Analysis Overview
SHA256
1a0d17f5c56f15fd79ce82e307cdea1a67eed9ade0eb32e2b632ae107bd9f6ae
Threat Level: Known bad
The file f3327a85844a5806782da40c4df8b2c0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 05:31
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 05:31
Reported
2024-08-18 05:33
Platform
win7-20240708-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe
"C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6c0fb199987274ba7577edf451f4b47a |
| SHA1 | 5d57527ae68656561393f0cf9c184a171bf1844e |
| SHA256 | da5a3e2ddf7e0d03c26cc64c80c224b35a987d7f46397cde2faac87d3363763b |
| SHA512 | bf1031fd3961948231c8007f274885b21f85a9f1050bfe9976b7737e2d90b8ed142a69ce3b5e4e56370cf61f8323426ee0cb44732d3ffd3995f2d995d648de76 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 9ad02e8fbb4238dd6c1f8aae6801866b |
| SHA1 | 02fb202c955a7701391d602997b2f3833620d13f |
| SHA256 | f5e2ce6eb2bad4048d449b122857467ccbda902d8284a34d0fe9c604a62a1488 |
| SHA512 | b8b3eda5f15a277856e02c861448c9f4df66da2c0b8a9b71bcbc5aa23f9994af5559043ad4b77e5db79a9506a9f93082b87852ee82ff7ce6634e6bd8facf10f9 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ff67668256addb3655ac53d4fbb043dd |
| SHA1 | 07268ac2d97829d1020d7d7254a5f488c66432f8 |
| SHA256 | 1e0e7797f3264eea7174265833a51037be04e03154d68f93986cb37ef7617f1e |
| SHA512 | b2bc4718a28e52c7c05a5d55c0686c20de3aa739068c4fc56e7a6519f361c6a19a28c81fcade9bbd56d8c506d2fbdc698a6c0b49210d6641bbf1ffd251541596 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 05:31
Reported
2024-08-18 05:33
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
122s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2608 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2608 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2608 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4864 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4864 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4864 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe
"C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6c0fb199987274ba7577edf451f4b47a |
| SHA1 | 5d57527ae68656561393f0cf9c184a171bf1844e |
| SHA256 | da5a3e2ddf7e0d03c26cc64c80c224b35a987d7f46397cde2faac87d3363763b |
| SHA512 | bf1031fd3961948231c8007f274885b21f85a9f1050bfe9976b7737e2d90b8ed142a69ce3b5e4e56370cf61f8323426ee0cb44732d3ffd3995f2d995d648de76 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 037f69957cf604c2c4f590926c662b1b |
| SHA1 | 4d7b860ed307ffb07aafbfcea0ce803282f9f6c9 |
| SHA256 | d839ca1633d3ae95b4b022f8407b6dac6eef825df76a8f53a4443848d99a6649 |
| SHA512 | 2f9acfb87c9f2cb4508c8bd808203ba683f7ece3cc0ad1d03c9230b9c37c955a15455d914718288d0aba6e2c909f27e2b98cdd682ad046f138f0b944ab64988d |