Analysis Overview
SHA256: 6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180
Threat Level: Known bad
The file 9ef5e0aff3983414d5fc6ee69674a8a0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-18 12:31
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-18 12:31
Reported: 2024-08-18 12:33
Platform: win7-20240704-en
Max time kernel: 115s
Max time network: 122s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe
"C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a2b4a322bc57c590c56a4cd09ed4c4b4 |
| SHA1 | af712caf7817eca258eac0742d8d19786f0d7a04 |
| SHA256 | dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc |
| SHA512 | 5049565bfec82f3aabe027569a23449b13b6aa411e5ff9a8226d3bbd6e352acd0fa7f089c615e5b8df226321578789a749a39979c1570825d2fd87fcf33b2dcd |
\Windows\SysWOW64\omsecor.exe
| MD5 | 2d4005ae8a6f116161a2c1e0bd3b77e9 |
| SHA1 | 6b7879433a22b6cf6b3fa4ad9a5083a92cf38129 |
| SHA256 | d465db466806e9cb1ff1e6879482b29af4741bf514701f35e636a9afe10857aa |
| SHA512 | d32983bc8a17e1c27e054a6f2020b08d8dcdb151130ea271b55ae8c27fb777302238eef2025e2f1f55979758a8cf26166e1bd844cc6544b88c48c5c8763cb993 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6aaac85118419c336e917702517f0ce1 |
| SHA1 | b255835b05a874de37ad191d6c58cf942c652194 |
| SHA256 | 072604ec35625142fc1044a11cf68a0615b0c9b4f3ad19ab66475aa9c1f42f27 |
| SHA512 | 0beef2523d7fa1d74639fc26a10e8873f24b0ed40121702ad7adb6eb6d2dbbf41df329ba8239b61c82901fb01a8e56353e7bb8bba57ac86d1977e5d901f26172 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-18 12:31
Reported: 2024-08-18 12:33
Platform: win10v2004-20240802-en
Max time kernel: 114s
Max time network: 118s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1360 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1360 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1360 wrote to memory of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 5004 wrote to memory of 1384 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 5004 wrote to memory of 1384 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 5004 wrote to memory of 1384 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe
"C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a2b4a322bc57c590c56a4cd09ed4c4b4 |
| SHA1 | af712caf7817eca258eac0742d8d19786f0d7a04 |
| SHA256 | dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc |
| SHA512 | 5049565bfec82f3aabe027569a23449b13b6aa411e5ff9a8226d3bbd6e352acd0fa7f089c615e5b8df226321578789a749a39979c1570825d2fd87fcf33b2dcd |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d3d933d5522db2197e9d43c1ddac126a |
| SHA1 | 3df9f95a01aaab85cb88d21fd03f7d58e300afb1 |
| SHA256 | ca0f34c55405e8366cf93ab54885b02c3dbd9101eaaf9706bc0447aa43d05692 |
| SHA512 | 1af87fa818af16d1a4aeb48e78fd07a7a5875e4a5cca6dc5c1458137ee4015c7538aed3ea6bbf5fa53b077889ec2a9698dc1a91b09f6b272e790df2ec4199318 |