Analysis Overview
SHA256
13221c391e1e8abb8d39a31c1ecdc3d09f275c84cde02dc8511e0ca599f86e94
Threat Level: Known bad
The file d9bae2c5b0211e4af81d661f5497bb10N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 21:44
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 21:44
Reported
2024-08-18 21:46
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe
"C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2980-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 28e15ebe825005fa203f31f0796e4fd3 |
| SHA1 | 4439062f9b11086cf495e71d500984434769fea1 |
| SHA256 | b2d7505c13ffbe51445530ddd84af467a855bb116707ffffb47b453da45db7d0 |
| SHA512 | 3937b4f343f96255b287a3d6d7f70f2013cdba9f57664ed168cfc2e173d663b1640c46974ecaac877cf233849dd6d4cd6b0ec627d26258ba76ba708affa60fac |
memory/2980-4-0x00000000001B0000-0x00000000001DD000-memory.dmp
memory/3024-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2980-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2980-14-0x00000000001B0000-0x00000000001DD000-memory.dmp
memory/3024-15-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3024-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3024-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3024-24-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | f717fb9336e14dfe3528ba5479f06158 |
| SHA1 | 9bcbbd07929ae8c8237d5a6cdf559f8a3fd543cc |
| SHA256 | 2f4915b55b3dc558faafb01ad1869415b65d91eb42037c6dbe4b01cbb2b2cffe |
| SHA512 | 22f4ff7a737ce22cc2fe3967ce2fc04f21d1169e289394580bea821255deed7be0490217ef190dcba92c5c31687f6c20614962f603fec81b28c985c3fbc838eb |
memory/3024-27-0x0000000000280000-0x00000000002AD000-memory.dmp
memory/3024-35-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c274258de3287c20ac8bd8ed05b473cd |
| SHA1 | bb9fd75fa5a37efe12b4404a3a9794458482fb8f |
| SHA256 | ed651414c4bbc683b48fef0ddf09a8037df2b9728e8f3456b415e22063d1a228 |
| SHA512 | 93b61d5b7f3003d4a8fa0f713430d3f3310650b5370ba622951910629ee57a11e54f91ee6d8acd4e19c8c680b788f0adaa51d37c0670091dd86e7fb4feb4ea9b |
memory/2016-48-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1968-46-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1968-45-0x00000000002B0000-0x00000000002DD000-memory.dmp
memory/2016-50-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 21:44
Reported
2024-08-18 21:46
Platform
win10v2004-20240802-en
Max time kernel
116s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 3620 | N/A | C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2104 wrote to memory of 3620 | N/A | C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2104 wrote to memory of 3620 | N/A | C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3620 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3620 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3620 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe
"C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2104-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 28e15ebe825005fa203f31f0796e4fd3 |
| SHA1 | 4439062f9b11086cf495e71d500984434769fea1 |
| SHA256 | b2d7505c13ffbe51445530ddd84af467a855bb116707ffffb47b453da45db7d0 |
| SHA512 | 3937b4f343f96255b287a3d6d7f70f2013cdba9f57664ed168cfc2e173d663b1640c46974ecaac877cf233849dd6d4cd6b0ec627d26258ba76ba708affa60fac |
memory/3620-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2104-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3620-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3620-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3620-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3620-15-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d58b7e408931fbaac3331d618336a931 |
| SHA1 | 0b081282afbb774fd9ca9f0b6362dc23ae275b1b |
| SHA256 | 7cbd13ce9246de2b55583f0ad6f06b90153bce7ad19fafa509e85300958efbf6 |
| SHA512 | 7fea48dd1446665123a19145af1e523ebd846e381c20c40b91a02bee041923da2c1b143ab329ec71d2fd2758ddf5ec08669e074a40c7eed88c8b00f8cf4fa79b |
memory/1696-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3620-22-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1696-23-0x0000000000400000-0x000000000042D000-memory.dmp