Analysis Overview
SHA256
103f4cfa3888101d4645b6e1ea0ca647668598f58be628a797e1406d76359dd6
Threat Level: Known bad
The file d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 09:46
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 09:46
Reported
2024-08-18 09:48
Platform
win7-20240704-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe
"C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 1db297ad35dd61a0931fa4015fec1264 |
| SHA1 | 2396d371da5776ab6823df870fb87c6bbfb08961 |
| SHA256 | a5d249d01913b3ad6541f11c0a5f83d1ed3e9b856f2f2acd1ec0d8938ea3df49 |
| SHA512 | 4358ab2934ba720f835bfd99049c5ac915eda6b8c08209a8930a27388147d263fbe0b802377af06e49d12522dd5b1927a57500cda6ab800fc7bb660488fe2af6 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 09bfb36775d4ccadb48274e78f5d1696 |
| SHA1 | 8dc86dddb9da47de4e3bf9afaa1bcb791da2ae87 |
| SHA256 | d5667f4f3c3a2b07c926a4d35aee8a07598589d09368a6245e60a235a698bf00 |
| SHA512 | cc299178598276ae37eaf2f4f966407cec9a11680dc7bd79b5efbbbec196d5aa32a89096a9dce5fb189b0e7be9d5ddb8e6bcc75aa9a99794e1990b9221a1d7d9 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | e4723eda011bc544178aea66af7c90fa |
| SHA1 | 6936f353050f60ff313ecc554d1ce39fe211b70e |
| SHA256 | 2cd0424869e50d2cd51ec291286e825fe5deb2f6654b57e94d0755224f0844bc |
| SHA512 | 80cc0892ea7268f8d0f8738732a35042645a138ba003e167e47bf33bb167c91b9eca8aba41e161a22e6b778c12a467970f381debc09fd52334dcf0cccd7919bc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 09:46
Reported
2024-08-18 09:48
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4664 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4664 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4664 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3028 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3028 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3028 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe
"C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 1db297ad35dd61a0931fa4015fec1264 |
| SHA1 | 2396d371da5776ab6823df870fb87c6bbfb08961 |
| SHA256 | a5d249d01913b3ad6541f11c0a5f83d1ed3e9b856f2f2acd1ec0d8938ea3df49 |
| SHA512 | 4358ab2934ba720f835bfd99049c5ac915eda6b8c08209a8930a27388147d263fbe0b802377af06e49d12522dd5b1927a57500cda6ab800fc7bb660488fe2af6 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | f9a0a2a5ac809a3fb667abbafbcbbb08 |
| SHA1 | 0ce9c4b64a2a758a32c9a3be737aaeb95cb27c6a |
| SHA256 | e5ddf9f957a43443bc0ac388ed97baa09cbdd6a27b6828f0bc667e1ef2e0e819 |
| SHA512 | 6a866668336d62417eb8b174c1d9014d7338508676c968b7f760d113ac91e43e1c2ce91a21eb7d7d9f8558e76a2591b963c3e22185753b7dac88935568a76bc0 |