Analysis Overview
SHA256: bf8c000f958ecffc7527b9930deea9e84ae43ca31ad5fb8249a948654fe59786
Threat Level: Known bad
The file 5ff42997329bb240d36b3877786d8970N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 11:33
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 11:33
Reported
2024-08-18 11:35
Platform
win7-20240708-en
Max time kernel
92s
Max time network
99s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe
"C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | ac15f7cbb36ce4d213bf65ccd3dd81f9 |
| SHA1 | 9059c966cd5a981203d7b6fac9ae1cf3caff1356 |
| SHA256 | c130fe3c09576a3aa60344ef1149d09def3b0d5102acfc42f7f9e872b577dbf2 |
| SHA512 | d9fab174bab93f3d53bdbc76feb950ac3754dae300620ff6c14f63c6608604988b5e4ccd22746d634e6ce8b546d386872cc0372f6c7b58a02391768337a611b6 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 3289b2c68d22031bd7180f445a9af76b |
| SHA1 | 0d39e30fc149ef3e4720b7d5e069fb130c776343 |
| SHA256 | 72147c06d4d30c0775c86bb91cfb9cff42e4373bae7a58142327a7afe4e8a755 |
| SHA512 | 7f0d52d4b8df63850b3cd8a9f4520c663802a34ac50ae032b285fa59ed287a5bde5f568d7f22da9cb184bd38ee0366c6695396b0066ab5815ab562c5fb35859b |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | d70ab27dff53f6b17cb228dac4f0f6ed |
| SHA1 | 4afcbc9740f4b5252b528c9c9d8d57a62c052852 |
| SHA256 | abee8269862df1ba06b036416abda41995adad590f61c967bed59ef8a63ab305 |
| SHA512 | c3ff8cdc9c9bfbed0acb778111029a2405bc372e62330285d07ac24d1ec951cddfede7f1a6ff91ebf4d80bcfcfb59b900f4f8813342d15f3ba48445e9d96a647 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 11:33
Reported
2024-08-18 11:35
Platform
win10v2004-20240802-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe
"C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | ac15f7cbb36ce4d213bf65ccd3dd81f9 |
| SHA1 | 9059c966cd5a981203d7b6fac9ae1cf3caff1356 |
| SHA256 | c130fe3c09576a3aa60344ef1149d09def3b0d5102acfc42f7f9e872b577dbf2 |
| SHA512 | d9fab174bab93f3d53bdbc76feb950ac3754dae300620ff6c14f63c6608604988b5e4ccd22746d634e6ce8b546d386872cc0372f6c7b58a02391768337a611b6 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 41b80933318ba103baa94933319adecc |
| SHA1 | 9c1a330eb8ba2917a3009ac5f017165de3331cb4 |
| SHA256 | b96a6f8b33bb7778a956814ce13c797a0374523e16405a5b933d5309ac98415f |
| SHA512 | ff928a86bd33cd83e0f01b69487cac10ebc6462079d7c30facb6ff612e6c8e923c2cc206bd18c47d5e676d52cc116a0ebc70f512bec6771ced026af56d74c01c |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 355eade5dafcd0eb244d38458c1ba459 |
| SHA1 | 2c0fd1dabd23c4082dd9a7259b9eb966f30fa2be |
| SHA256 | 9215066b3a6a7c02b0e26ff9b560e644d8640c556a22e8ba3fac8ae6eb03399a |
| SHA512 | eef7763febbf5ba66933dec987b2a2eb4412cf75e76d498a1f5f4f573514ae00fb61300a391faa5f28359f5958092c5388ff50d4a6824835df319589bf66d2dc |