Analysis Overview
SHA256
d53e63679f7902887c20b9587c6ac16fbce6f22b4b3d918027644217908fdabe
Threat Level: Known bad
The file 759b81d87e3790c1e1a5eb0e8ca191c0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 09:09
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 09:09
Reported
2024-08-18 09:12
Platform
win7-20240704-en
Max time kernel
114s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe | "C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
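Both behavioral runs record the same host-side pattern: a copy named omsecor.exe is executed from the user's Roaming directory, that copy creates C:\Windows\SysWOW64\omsecor.exe, and each copy opens the NLS\Language key. The SysWOW64 process is listed with a System32 command line because WOW64 file system redirection maps System32 to SysWOW64 for a 32-bit process, so both spellings name the same file. The SHA256 of the first Roaming copy (b964fc...) is identical in both runs, but the SysWOW64 copy differs between win7 (cbbff1...) and win10 (109bfd...) and behavioral2 records a further Roaming copy (4f11dc...), so a hash-only rule for the dropped file is brittle; path and parent relations carry the detection and the hash only confirms it. The block below is an added example, not part of this report or of any Neconyd tooling: it evaluates those rules over constructed Sysmon-style events. The parent chain (sample in %Temp% -> Roaming copy -> SysWOW64 copy) is an assumption inferred from the process order and the "File created" row; the report does not list parent processes explicitly.

```python
from typing import Dict, List, Tuple

DROPPED_NAME = "omsecor.exe"
# A 32-bit process sees System32 redirected to SysWOW64 (WOW64 file system
# redirection), which is why the report shows a SysWOW64 process with a
# System32 command line; both spellings count as the same location here.
SYSTEM_DIRS = {r"c:\windows\syswow64", r"c:\windows\system32"}
# SHA256 values of the dropped copies listed under "Files" for both runs.
KNOWN_SHA256 = {
    "b964fcd6f67c044c652090cf821b8f1fd1cc7956d38f5feccaf62e773d61b68d",
    "cbbff1931e290c5d1f1b731de2a396a7a5c842279d6c59a13fe2f203e1413999",
    "109bfd75427bb5720960d0ea204186b0eb93440da83ca1985cf24ef63322fa2f",
    "4f11dc9bbee10a12cf044922b2062045cf78ddc4a50a9eec8d528474ff227b24",
}


def norm(path: str) -> str:
    """Lower-case, strip quotes and unify separators so paths compare reliably."""
    return path.strip('"').replace("/", "\\").lower()


def split_dir(path: str) -> Tuple[str, str]:
    d, _, name = norm(path).rpartition("\\")
    return d, name


def is_dropped_copy(path: str) -> bool:
    """omsecor.exe under any user's Roaming directory, or under SysWOW64/System32."""
    d, name = split_dir(path)
    return name == DROPPED_NAME and (d.endswith(r"\appdata\roaming") or d in SYSTEM_DIRS)


def score_events(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Evaluate the rules over a list of events; return rule -> triggering event ids."""
    fired: Dict[str, List[str]] = {}

    def hit(rule: str, ev: Dict[str, str]) -> None:
        fired.setdefault(rule, []).append(ev["id"])

    for ev in events:
        if ev["type"] == "process_create":
            if is_dropped_copy(ev["image"]):
                hit("execute_dropped_omsecor", ev)
                # Assumed chain: %Temp% sample -> Roaming copy -> SysWOW64 copy.
                parent = norm(ev["parent"])
                if "\\appdata\\local\\temp\\" in parent or is_dropped_copy(parent):
                    hit("omsecor_parent_chain", ev)
            if ev.get("sha256", "").lower() in KNOWN_SHA256:
                hit("known_dropped_hash", ev)
        elif ev["type"] == "file_create":
            # "Drops file in System32 directory": the Roaming copy writes the system copy.
            tdir, _ = split_dir(ev["target"])
            if is_dropped_copy(ev["target"]) and tdir in SYSTEM_DIRS and is_dropped_copy(ev["image"]):
                hit("roaming_omsecor_writes_system32", ev)
        elif ev["type"] == "registry_open":
            # "System Language Discovery": NLS\Language opened by a dropped copy.
            # ControlSet001 and CurrentControlSet both end the same way.
            if norm(ev["key"]).endswith(r"\control\nls\language") and is_dropped_copy(ev["image"]):
                hit("nls_language_check", ev)
    return fired


# Constructed sample events (not from the report), shaped like Sysmon records.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process_create",
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe",
     "sha256": "b964fcd6f67c044c652090cf821b8f1fd1cc7956d38f5feccaf62e773d61b68d"},
    {"id": "e2", "type": "file_create",
     "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"id": "e3", "type": "process_create",
     "image": r"C:\Windows\System32\omsecor.exe",  # WOW64-redirected spelling
     "parent": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "sha256": "0" * 64},  # a build whose hash is not in the report
    {"id": "e4", "type": "registry_open",
     "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"id": "e5", "type": "process_create",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "parent": r"C:\Windows\explorer.exe", "sha256": ""},
]

if __name__ == "__main__":
    for rule, ids in score_events(SAMPLE_EVENTS).items():
        print(rule, ids)
```

The msedge.exe event (e5) fires nothing: the Edge utility process in behavioral2 is ordinary browser activity on the win10 image, not something these rules should key on. Event e3 still fires on path and parent even though its hash is unknown, which is the point of not relying on the hash alone.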
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
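Added example, not part of this report: the network indicators shared by both behavioral runs (three domains, each contacted on tcp/80) applied to constructed DNS and connection log lines. 8.8.8.8:53 is the sandbox's resolver and is not an indicator; the g.bing.com, tse1.mm.bing.net and in-addr.arpa entries in behavioral2 are consistent with Windows 10 background traffic rather than sample activity and are left out as well. The log line layout is an assumption of the example, not a format the report uses.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Network indicators taken from the behavioral1 and behavioral2 tables.
# 8.8.8.8:53 is the sandbox's resolver, not an indicator, and is left out.
IOC_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
IOC_ENDPOINTS = {
    ("193.166.255.171", 80),
    ("64.225.91.73", 80),
    ("52.34.198.229", 80),
}

# Constructed sample log (not from the report): DNS-style lines carrying
# "qname=" and connection-style lines in a "src -> dst:port" layout.
SAMPLE_LOG = """\
2024-08-18T09:10:01Z dns client=10.0.0.12 qname=lousta.net qtype=A
2024-08-18T09:10:01Z dns client=10.0.0.12 qname=www.lousta.net qtype=A
2024-08-18T09:10:02Z conn 10.0.0.12:49152 -> 193.166.255.171:80 proto=tcp
2024-08-18T09:10:03Z conn 10.0.0.12:49153 -> 193.166.255.171:443 proto=tcp
2024-08-18T09:10:04Z dns client=10.0.0.12 qname=example.com qtype=A
2024-08-18T09:10:05Z conn 10.0.0.12:49154 -> 64.225.91.73:80 proto=tcp
"""

DNS_RE = re.compile(r"qname=(?P<qname>[A-Za-z0-9.-]+)")
CONN_RE = re.compile(r"-> (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def domain_matches(qname: str) -> Optional[str]:
    """Return the IOC domain that qname equals or is a subdomain of, else None."""
    name = qname.rstrip(".").lower()
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def match_network_iocs(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, indicator_type, indicator) for every line that hits.

    Endpoint hits require IP and port, since the report only shows these hosts
    on tcp/80. The same IP on another port is reported as 'ip-only' so the
    analyst can decide whether to widen the match rather than miss it silently.
    """
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = DNS_RE.search(line)
        if m and (ioc := domain_matches(m.group("qname"))):
            hits.append((line_no, "domain", ioc))
            continue
        m = CONN_RE.search(line)
        if m:
            ip, port = m.group("ip"), int(m.group("port"))
            ipaddress.ip_address(ip)  # rejects a malformed address early
            if (ip, port) in IOC_ENDPOINTS:
                hits.append((line_no, "endpoint", f"{ip}:{port}"))
            elif any(ip == known_ip for known_ip, _ in IOC_ENDPOINTS):
                hits.append((line_no, "ip-only", ip))
    return hits


if __name__ == "__main__":
    for hit in match_network_iocs(SAMPLE_LOG):
        print(hit)
```

Subdomain matching is deliberate: a sample that rotates hostnames under the same registered domain would otherwise slip past an exact-string rule, while a suffix check on the registered domain still catches it without matching unrelated names such as notlousta.net.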
Files
memory/2468-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2468-11-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b2eff1323a1ffb0533429e2da8a9642d |
| SHA1 | 9aa55585d58ce023f3e47922f82f8febd775de29 |
| SHA256 | b964fcd6f67c044c652090cf821b8f1fd1cc7956d38f5feccaf62e773d61b68d |
| SHA512 | d5ede1b0aaef977c79e16ec5e7401a241e53471d7ce8d4efb0c6453560e7dadbb766da36d4d546b7657b282804374da9052c869756e94dd01e1f765b6a5b50b7 |
memory/2468-9-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/2468-4-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/2872-13-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 78daca9d26d576398a39d113ec1b58a2 |
| SHA1 | 4c77d30b7037eb3da513f96c549e9c8aff5d7705 |
| SHA256 | cbbff1931e290c5d1f1b731de2a396a7a5c842279d6c59a13fe2f203e1413999 |
| SHA512 | 8fa3c27137ae57e70b203618c303329d0b71edbfce3263dc9844bd29e79c1b0e691d484fe5b4c5a2ff527f055020a407db9e1b9fc7e73d91e8a263a4f1e180ec |
memory/2872-19-0x00000000002A0000-0x00000000002CB000-memory.dmp
memory/2872-25-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2872-24-0x00000000002A0000-0x00000000002CB000-memory.dmp
memory/2972-28-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 09:09
Reported
2024-08-18 09:12
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe | "C:\Users\Admin\AppData\Local\Temp\759b81d87e3790c1e1a5eb0e8ca191c0N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8 |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/3924-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b2eff1323a1ffb0533429e2da8a9642d |
| SHA1 | 9aa55585d58ce023f3e47922f82f8febd775de29 |
| SHA256 | b964fcd6f67c044c652090cf821b8f1fd1cc7956d38f5feccaf62e773d61b68d |
| SHA512 | d5ede1b0aaef977c79e16ec5e7401a241e53471d7ce8d4efb0c6453560e7dadbb766da36d4d546b7657b282804374da9052c869756e94dd01e1f765b6a5b50b7 |
memory/3924-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4720-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4720-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 31c6957d8312e2057c6e0a72c9a47c78 |
| SHA1 | 6d9f529475d2a434f9419c913dd205e4d04cddfd |
| SHA256 | 109bfd75427bb5720960d0ea204186b0eb93440da83ca1985cf24ef63322fa2f |
| SHA512 | e14be9f6355beb4dbcb9f4fa14fa3ed01eb86bcddef115fc7999e1bfc50ce5641313f36b7813ff45888149b2aaa80538461d54481fd8e4c9ac98597f46e4cb76 |
memory/448-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4720-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/448-17-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | cb326e1b4a9fa3d997349b174f99131c |
| SHA1 | 86b522fbeff8c3f761e2370a95d40c7af22903aa |
| SHA256 | 4f11dc9bbee10a12cf044922b2062045cf78ddc4a50a9eec8d528474ff227b24 |
| SHA512 | 2fe9df11f516069b7e49090489d2b4919cb9963d0b1b6bd0132532131cbabe9199ba236746640a168781d2a7f19bee3198e3f43d175b91bb505698def5027b88 |
memory/4524-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4524-20-0x0000000000400000-0x000000000042B000-memory.dmp