Analysis Overview
SHA256
3cd00bd31b753d832e83b5c7d1f7fca948706dd01144621a4a019322910e47c5
Threat Level: Known bad
The file 2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 13:53
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 13:53
Reported
2024-08-18 13:55
Platform
win7-20240729-en
Max time kernel
114s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
"C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2180-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 01507f9c34d2bcb425195c22b6709616 |
| SHA1 | 79e5a722456fb50da995b42d6a7a92f681b8bbe1 |
| SHA256 | be50fac53ce2a545c5eab79e842b66b84b6eb38b642aa73e25c263241a294370 |
| SHA512 | 9dd74aa2b561249219c9c9f84f9aaef233ee847d718dc97174fc5ff9ad5012cf2c061750a489670bb30de38706803e0f3fdcdb2bedcb98ec5d588b6101498cdd |
memory/2180-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2180-9-0x0000000000230000-0x000000000026E000-memory.dmp
memory/2180-5-0x0000000000230000-0x000000000026E000-memory.dmp
memory/2540-13-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | b3c5a5ec068b86768c5e7e6065e84067 |
| SHA1 | 78b6058021333064e9f5779644e634c716f160a5 |
| SHA256 | 8e799452a393cb492a1f595f6b6f6e21141a059db9a437a574726c6a6917eb5d |
| SHA512 | 4526cee620ebb52c5e32bdf32711a0d1d59b644e730f9c81f8ca85e4a82e6e1ca38f036a62955c2b4bc07729e540ca7cdc568866661077a80b1bfe9ecb39bd23 |
memory/2540-18-0x0000000000280000-0x00000000002BE000-memory.dmp
memory/2540-26-0x0000000000280000-0x00000000002BE000-memory.dmp
memory/2540-24-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | fd414f9bfa30ff075d420b951e769aa9 |
| SHA1 | 61e3f7ebfac06b51ccdb7293ee73a64591375199 |
| SHA256 | 9e2ad5ee5014a34333a60d28ca69ab3ec78e89499e6a39494542c65adaa91934 |
| SHA512 | 20fddf2effc6a9b37a77b8185aed94989e3869f21260165aaa027f694b126047704cf06db1738f6eeb8485f3f0b5a46ed8a93c01d25575c77e16bc32652a333e |
memory/2652-30-0x0000000000220000-0x000000000025E000-memory.dmp
memory/2652-36-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2532-39-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 13:53
Reported
2024-08-18 13:55
Platform
win10v2004-20240802-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
"C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2496-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 01507f9c34d2bcb425195c22b6709616 |
| SHA1 | 79e5a722456fb50da995b42d6a7a92f681b8bbe1 |
| SHA256 | be50fac53ce2a545c5eab79e842b66b84b6eb38b642aa73e25c263241a294370 |
| SHA512 | 9dd74aa2b561249219c9c9f84f9aaef233ee847d718dc97174fc5ff9ad5012cf2c061750a489670bb30de38706803e0f3fdcdb2bedcb98ec5d588b6101498cdd |
memory/920-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2496-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/920-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | fa176ce4775526ff072b0d42e28d251a |
| SHA1 | 83a87b5410bb5697fcde50ccc51ff8e1d800043c |
| SHA256 | 52c36340b588501df7a855304449ab419c1f7d3699f9016b34f651af400aa7b4 |
| SHA512 | 4700fd6387f637c30ce55b4d161dcc4d8987124dbb81d9cac367fbd7c8fa371b1e6bd0511b70c9e00e414331f492fbf61aba7d188379f765dfc5e3aa7e995425 |
memory/920-13-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b2e7b6dcb7493029d9b123ad28b40655 |
| SHA1 | 9cde0e8ee0146722c65b34f2f66f60a0d970f7da |
| SHA256 | 4e738f7cf5146f85537f99cfd5a2bbbe5b12502b8e1c71fc5a6a3eb6d5fedf1f |
| SHA512 | e708e20e53b7fe120a44e23dca3ff712e410641c72bf8ab1c9e87e200737f4925f4c2d27ee575e9523ae23f32d53463ca3ba5c1ba375fae6686058b6ff040ac5 |
memory/3936-18-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4812-19-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4812-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3936-20-0x0000000000400000-0x000000000043E000-memory.dmp