Analysis Overview
SHA256
4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78
Threat Level: Known bad
The file 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 20:53
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 20:53
Reported
2024-08-18 20:56
Platform
win7-20240729-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe
"C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3dfc86b2441840dc62ce2a529fd73aea |
| SHA1 | 94966d2741dafc71c66f8f39e625b927d273e28c |
| SHA256 | 1b00585a46d14e683b1ff21d5659e2dce15e1e674bd9796d5483a7617fbc15ae |
| SHA512 | 00cac720a7929b66a4a1bbd452f879d2ed174c981cbec7867a33fe173555463f625981985dd34b82a4e595ea3e71a8e9b2b9cab1635144c21b335e4baf47de20 |
\Windows\SysWOW64\omsecor.exe
| MD5 | ca9f3f63b3b18002a09115c908386c45 |
| SHA1 | 34032a24baea978acdaaa23dffba12b67d5a3867 |
| SHA256 | af928bfb2ded61111523c319a3a3fdcf2646fc6931af73b7b5cc4e40d40cef4d |
| SHA512 | af1c343edbe93136608d06833d5e1ef8ccc6c5b17159468ee73cbb29e4d465b861468e5cb807f4a11856cf6b3c928f2e0bfb228daade9f276f5f771f1bbcf770 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e4b11e0a69a8642dd400a3a9a02567d8 |
| SHA1 | 35b9921187c0b0fb0395494f2dd1734841a3c4e4 |
| SHA256 | 47ad84dbe82c4d194310c7f1e5a8fddf640be0b3e244ecc9de3c926e60ef8c1c |
| SHA512 | e9aec412aaeaa00be2b1305aa2fe816266f85557ecfe206f7c070b9af2804c37a298c12ef472506a8526221b9139e24b7f3fae9c31b5e199abe214db7c33ca4e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 20:53
Reported
2024-08-18 20:56
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe
"C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3dfc86b2441840dc62ce2a529fd73aea |
| SHA1 | 94966d2741dafc71c66f8f39e625b927d273e28c |
| SHA256 | 1b00585a46d14e683b1ff21d5659e2dce15e1e674bd9796d5483a7617fbc15ae |
| SHA512 | 00cac720a7929b66a4a1bbd452f879d2ed174c981cbec7867a33fe173555463f625981985dd34b82a4e595ea3e71a8e9b2b9cab1635144c21b335e4baf47de20 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 50a2ccde3656cb7139d585beb333cb40 |
| SHA1 | 2d93911701ed79319c24ac7af57f7be0f8e5a8bb |
| SHA256 | 31db88859c37cf65d13b2349e09b0ac67b186316c036fa660608dbc6a4c87442 |
| SHA512 | 646fcdea9a220ff0cc453c2ac84260ae26ebd735bdb2a2345a5331d73e6a7ab72959067caa5048481ac3fa7ab9fcf8b3158a8aeffadc3b42332d8aeaa24f1d53 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ee89eb2b96b860d3166fb7be176cf7b4 |
| SHA1 | ce3dc413303d4c2c035a22b5b9d51eefe4f64a5b |
| SHA256 | 31efd5431dfd5fdeab331d79a8271d22b68fb2e964aff1571b9096c6a7951c77 |
| SHA512 | a696d4d29aa78d384ec92aaac6bf8c0ba9bbff234e5df39cea8487bf50e88e4141fe0377ceb81d3041ea20999407aa76a0b146b266ff11bab33d8e558d160a34 |