Analysis Overview
SHA256
215557fae843b16a6884443a1af7939811fa0481851c8a37078089dc55d3a7d1
Threat Level: Known bad
The file c2788026375bcd144aec3864eb6f6d70N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-17 19:49
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-17 19:49
Reported
2024-08-17 19:51
Platform
win7-20240705-en
Max time kernel
118s
Max time network
119s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe
"C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c092ddcc86cb49f10b7717775be48716 |
| SHA1 | cc8674871215185b8332522c455f1449df946093 |
| SHA256 | 849103898d3341bfbc2b6a90c38ec2eeec004aed195bcb79bb2ca3a928200d55 |
| SHA512 | 16ada6f32c8b8f6ee5792f80446bb23ab955ab1e49caced00984891f7a13b33070136ad547692e8e8e3fbb2d46ad206ecc0afa58e6d8be6ccbf642d2c8f9f25e |
\Windows\SysWOW64\omsecor.exe
| MD5 | 68afb757a77d751e50b805a42b77ad8c |
| SHA1 | a4a0ebb3901094cc684587755c88b58934ce4966 |
| SHA256 | 78270cfe5645d829a1c31e6c453a0027bd7f51e1d23aaed11a4e8b005ff7dc95 |
| SHA512 | 5b9a8e02a06950a4902919dbb80596435ef38682b8af840376198670abc01f260ef3f518e7e0438bac629cc49de8c10d9bc9915db3211670bfff0928d0b1833e |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8c87bcc4aa7d09b018e0ecc788e8473d |
| SHA1 | c79b8b9a7995c21923d4e419df15c473d9b20251 |
| SHA256 | 12961e33d5f59ae9135284e7cbbc2b940f36f0d347c370f0ba6cfc605445347e |
| SHA512 | de4ec50c9e0d3f575f0d72d839c264c66837178e05beb1fe4479d51e29d7116e2e1c317f4377635559768ecf7b9bfb7e1ccd689889ed1f29dcbb8f8c72f63d7d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-17 19:49
Reported
2024-08-17 19:51
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
126s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3636 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3636 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3636 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1808 wrote to memory of 332 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1808 wrote to memory of 332 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1808 wrote to memory of 332 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe
"C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c092ddcc86cb49f10b7717775be48716 |
| SHA1 | cc8674871215185b8332522c455f1449df946093 |
| SHA256 | 849103898d3341bfbc2b6a90c38ec2eeec004aed195bcb79bb2ca3a928200d55 |
| SHA512 | 16ada6f32c8b8f6ee5792f80446bb23ab955ab1e49caced00984891f7a13b33070136ad547692e8e8e3fbb2d46ad206ecc0afa58e6d8be6ccbf642d2c8f9f25e |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d54a10588c3408520f80189a651436f5 |
| SHA1 | e0919708db7435e7f53e0ad3c6504859e883fde8 |
| SHA256 | bf4af2909de18347805ef902b2af73970b724a2f0010fd48d088a0b7f72781a3 |
| SHA512 | ca4d9aa528770bac228fc622a941dd39bf222fbef8ad3b111f4b656c30998499264a68b71ab4580c6a32d0f9d9e66a6d0fd811fb8f3b36d3589ad2485ef44091 |