Analysis Overview
SHA256
39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0
Threat Level: Known bad
The file b2efebdd3fa287b4b4af62798c8871d0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 12:05
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 12:05
Reported
2024-08-18 12:07
Platform
win7-20240708-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe
"C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 73cf383a4b12cce57cb925cf0aeb13d9 |
| SHA1 | 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf |
| SHA256 | a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33 |
| SHA512 | 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 03fbbc7c6d20bdf13a61e3fcc29e1433 |
| SHA1 | 773f94446e8f7279f3cb6f8c3426ddf8e009956d |
| SHA256 | e605dcae6229436ef7ddf1371e6f664b788d790e2d38c4039ef9069738afefc0 |
| SHA512 | 8cd6a5aae97129ac32ef6a4e8bd46b4ecb3795f7d3050994ffbd347c81c2751a74bc2ca3096e2caebda6c82a0a6bc5e2e350ee93ebcf2d2307531bf3ad817965 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 246dedbbb989fa8e2fa746d32df0139b |
| SHA1 | dc1cbee75b07171b4f917d400cc691b614c3c687 |
| SHA256 | ba8adef95d9734b766329d07c1f954fb2552eb3fe8e0a6472379b207976855d9 |
| SHA512 | b9082147073496e087b1bcbcf5fc64782826bd955b421dbf4647151ddea7dd5602baa701f433772f378074912e91b81453c519bab55c7d968bfaae9329809b8e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 12:05
Reported
2024-08-18 12:07
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe
"C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 73cf383a4b12cce57cb925cf0aeb13d9 |
| SHA1 | 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf |
| SHA256 | a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33 |
| SHA512 | 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 94d1643d00d0fe05e081ee5cf01ccd0c |
| SHA1 | 2bf0e89fc2f3e5695fd63c33c02411272def6e5a |
| SHA256 | 995bed93b81bae5111170e2891906fa0fee407b0ab31fb3f5320f25320b33185 |
| SHA512 | 7ba429d04031f3219d517ab1f604d26a545f4197a3f8f9394ac11b66aa80fb633e36f4a63ef2e31236ada55168606960a568b9206fc88bee50251b92cb78085c |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 2167fbf1daa0169c53b3896c16eff387 |
| SHA1 | 0004c3dfc100b79d34cf569707a5eb25d5b29c2d |
| SHA256 | ddff2783ce00568a8468f1c236375cea698c1974613b1f895aabbdcba457560b |
| SHA512 | 24d8d52f0137008ae9290827adefa14d45550d3108473e3f9aafb4c453105f66c3b79a151813961d3ea243378b2b6712d57d087564cf3582442e297eb4857ef8 |