Analysis Overview
SHA256
39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0
Threat Level: Known bad
The file 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 12:11
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 12:11
Reported
2024-08-18 12:13
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
"C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 73cf383a4b12cce57cb925cf0aeb13d9 |
| SHA1 | 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf |
| SHA256 | a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33 |
| SHA512 | 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 501b5251cc5759732eb66dbf33328068 |
| SHA1 | e866bee10842ed4d39c6bbab2cfaeb39044624e6 |
| SHA256 | 414851da10e9f8b098f3a6d8b0eb10da978fbd8864eb0d252b01595989756384 |
| SHA512 | 82ef31d69fa64526184b413e0423304d8c095ee0d9e5a823868379ecdd543d0817542e672f3ae7e267116ce2944e3ee89714ddcc30cf951033350354f1de453f |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5f31f8cc2476e2899710a00bc6bfa76c |
| SHA1 | 3adc2f226fc43eb71aa052211b12463593d6f63d |
| SHA256 | a872c8dbb06fe2f1c0ba3ee1f94e7e6e47340539d8a62f7416332c3433f22222 |
| SHA512 | 01f0309fe67bb1ee33134e84ab2b41f15c2364d3747b5a5fdfbbaef039a136022b0f878560308777a8ef1c4c004cc159d202c7ff05cb747ea96bed2e089f8e44 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 12:11
Reported
2024-08-18 12:13
Platform
win7-20240705-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe
"C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 73cf383a4b12cce57cb925cf0aeb13d9 |
| SHA1 | 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf |
| SHA256 | a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33 |
| SHA512 | 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 7c5a620d2a6158c69a1b9ad80579af17 |
| SHA1 | 17e6c78343af5c471db0b64882f57545ffd4b7cf |
| SHA256 | 31cae2da6106a8eb1e7ea565ac60647b7715bbdb669ad096b8a0774e7759442e |
| SHA512 | 4c20c2c2e9a1ad083f46fdd53de645bc48bc5e195df9e926b5e75a5abe464ec306abe4071bdc648355385f855735c69f2ab178fc67c5d5ac08a2c988c0c79d41 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d2e40d53cfc4ba1e53af79357a9e2062 |
| SHA1 | 8a68c9db55ae554d7847c9c9900b2459ddbf049d |
| SHA256 | 6ed71c0acbd23364031d370d817db92df96e19b3e3a47600a6e5fb376214d625 |
| SHA512 | 44713e3e8b45049b141515ef4a037565b39374166895444caf113adf21f5decb955808ec6d75292c02b8a7f19e58ba8a5582ae8a9a00d0f9592fc2df0f14f1c2 |