Analysis Overview
SHA256
08e1f7a0db3395be8b5b2eea71f6614470012f945a7b24bb03b694808ce1b10d
Threat Level: Known bad
The file 3af4c90be05e1f0a645d05215d226870N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-19 01:35
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-19 01:35
Reported
2024-08-19 01:37
Platform
win7-20240729-en
Max time kernel
116s
Max time network
117s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe
"C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2124-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 81e8fb10bfac735b839e186a8ed9a2fa |
| SHA1 | 020a6c104be18704815e36a6d1b6a68136112e92 |
| SHA256 | a329994d02727bd0de8cae4533c9ea1c789ee151cc6b570dd84b0b966780a896 |
| SHA512 | 6c4f05fd26231cc3b7faf0a317da41bc03a70fe81bb51a2f1db8450399fcde6881ebb62b41e828a1b50a08d557272803a695a358ae191bdea3a29fded58e1a20 |
memory/2348-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2124-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2348-12-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | c66e3dfb27367b80d4ff9e679f1e2a0f |
| SHA1 | 72e448b83f063dfe227263889ab6da63b02d0aff |
| SHA256 | 989bdc4c3430752b92f969997ac9d4ab3fbd0aeb98b129719e053f59bd6f0650 |
| SHA512 | 0306c5d97a8a12dfd2b15f90c830f9d9f8c64a5ba62bbf051d99e9b150cfd3f0447223b7dcf4a977be2572126a7446e0fafd170d0146f5f6b28223a0913f7cd7 |
memory/2348-17-0x0000000000310000-0x000000000034E000-memory.dmp
memory/2348-24-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | bc2b620cc350e37692d39056ae6e83ca |
| SHA1 | 444be35e0f6222e53cc8b78b72537834f6ed4437 |
| SHA256 | a309a37d6ac6f197065b0f68102a413b8f97f76a3f1afaab0c2b56d016478e03 |
| SHA512 | e03f9dfeb3d419dd5cc696948456efecf141b0f078b2e5966e31acc4ae2e3e6467b39891e2226269ef2b10534f1d334bdb947c0af551b4042968c41822fa0dc8 |
memory/2708-35-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3016-33-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2708-37-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-19 01:35
Reported
2024-08-19 01:37
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2908 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2908 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2908 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4848 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4848 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4848 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe
"C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2908-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 81e8fb10bfac735b839e186a8ed9a2fa |
| SHA1 | 020a6c104be18704815e36a6d1b6a68136112e92 |
| SHA256 | a329994d02727bd0de8cae4533c9ea1c789ee151cc6b570dd84b0b966780a896 |
| SHA512 | 6c4f05fd26231cc3b7faf0a317da41bc03a70fe81bb51a2f1db8450399fcde6881ebb62b41e828a1b50a08d557272803a695a358ae191bdea3a29fded58e1a20 |
memory/4848-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2908-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4848-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 5ddf24e7926d9b31cf3b303000065325 |
| SHA1 | 2fd94459cb9ab7d20acb87e25b3eb3977a7c8be9 |
| SHA256 | 0ecad4b96b38b28f40b0a78da5ef6ebe1d50c3332418469960c619056a43ccd1 |
| SHA512 | a743a864c9041cee7a2942c52d9a55664b4006cc79385d9b3f662d86e25916d553cce8477b0fa2f94dbbcdc4abbfb7c326f99b2ad7f914bc617881c2f7b6f76f |
memory/2320-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4848-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2320-14-0x0000000000400000-0x000000000043E000-memory.dmp