Analysis Overview
SHA256
0b617e1490512f32019e189fab1218f24ff7a80f966a7b74e2cb5c947bb62cec
Threat Level: Known bad
The file 08f7af31a6ca42eded90eab08318e890N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 21:26
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 21:26
Reported
2024-08-18 21:28
Platform
win7-20240704-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe | "C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2192-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2ce6b264eec58ad040f9e544298cf1d3 |
| SHA1 | b245acfc3858242b4a0f27a0da969cb77d42b1ec |
| SHA256 | 10f50d48c9656c6a13fec386f82fd69f2e316275d0119a2af381ade08bf34082 |
| SHA512 | eb1b94fe24d834c323bebd9723e0e2884cb1d72ca8744d433b355f1eccce2144c5dd84897f99932ea6427dd14d08607c5cc4110aa7bf3f12b9806eca89b10a52 |
memory/2956-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2192-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2192-4-0x0000000000220000-0x000000000025E000-memory.dmp
memory/2956-13-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | de151d2fb3a5b32472bd9ddc784dd5a1 |
| SHA1 | bed906fdf3c900b9600eedf5d4d15680f12ad86e |
| SHA256 | d966b851b5eead6b75482cf02460d71c79e5f5d6e6046e01e4028179a8af0814 |
| SHA512 | 62c67fda8250d001dea5d6b08d6170048f87681faf926518e7ecee352c3a7b1bda9288f9f3d1a07b88283f2d427d928df9f6f97b48ae984f3657245f66afa7c9 |
memory/2956-19-0x00000000002A0000-0x00000000002DE000-memory.dmp
memory/2956-24-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8da42f22b567b9dfc42ffbe527ad0cea |
| SHA1 | cfa6a70ac55f14ba710fbaab7fb1b5801dba259f |
| SHA256 | 2e6c3c59066818c82bed1d5f0bfd7e65c6fe34be9a4858c558e8e9ffc38d294a |
| SHA512 | d446db2a8a085092be3be501c8a6abd37b3ee13c2ddd9cfbe19895d554d3d15df7391e14ae2c967dc14d87709e75105135c21bf84cd930f3cfb731913eb701ee |
memory/2776-34-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1444-36-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2776-38-0x00000000001B0000-0x00000000001EE000-memory.dmp
memory/1444-39-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 21:26
Reported
2024-08-18 21:28
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2548 wrote to memory of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2548 wrote to memory of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2548 wrote to memory of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3232 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3232 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3232 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
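The signature rows above already carry the whole infection chain: a binary in the user profile writes a same-named copy into SysWOW64, each stage writes into the memory of the stage it just launched, and every stage reads the NLS\Language key. The following script is an added example, not part of the report or of any Triage tooling: it parses rows in the Description | Indicator | Process | Target shape used on this page (the sample rows are copied from the behavioral2 tables, nothing is constructed), rebuilds the PID write chain, and flags the drop-into-system-directory plus inject pattern. One caveat a detection should handle: the process list shows the third stage as C:\Windows\SysWOW64\omsecor.exe while its command line says C:\Windows\System32\omsecor.exe, which is WOW64 file-system redirection of a 32-bit process, so the helper folds both paths onto one name before comparing.

```python
"""Parse Triage-style signature rows and derive the self-copy-and-inject chain.
Added example; rows below are copied verbatim from the behavioral2 tables."""
import re

REPORT_ROWS = r"""
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| PID 2548 wrote to memory of 3232 | N/A | C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3232 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
"""

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
NLS_KEY = r"\registry\machine\system\controlset001\control\nls\language"


def norm(path):
    # Lower-case and fold WOW64 redirection: a 32-bit process that names
    # C:\Windows\System32 is really touching C:\Windows\SysWOW64.
    return path.lower().replace("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_system_dir(p):
    return norm(p).startswith("c:\\windows\\syswow64\\")


def in_user_dir(p):
    return norm(p).startswith("c:\\users\\")


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group(1) != "Description":
            desc, ind, proc, tgt = m.groups()
            rows.append({"description": desc, "indicator": ind, "process": proc, "target": tgt})
    return rows


def find_system_drops(rows):
    # A process running from a user profile creating a file under SysWOW64/System32.
    return [(r["process"], r["indicator"]) for r in rows
            if r["description"] == "File created"
            and in_user_dir(r["process"]) and in_system_dir(r["indicator"])]


def find_language_probes(rows):
    # NLS\Language reads are a weak signal alone; here every stage of the chain does it.
    return sorted({r["process"] for r in rows
                   if r["description"] == "Key opened" and r["indicator"].lower() == NLS_KEY})


def injection_chains(rows):
    # Follow "PID a wrote to memory of b" edges from each root writer to the final target.
    edges, images = {}, {}
    for r in rows:
        m = WRITE_RE.match(r["description"])
        if not m:
            continue
        src, tgt = int(m.group(1)), int(m.group(2))
        images[src], images[tgt] = r["process"], r["target"]
        edges.setdefault(src, set()).add(tgt)
    targets = {t for ts in edges.values() for t in ts}
    chains = []
    for root in sorted(p for p in edges if p not in targets):
        chain, pid, seen = [], root, set()
        while pid is not None and pid not in seen:
            seen.add(pid)
            chain.append((pid, images[pid]))
            nxt = edges.get(pid)
            pid = min(nxt) if nxt else None  # linear chain: follow the single successor
        chains.append(chain)
    return chains


def assess(rows):
    drops = find_system_drops(rows)
    chains = injection_chains(rows)
    # The report's pattern: a drop into a system directory plus a write chain that
    # ends in a process running from that system directory.
    ends_in_system = any(c and in_system_dir(c[-1][1]) for c in chains)
    return {"system_drops": drops, "injection_chains": chains,
            "language_probes": find_language_probes(rows),
            "self_copy_and_inject": bool(drops) and ends_in_system}


if __name__ == "__main__":
    for key, value in assess(parse_rows(REPORT_ROWS)).items():
        print(key, value)
```

Run it and the chain comes out as 2548 (original sample) to 3232 (%APPDATA% copy) to 2956 (SysWOW64 copy), which is the order a responder needs when deciding which of the three same-named binaries is the one that will survive a reboot.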
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe | "C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
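The Network table above mixes the sample's own beacons with sandbox background traffic. The script below is an added example, not part of the report: it reduces rows in the Country | Destination | Domain | Proto shape to a hunting IOC set and runs that set over log lines. The rows are copied from this page; the log lines and their key=value format are constructed for the example. Two exclusions are analyst assumptions rather than statements from the report: the in-addr.arpa entries are reverse lookups the OS makes for its own connections, and tse1.mm.bing.net is Windows 10 background traffic, so neither is treated as an indicator; the resolver at 8.8.8.8:53 is likewise the sandbox's DNS server, not an attacker endpoint.

```python
"""Turn sandbox Network rows into a C2 IOC set and hunt for it in log lines.
Added example; NETWORK_ROWS is copied from the report, LOG_LINES is constructed."""
import re

NETWORK_ROWS = """
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
"""

# Analyst assumptions, not report findings: OS reverse lookups and Windows 10
# Bing traffic are sandbox noise; 8.8.8.8:53 is the sandbox resolver.
NOISE_DOMAINS = {"tse1.mm.bing.net"}
NOISE_SUFFIXES = (".in-addr.arpa",)
RESOLVER = "8.8.8.8:53"

ROW_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+:\d+)\s*\|\s*(\S+)\s*\|\s*(\w+)\s*\|$")


def extract_iocs(text):
    """Return {'domains': [...], 'endpoints': [...]} with noise and the resolver removed."""
    domains, endpoints = set(), set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _country, dst, domain, _proto = m.groups()
        d = domain.lower()
        if d in NOISE_DOMAINS or d.endswith(NOISE_SUFFIXES):
            continue
        domains.add(d)
        if dst != RESOLVER:
            endpoints.add(dst)
    return {"domains": sorted(domains), "endpoints": sorted(endpoints)}


# Constructed DNS/proxy log lines in a simple key=value format (not real telemetry).
LOG_LINES = """
2024-08-19T08:01:12Z host=WS042 type=dns query=lousta.net rcode=NOERROR
2024-08-19T08:01:13Z host=WS042 type=conn dst=193.166.255.171:80 proto=tcp
2024-08-19T08:02:00Z host=WS017 type=dns query=www.example.com rcode=NOERROR
2024-08-19T08:02:05Z host=WS017 type=conn dst=93.184.216.34:443 proto=tcp
2024-08-19T08:03:40Z host=WS088 type=dns query=MKKUEI4KDSZ.COM rcode=NXDOMAIN
2024-08-19T08:04:02Z host=WS042 type=conn dst=52.34.198.229:80 proto=tcp
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def hunt(log_text, iocs):
    """Return (host, matched_ioc, line) for every line touching a C2 indicator.
    A DNS query for a C2 domain counts even when it returned NXDOMAIN: the lookup
    itself shows the implant ran."""
    domains, endpoints = set(iocs["domains"]), set(iocs["endpoints"])
    hits = []
    for line in log_text.strip().splitlines():
        f = dict(FIELD_RE.findall(line))
        ioc = None
        if f.get("type") == "dns" and f.get("query", "").lower().rstrip(".") in domains:
            ioc = f["query"].lower()
        elif f.get("type") == "conn" and f.get("dst") in endpoints:
            ioc = f["dst"]
        if ioc:
            hits.append((f["host"], ioc, line))
    return hits


def hosts_to_isolate(log_text, iocs):
    return sorted({host for host, _, _ in hunt(log_text, iocs)})


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    print(iocs)
    for hit in hunt(LOG_LINES, iocs):
        print(hit)
    print("isolate:", hosts_to_isolate(LOG_LINES, iocs))
```

Domains are matched case-insensitively and with a trailing dot stripped because resolver logs differ on both, and the IP:port endpoints are kept alongside the domains because the sample may connect to a cached address after the DNS records are taken down.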
Files
memory/2548-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2ce6b264eec58ad040f9e544298cf1d3 |
| SHA1 | b245acfc3858242b4a0f27a0da969cb77d42b1ec |
| SHA256 | 10f50d48c9656c6a13fec386f82fd69f2e316275d0119a2af381ade08bf34082 |
| SHA512 | eb1b94fe24d834c323bebd9723e0e2884cb1d72ca8744d433b355f1eccce2144c5dd84897f99932ea6427dd14d08607c5cc4110aa7bf3f12b9806eca89b10a52 |
memory/3232-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2548-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3232-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 047f0b500e103a71b9aab944fa6fd20f |
| SHA1 | 56d33c0be1c047c9a14037b81b0dd26670e7b069 |
| SHA256 | 6f6ff46db24f8be694e323b0d887b1e733ef0457895e6b7ffeabbe07888d373d |
| SHA512 | 8f22966126c93229a246b422289f397c1304a64d9f5bd96f34049f07dbba3c88e126c65688d1ac8b0324f9fe31dbc0b32d0e3e2a24bd2ce9bb88ee7de2581548 |
memory/2956-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3232-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2956-14-0x0000000000400000-0x000000000043E000-memory.dmp