940bb8a1ebc16df082d8c369c3799e4f82cd228720ecb0467ed999 |
| SHA512 | 1c14e4a26df8aba63c10aa646808485ae1aebca0fb5b06fabdab1a1689606e83898c318144cdd7119e76483272ed5f56a61b6229b3baeea43a66623672617c0b |
memory/64-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3112-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/64-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | d97c6c5e159aaff40f35db64ed120c22 |
| SHA1 | 23a2d11cf38b791b48215ed14b1031394a1e8209 |
| SHA256 | c22575c69de5e1a0fbb46d6c007626d75dcc211ca37e995274c6234d7b77bc85 |
| SHA512 | 25c2c2c3e0c7830e296f0e628a1bb57deb5687e4bcdeef633256a1593a5bd7e3ecbf3bdef08023de916f3a0da5f3d0d9c41fd0901e6a86ab9dda163cb4c3074d |
memory/1592-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/64-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1592-16-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3300-18-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | cf88b982b0a7808dc82d5b4d55b69dad |
| SHA1 | b877f42a475ef49f2f5eac87aabc83b8d5f56968 |
| SHA256 | a8dbd29928a6ee9f514fe5814518a7f7cddd17585fc04fee7026f12193393aa5 |
| SHA512 | ab848bb2a8127c4a12d49a30c703c4cb776474c7cc39b09e7a7b2412d6a40a226d2c4c6348177f1c3edb4033af2dc852838b01e7fa3ffe0c2ae548ed63a63aa6 |
memory/3300-20-0x0000000000400000-0x000000000043E000-memory.dmp