Analysis Overview
SHA256
0499beff84adc41da5dd97694023640d8fe1206730d8100ab5603b282af9e794
Threat Level: Known bad
The file 5b002622f8369ec9e804b185e9376fc0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 05:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 05:58
Reported
2024-08-18 06:00
Platform
win7-20240704-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2740 set thread context of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe | C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe |
| PID 2708 set thread context of 2612 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2920 set thread context of 3052 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1152 set thread context of 3060 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe
"C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe"
C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe
C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2740-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2800-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2800-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2800-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2740-8-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2800-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2800-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2708-21-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | aca1022c081ce186ae4b4d4579efd1d2 |
| SHA1 | c58f4d4ce2e1eeaeb24a0e24d945fcefdf97c621 |
| SHA256 | 90a7ae08a40fc047bce158a671b79bc36c12c081c3fbc87e4cf5d844b3ae71a2 |
| SHA512 | 2b2754bfdbea3257647294b4f1bd40c1ea2a14a0113a357ef4d995b3d45c6f758edcd4bbb135644106577d9c2a3507e61deadbb724ca6fe01c7ac82699731892 |
memory/2708-24-0x00000000001C0000-0x00000000001E3000-memory.dmp
memory/2708-32-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2612-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2612-38-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2612-41-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2612-44-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2612-47-0x0000000000290000-0x00000000002B3000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 873d0674c0111283bed51673f6698760 |
| SHA1 | 9f32b0cdf83a2d852765aa22de5f1664a4288fcf |
| SHA256 | 6ea7f6939aee5a67cccc560437a120f6b8bfb1a6ed39ff2a86b22449899975ca |
| SHA512 | 241cb39f7b29080f0349e9a9cf4df43a326918f0be121202c8995c8b0d1ebc6420c691690311b933d10807784d60cd2e9b981e04cbb090db1c79a28182f00256 |
memory/2612-55-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2920-65-0x0000000000400000-0x0000000000423000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 7a8f7c59bbb9af784ac55885c7dbbcfb |
| SHA1 | 8d79e7d3fe7e048ea44b6cc08a1a7743d6775a3a |
| SHA256 | 9b8f87a04a8de462330493773489db5a0b4274415b9c3875eb9e6d3e7978d242 |
| SHA512 | 349ea00a1731f48c9bccaf0dcfec09aea29a30a52f035f33692dc91d6efffa0d05c725dc07d7dedcbbe1f3b4eb26ba0a7ee00578ee5f9363aa363462ab553e71 |
memory/3052-71-0x0000000000230000-0x0000000000253000-memory.dmp
memory/1152-86-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3060-88-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 05:58
Reported
2024-08-18 06:00
Platform
win10v2004-20240802-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2052 set thread context of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe | C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe |
| PID 3256 set thread context of 1276 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4288 set thread context of 3524 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3624 set thread context of 4820 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe
"C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe"
C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe
C:\Users\Admin\AppData\Local\Temp\5b002622f8369ec9e804b185e9376fc0N.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2052 -ip 2052
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 272
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3256 -ip 3256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 300
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4288 -ip 4288
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 300
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 268
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2052-0-0x0000000000400000-0x0000000000423000-memory.dmp
memory/2384-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2384-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2384-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2384-5-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | aca1022c081ce186ae4b4d4579efd1d2 |
| SHA1 | c58f4d4ce2e1eeaeb24a0e24d945fcefdf97c621 |
| SHA256 | 90a7ae08a40fc047bce158a671b79bc36c12c081c3fbc87e4cf5d844b3ae71a2 |
| SHA512 | 2b2754bfdbea3257647294b4f1bd40c1ea2a14a0113a357ef4d995b3d45c6f758edcd4bbb135644106577d9c2a3507e61deadbb724ca6fe01c7ac82699731892 |
memory/3256-8-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1276-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1276-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2052-17-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3256-19-0x0000000000400000-0x0000000000423000-memory.dmp
memory/1276-20-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1276-23-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1276-26-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1276-27-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1276-31-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | ae66a33cecf1abb3781aa9c4b3453c59 |
| SHA1 | 37f03df8d8688f9aa25922ffd34ee28642227ef4 |
| SHA256 | edb895c723283d58116c4202108d1ec47a41e2549058d261ddef220795aee634 |
| SHA512 | 3c6499bd81344d333ec2b64669b90dc0732413a56cc17965670d1e178a5d239f1faee57b4be71269e2ae0a259aa19afbc080d0b3afdf916493e896ae0bdaa200 |
memory/4288-32-0x0000000000400000-0x0000000000423000-memory.dmp
memory/3524-38-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3524-40-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3524-37-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | bf40239ec8612f010e1b9d8afd8b367f |
| SHA1 | 4c37a049d35a30425e531cf69aacdaa873763b93 |
| SHA256 | beb1d3e34b02e40e618ada2de92dddde6cfef48dd668476d802573666d70e0c1 |
| SHA512 | 31437f2f3685848b6fb40e41bac3ec54ba7029a6877faf85b970ca579ddc390f24c32db14918d3d90a19c371a7737d16263fa85c3f537502dba5671390eeea97 |
memory/3624-44-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4820-50-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4820-49-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4288-52-0x0000000000400000-0x0000000000423000-memory.dmp
memory/4820-54-0x0000000000400000-0x0000000000429000-memory.dmp