Analysis Overview
SHA256
8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef
Threat Level: Known bad
The file 8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 23:07
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 23:07
Reported
2024-08-18 23:09
Platform
win7-20240704-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe
"C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2120-1-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2120-8-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7d42898196a1ec95d4d0ee5cf5b4404b |
| SHA1 | c8d54ad4938e4258f2891cc6aca33d0ab4e042a0 |
| SHA256 | 820483cd845697e6950cc73974cc181cdd75ba57b1bfc4fe45ea94b1307fa422 |
| SHA512 | ab3c0616f1d21bba15bfdad90245375a8046093b26a920c9e36f6257dc60d0e8f404b4d0d3ab7f37fc1240cad87bc83de807e45cf510522573c79738d7813893 |
memory/1036-10-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1036-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 80d58be31b5d0f684b90a0ba16861ad7 |
| SHA1 | a758ee3f1278973da43d5631d9d0d800b1b0269b |
| SHA256 | ae0fe6cf5faf562c2150966ca2419d0e7af3f57240db8d53e478e204c49b1c9e |
| SHA512 | 50cffc1253115ea7b9f703526fd4c21c4cfdf2511859c01817e2ba896c9b24004b687a26762555c9a5cc308041ca1342999e5ade17e9077bfe7d4e8f06fce09b |
memory/1036-17-0x0000000000280000-0x00000000002AA000-memory.dmp
memory/1036-23-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1304-27-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a639974ea04c32e174b32a297197b908 |
| SHA1 | d9248f783e843fd8198651f8728c84be10f984dd |
| SHA256 | 7aa5efad40373524ce281b7f06edc625f978e3280efad571bdc377722d1a488a |
| SHA512 | 01c9281cbafe4b0536225acfb6a3d19e46670189e45cf7d518818ba2d667922eac8225f584066fc781552d6ca7a78fb7233e647733ec44bcbe1aef8e2b7eb126 |
memory/2032-35-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2032-37-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 23:07
Reported
2024-08-18 23:09
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe
"C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3264,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/3884-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4132-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3884-6-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7d42898196a1ec95d4d0ee5cf5b4404b |
| SHA1 | c8d54ad4938e4258f2891cc6aca33d0ab4e042a0 |
| SHA256 | 820483cd845697e6950cc73974cc181cdd75ba57b1bfc4fe45ea94b1307fa422 |
| SHA512 | ab3c0616f1d21bba15bfdad90245375a8046093b26a920c9e36f6257dc60d0e8f404b4d0d3ab7f37fc1240cad87bc83de807e45cf510522573c79738d7813893 |
memory/4132-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 28c61edab89fa05569a2b18c46373299 |
| SHA1 | 75f02b10a83c52fc14f4567db60a6189e4b01747 |
| SHA256 | 201c83b0abf8edd643f13dc2d7002e363d3c24c267e923a730ca36b06899eccb |
| SHA512 | fcba8e1d239f5eb687f0601e01e86190d7663b94fdb6f900eb60e8d8a9decfc947a2854f02f7a80d4a1fb6eca0b82fe941e0d3260ffe278e047b70d9c1ae0777 |
memory/2972-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4132-13-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ab71a4a98b9644ff6eec661a494600bd |
| SHA1 | b68be8ec60b9e611d89f88ec1bb1f03fea0ec9b7 |
| SHA256 | c9d29e7d341f9b19231cbd9114449fc4c50259c04f4f5c200a1aef641614bdd4 |
| SHA512 | a078dc171f8439b5e6dc49ba7d0033b1b1a86db113ff801aac76a2af1dbc2b27e4f4dda6a0e1135a04b193b33fb1d3c33e62f2352af9941ab286ac2b4537f781 |
memory/2972-17-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4056-18-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4056-20-0x0000000000400000-0x000000000042A000-memory.dmp