Analysis Overview
SHA256
97b5ab3137ee3b3bf7b8c840ec89487951e4ebb86454a7aabd0605f301e322d1
Threat Level: Known bad
The file 75e4864ae7901aef12051eef9c215110N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 14:57
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 14:57
Reported
2024-08-18 14:59
Platform
win7-20240708-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe
"C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2640-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | dace5c7936c67d52267a2da8a90fb18d |
| SHA1 | c36e1ae6a38169bdbf8f34f9500cfd2ea45cf1cd |
| SHA256 | 84313a73921ea31fd0f27f322a60e7c961a776a62c8e241a4c7b697655e3e801 |
| SHA512 | 1ce8b02454cde8dfc4abd6fe3a52367a60f6abee5cb2e6be8ece818c28a0529a83620a9209b2f415571ec75ce248be0d081555aee3b43b6579fb32f5a4523f55 |
memory/1868-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2640-9-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1868-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1868-17-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1868-20-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1868-23-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1868-26-0x0000000000370000-0x000000000039D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | b83a477276a2f3ef244838c4a0df25f9 |
| SHA1 | a331eecc78300bd678b9fbaa72b38d851fb7cd2a |
| SHA256 | 7e4f4d30c979bfeca3c2713f38ea6c88fb0e7e06d68e54f939932b06faea5cea |
| SHA512 | 864b909f875c4ec68ebb270f165dd9f084486ef10f00945aff037c495862da9ed5fe872191f3b55079232d4db6d6f9a139022e7c5829ad73297dbf155cb9ea09 |
memory/1868-33-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1868-35-0x0000000000370000-0x000000000039D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 37aef8f01a21c76d9e1c8e94301546e1 |
| SHA1 | 3bc87649523b566db45c70204af96c74835f5cba |
| SHA256 | 786391c7554efc02ee5bbed85bea14f6169fa649c6caa00e1457fae4ca010e95 |
| SHA512 | 462b9c89f45e97cda7c19b329084f663740a3d8a2afd3cacf2424eaba986accc9a560ea5b5f0c1bbac1cbacbc04de5faaed3a923cb871dd8cb021a0306f73660 |
memory/2616-40-0x0000000000250000-0x000000000027D000-memory.dmp
memory/2616-46-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2940-49-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 14:57
Reported
2024-08-18 14:59
Platform
win10v2004-20240802-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4968 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4968 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4968 wrote to memory of 552 | N/A | C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 552 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 552 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 552 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe
"C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/4968-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | dace5c7936c67d52267a2da8a90fb18d |
| SHA1 | c36e1ae6a38169bdbf8f34f9500cfd2ea45cf1cd |
| SHA256 | 84313a73921ea31fd0f27f322a60e7c961a776a62c8e241a4c7b697655e3e801 |
| SHA512 | 1ce8b02454cde8dfc4abd6fe3a52367a60f6abee5cb2e6be8ece818c28a0529a83620a9209b2f415571ec75ce248be0d081555aee3b43b6579fb32f5a4523f55 |
memory/552-4-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4968-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/552-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/552-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/552-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/552-15-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 0fe651b60d38d1566ae73fbb92b92445 |
| SHA1 | 6d3ce9d39860d54acbbe5c00c18ed08796300a37 |
| SHA256 | 3b94a00e5393036f324fcfb62eb5c3f2820169ff8b376960bec52a06677e1106 |
| SHA512 | fb92f1cbe77e5b90b2b839f0d4a69bacf525d02373825f7016cc51a02893e0e5e88e44a1914762cccb3e7e2f447a880fd3b4e784c740521000a3443829722b7d |
memory/4456-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/552-20-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4456-22-0x0000000000400000-0x000000000042D000-memory.dmp