Analysis Overview
SHA256
b06d7cd428c59e8ed614c3bf2475cadb03e6d20299fca47fd545fe5f7993be37
Threat Level: Known bad
The file 2b7b7ff52de860b729fdf80c48091be0N.exe was found to be: Known bad.
In both detonations the sample, an unsigned 32-bit PE matched by the Neconyd signature, drops omsecor.exe into C:\Users\Admin\AppData\Roaming, runs it, and from there copies it to C:\Windows\SysWOW64 and runs that copy as well. Each stage starts a second instance of its own image and drives it with WriteProcessMemory and SetThreadContext, the pattern of process hollowing; the memory dumps show the parent with a 0x24000-byte image at 0x400000 while the child ends up with a 0x29000-byte image at the same base. The dropper launches C:\Windows\System32\omsecor.exe, and because the process is 32-bit, WOW64 file system redirection maps that path to C:\Windows\SysWOW64\omsecor.exe, which is the path every other section reports. The sample then resolves and connects to lousta.net (193.166.255.171, TCP 80), mkkuei4kdsz.com (64.225.91.73, TCP 80) and ow5dirasuek.com (52.34.198.229, TCP 80). On the Windows 10 image each injecting parent (PIDs 3924, 4996, 3544 and 4832) is also handled by WerFault.exe, which is what the Program crash signature records; the msedge.exe process and the bing.com traffic in that run are not attributed to the sample by any signature on this page.
Malicious Activity Summary
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 09:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 09:15
Reported
2024-08-18 09:17
Platform
win7-20240705-en
Max time kernel
114s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2040 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe |
| PID 2348 set thread context of 2992 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 796 set thread context of 1880 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1292 set thread context of 1940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
The sandbox scores this technique on the open of HKLM\SYSTEM\ControlSet001\Control\NLS\Language shown below; ordinary locale-aware Windows code reads the same key, so on its own this signature carries little weight and is listed here as supporting context.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe
"C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe"
C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe
C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2040-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2632-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2632-10-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2632-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2040-6-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2632-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2632-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2348-20-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d59a13ea72f897a24726076db30846c7 |
| SHA1 | 0a022af01e295d08a70ecdf5d5b750d3ebddcc83 |
| SHA256 | 34d79aa25375ad114221a9943231552ac55b3efd3227dede0ca13e866762d264 |
| SHA512 | ac058deeff0f3cf0ad8bffdc5ef0e186697c1d86730edec624f11dba8429a084b19f46209e63e9e24f762bd8b6cd178fd95e264b02d65efb85113513f1339977 |
memory/2348-23-0x0000000000230000-0x0000000000254000-memory.dmp
memory/2348-30-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2992-33-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2992-36-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2992-39-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2992-42-0x0000000000400000-0x0000000000429000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | a7dac709ac7abdc75edadf9591d5a6ec |
| SHA1 | c670ce6e146b68505ed77bbf1c00328b54a79b07 |
| SHA256 | b153feefb6c7c36d45a5090d8ac3e61f05ca08b8df123bff1271a0a83e5c4eba |
| SHA512 | 7b0ed57f51efca9ba968beab877e455b061aa08fe8d035c061b03a9cf27593f0c20d9666081dabf57d885614eec1a4bc94e0979af801e8ad1f8d6a697eff97aa |
memory/796-56-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2992-54-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2992-52-0x0000000000290000-0x00000000002B4000-memory.dmp
memory/2992-51-0x0000000000290000-0x00000000002B4000-memory.dmp
memory/796-65-0x0000000000400000-0x0000000000424000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 38a2f8360d54708fa2685e1bce9232c1 |
| SHA1 | 0a5b2ef92873883c607a3a3a4fb2355e2b3a44f7 |
| SHA256 | e220dc1d4c880a7575f23101fbf9693b8142f87f8e6e78ca7724cec401e6248a |
| SHA512 | 602d92f6863586f44d6ebbfd41cafb1318ec5f78ff21426d91f240068b415230fee1ad9498a0058c3e054661975a954da65e4aaa8decbfdef219cd48280c605b |
memory/1292-78-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1880-76-0x00000000003B0000-0x00000000003D4000-memory.dmp
memory/1292-85-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1880-87-0x00000000003B0000-0x00000000003D4000-memory.dmp
memory/1940-88-0x0000000000400000-0x0000000000429000-memory.dmp
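An added example, not part of the sandbox report, of how an analyst can turn the SetThreadContext table and the memory-dump lines of this run into a process-hollowing finding: it parses the rows embedded below (copied from the tables above), flags each event where injector and target share an image path, checks whether the region at the image base changed size between the two PIDs, and prints the stage chain. The image base 0x400000 and the row layout are assumptions about this report format, not something the page states.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of SetThreadContext" table of the behavioral1
# run above, embedded here so the example runs offline.
SET_THREAD_CONTEXT_ROWS = r"""
| PID 2040 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe |
| PID 2348 set thread context of 2992 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 796 set thread context of 1880 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1292 set thread context of 1940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
"""

# A subset of the memory-dump lines from the behavioral1 Files section: one region
# per PID at the image base where the report lists one (PID 1880 has none).
MEMORY_LINES = """
memory/2040-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2632-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2348-20-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2992-33-0x0000000000400000-0x0000000000429000-memory.dmp
memory/796-56-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1880-76-0x00000000003B0000-0x00000000003D4000-memory.dmp
memory/1292-78-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1940-88-0x0000000000400000-0x0000000000429000-memory.dmp
"""

ROW_RE = re.compile(
    r"^\|\s*PID (?P<src>\d+) set thread context of (?P<dst>\d+)\s*\|[^|]*\|"
    r"\s*(?P<src_img>[^|]+?)\s*\|\s*(?P<dst_img>[^|]+?)\s*\|$"
)
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
IMAGE_BASE = 0x400000  # assumption: default base of a non-relocated 32-bit PE


def parse_events(rows):
    """SetThreadContext rows -> list of {src, dst, src_img, dst_img}."""
    events = []
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append({"src": int(m["src"]), "dst": int(m["dst"]),
                           "src_img": m["src_img"], "dst_img": m["dst_img"]})
    return events


def parse_regions(lines):
    """memory/<pid>-... lines -> {pid: {region_start: region_size}}."""
    regions = defaultdict(dict)
    for line in lines.strip().splitlines():
        m = MEM_RE.match(line.strip())
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions[int(m["pid"])][start] = end - start
    return regions


def classify(events, regions):
    """Flag each event as self-injection (same image in both processes) and, where
    both PIDs have a region at IMAGE_BASE, whether the target's image size differs
    from the injector's, which is what a hollowed copy of the same binary looks like."""
    findings = []
    for ev in events:
        src_size = regions.get(ev["src"], {}).get(IMAGE_BASE)
        dst_size = regions.get(ev["dst"], {}).get(IMAGE_BASE)
        findings.append({
            **ev,
            "self_injection": ev["src_img"].lower() == ev["dst_img"].lower(),
            # None means the report has no image-base region for one side
            "image_replaced": None if None in (src_size, dst_size) else src_size != dst_size,
        })
    return findings


def injection_chain(events):
    """Distinct injector images in report order: one entry per stage."""
    chain = []
    for ev in events:
        if not chain or chain[-1].lower() != ev["src_img"].lower():
            chain.append(ev["src_img"])
    return chain


if __name__ == "__main__":
    evs = parse_events(SET_THREAD_CONTEXT_ROWS)
    for f in classify(evs, parse_regions(MEMORY_LINES)):
        print(f"{f['src']} -> {f['dst']}: self_injection={f['self_injection']} "
              f"image_replaced={f['image_replaced']} ({f['src_img']})")
    print("chain:", " -> ".join(injection_chain(evs)))
```

For the third event the report lists no image-base region for PID 1880, so the size check reports no data rather than guessing; the self-injection flag still fires on the matching image paths.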
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 09:15
Reported
2024-08-18 09:17
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3924 set thread context of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe |
| PID 4996 set thread context of 396 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3544 set thread context of 2916 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4832 set thread context of 3540 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
The four WerFault.exe invocations in the process list below (-p 3924, -p 4996, -p 3544 and -p 4832) report on exactly the four injecting PIDs from the SetThreadContext table, so the crashes belong to the injecting parents, not to the hollowed copies.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe
"C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe"
C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe
C:\Users\Admin\AppData\Local\Temp\2b7b7ff52de860b729fdf80c48091be0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3924 -ip 3924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 288
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4996 -ip 4996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 288
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4412,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3544 -ip 3544
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4832 -ip 4832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 260
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
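An added example, not from the report, showing how to reduce the network table above to usable indicators: reverse lookups and the resolver destination are dropped, the bing.com hosts are treated as the sandbox platform's own background traffic (an assumption for this example; a clean baseline detonation of the same image is the real source for that list), and each remaining domain is emitted with its resolved endpoints plus a Suricata DNS rule. The sid range is invented.

```python
from collections import defaultdict

# A subset of the behavioral2 Network table above, embedded so the example runs offline.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
"""

# Assumption for this example: these hosts are the Windows 10 / Edge background traffic
# of the sandbox image, not sample activity. Derive the real list from a clean
# detonation of the same platform image rather than by hand.
PLATFORM_BASELINE = {"g.bing.com", "tse1.mm.bing.net"}
RESOLVER = "8.8.8.8:53"  # the sandbox's DNS resolver: a lookup destination, never an IOC


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def triage(rows):
    """Split the table into C2 candidates (domain -> resolved endpoints and connection
    count) and the rows dropped as noise, keyed by reason."""
    candidates, dropped = {}, defaultdict(list)
    for r in rows:
        d = r["domain"].lower()
        if d.endswith(".in-addr.arpa"):
            dropped["reverse_lookup"].append(d)      # PTR noise from the platform
            continue
        if d in PLATFORM_BASELINE:
            dropped["platform_baseline"].append(d)
            continue
        entry = candidates.setdefault(d, {"resolved": set(), "connections": 0})
        if r["dest"] == RESOLVER and r["proto"] == "udp":
            continue                                  # the lookup itself: keep the domain only
        entry["resolved"].add(r["dest"])
        entry["connections"] += 1
    return {"c2_candidates": candidates, "dropped": dropped}


def suricata_rules(triaged, sid_base=9000001):
    """One DNS-query rule per candidate domain (Suricata 5+ dns.query sticky buffer).
    The sid range is an assumption; use one reserved for local rules."""
    rules = []
    for i, domain in enumerate(sorted(triaged["c2_candidates"])):
        rules.append(
            f'alert dns any any -> any any (msg:"Neconyd DNS query {domain}"; '
            f'dns.query; content:"{domain}"; nocase; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    t = triage(parse_rows(NETWORK_ROWS))
    for domain, info in t["c2_candidates"].items():
        print(domain, sorted(info["resolved"]), info["connections"])
    print("\n".join(suricata_rules(t)))
```

A domain that is only looked up and never connected to still appears as a candidate with an empty resolved set, which is deliberate: the lookup alone is worth a DNS rule.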
Files
memory/3924-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4200-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4200-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4200-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4200-5-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d59a13ea72f897a24726076db30846c7 |
| SHA1 | 0a022af01e295d08a70ecdf5d5b750d3ebddcc83 |
| SHA256 | 34d79aa25375ad114221a9943231552ac55b3efd3227dede0ca13e866762d264 |
| SHA512 | ac058deeff0f3cf0ad8bffdc5ef0e186697c1d86730edec624f11dba8429a084b19f46209e63e9e24f762bd8b6cd178fd95e264b02d65efb85113513f1339977 |
memory/4996-11-0x0000000000400000-0x0000000000424000-memory.dmp
memory/396-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/396-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3924-16-0x0000000000400000-0x0000000000424000-memory.dmp
memory/396-17-0x0000000000400000-0x0000000000429000-memory.dmp
memory/396-20-0x0000000000400000-0x0000000000429000-memory.dmp
memory/396-23-0x0000000000400000-0x0000000000429000-memory.dmp
memory/396-24-0x0000000000400000-0x0000000000429000-memory.dmp
memory/396-27-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 7718d9ae4022885dcc17c3f4e44ae070 |
| SHA1 | fc893f74a43a5985ddb4aa6885bdfe874da09509 |
| SHA256 | f68ab85daa6c301e4cf65fba57e2e33a06523458d6cb91eee47bebecd7465a93 |
| SHA512 | c181df9d8d5d12df5889312fd8f3f16764a7fc530d7bfafb6381dd53d7d5129c3913b6a5382ec21f42a3ef318f02751dc438bb69e64f19e977267deaf370d574 |
memory/3544-29-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2916-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2916-37-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2916-34-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 17bf352316d57166426e6c46a8299147 |
| SHA1 | d46d352c2ddebe177e03c4ae2ad447d85b55eaa8 |
| SHA256 | d22c3f2e6e9893e9d56aaca4dbcbd688c2a6f170e9b7df60e73bde7fed4b7451 |
| SHA512 | 1798d1df63727725de6937c5e82f410812d8ebaa08866c66571693aa0839fe11662debaf7f19b109f6c31d2d5aeb0d00825e9b36abce0269ce9419e645dbd035 |
memory/4832-41-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3540-47-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3540-46-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3544-48-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3540-49-0x0000000000400000-0x0000000000429000-memory.dmp
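The Files sections of the two runs show that the first Roaming omsecor.exe drop has the same SHA256 in both (the hash starting 34d79aa2), while the SysWOW64 copy and the later Roaming copy hash differently in each run. As an added example, not part of the report, the following script compares the dropped-file hashes across runs and reports which ones are stable enough to use as file indicators; the path normalization (drive letter and case dropped, so the report's drive-less paths line up) is the example's own choice.

```python
from collections import defaultdict
import ntpath

# Dropped-file entries from the Files sections of both runs above (path, SHA256),
# embedded so the example runs offline. Two of the report's paths lack a drive letter.
RUN_FILES = {
    "behavioral1 (win7-20240705-en)": [
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "34d79aa25375ad114221a9943231552ac55b3efd3227dede0ca13e866762d264"),
        (r"\Windows\SysWOW64\omsecor.exe",
         "b153feefb6c7c36d45a5090d8ac3e61f05ca08b8df123bff1271a0a83e5c4eba"),
        (r"\Users\Admin\AppData\Roaming\omsecor.exe",
         "e220dc1d4c880a7575f23101fbf9693b8142f87f8e6e78ca7724cec401e6248a"),
    ],
    "behavioral2 (win10v2004-20240802-en)": [
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "34d79aa25375ad114221a9943231552ac55b3efd3227dede0ca13e866762d264"),
        (r"C:\Windows\SysWOW64\omsecor.exe",
         "f68ab85daa6c301e4cf65fba57e2e33a06523458d6cb91eee47bebecd7465a93"),
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "d22c3f2e6e9893e9d56aaca4dbcbd688c2a6f170e9b7df60e73bde7fed4b7451"),
    ],
}


def normalize_path(path):
    """Drop the drive letter and case so 'C:\\Windows\\...' and '\\Windows\\...' collide."""
    _, rest = ntpath.splitdrive(path)
    return rest.lower()


def hashes_by_path(run_files):
    """{normalized path: {run name: {sha256, ...}}}"""
    table = defaultdict(lambda: defaultdict(set))
    for run, entries in run_files.items():
        for path, sha256 in entries:
            table[normalize_path(path)][run].add(sha256.lower())
    return table


def stability_report(run_files):
    """For each dropped path: hashes seen in every run (usable as file IOCs), hashes
    seen in only some runs (per-run variants, so match on path and behaviour instead),
    and the runs in which the path did not appear at all."""
    runs = set(run_files)
    report = {}
    for path, per_run in hashes_by_path(run_files).items():
        present_in_all = runs <= set(per_run)
        stable = set.intersection(*(per_run[r] for r in runs)) if present_in_all else set()
        all_hashes = set.union(*per_run.values())
        report[path] = {
            "stable": stable,
            "varying": all_hashes - stable,
            "missing_in": sorted(runs - set(per_run)),
        }
    return report


if __name__ == "__main__":
    for path, r in stability_report(RUN_FILES).items():
        print(path, "stable:", sorted(r["stable"]), "varying:", len(r["varying"]),
              "missing_in:", r["missing_in"])
```

On this report the result is that only the first Roaming drop yields a hash worth publishing; the SysWOW64 copy has no hash in common between the two runs, so a hunt for it should key on the path C:\Windows\SysWOW64\omsecor.exe and on the self-injection behaviour rather than on a file hash.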