Analysis Overview
SHA256
dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd
Threat Level: Known bad
The file dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-19 02:17
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-19 02:17
Reported
2024-08-19 02:20
Platform
win7-20240704-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe
"C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 1e82166cdb3bb51e8964be7b5a9ecb08 |
| SHA1 | cd78f196cdcd818dd456ce91817b7d8735bf9846 |
| SHA256 | d1b58bd52e3ed9b58e0243ca3d42487f91635493b7a6e430244931b129b18ea4 |
| SHA512 | 532f928ee4cce9f9c5642c83aeaaae7ecf47c72a410be9ac0e00bc9948771e73a37d7f8b5f0026a1c01999724063a4ecfb54ef16714fa770db1904ce46fcffa5 |
memory/2388-1-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2972-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2388-9-0x0000000000220000-0x000000000024B000-memory.dmp
memory/2388-8-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 33b7445acad3ee64ff2ccbeb0ef446fa |
| SHA1 | 65dbba5219f0304b9f722e46b67a6a6df47a4d0c |
| SHA256 | e4fb710ff7768d3e9b0b72685e24d22ddf6a649137b51dcc4065b12af8dbf987 |
| SHA512 | 49c30f76c3ccec6e4297bfc77939005b1628837954a86991a029bb1128e12bb4abc380130572c582b0ff0f4cdaf42bc68edc7181adf39c7224c674419ec6333a |
memory/2972-17-0x0000000000500000-0x000000000052B000-memory.dmp
memory/2972-23-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2512-29-0x00000000001B0000-0x00000000001DB000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 8d4e6b576d64abefa4280c3a02643b36 |
| SHA1 | 97f35d9191d73b4840747531ae9e492a380c63a8 |
| SHA256 | 593ea7db3aef576a9a821416966c60504c9a9b278d1e83306d15ed591e34601f |
| SHA512 | 5a272d2f5a5551b86367b6910faa637fcfb52b193b8884cd92728d8741a2c430deeedb35f3d4a75db2821ce9b291fd1aa4b40867cdbb1e8dd47aa296f63776ea |
memory/2512-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2512-37-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/2360-38-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-19 02:17
Reported
2024-08-19 02:20
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe
"C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2936-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 1e82166cdb3bb51e8964be7b5a9ecb08 |
| SHA1 | cd78f196cdcd818dd456ce91817b7d8735bf9846 |
| SHA256 | d1b58bd52e3ed9b58e0243ca3d42487f91635493b7a6e430244931b129b18ea4 |
| SHA512 | 532f928ee4cce9f9c5642c83aeaaae7ecf47c72a410be9ac0e00bc9948771e73a37d7f8b5f0026a1c01999724063a4ecfb54ef16714fa770db1904ce46fcffa5 |
memory/2936-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3836-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3836-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 5bdc6086e6d00112a03533477c72d1d7 |
| SHA1 | ca78618ff79e82ce304c01414a5e44290d937ae4 |
| SHA256 | ecbff5b5ec976cf392c0f272f5a35c726529132194cc0520b96389f61d1751f8 |
| SHA512 | e2d311293aa86b57c4b5a15bb39904796454324ab2328a9f130f1da462bf4598974863f00277f5a19a1e2211077955577818d71cac43033193e331b672912d10 |
memory/2044-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3836-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2044-17-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 9e23bd077698b6e84f1d8ee239700855 |
| SHA1 | 5471fa28a62e07b897e20d69e4491688ea058c53 |
| SHA256 | 6e7723a201f93efc8d3f06aef7bf1b8ed46cdb4cf17b98f772231e8cf3950daf |
| SHA512 | 4ef4a15798eee0f684579538dc3d4ed784ab8d5f305e2fc43c5a1deceb9a8a70d1aff53ef3c67a30c7bf4e408040771b0a70d8d4068bc04d1888831b37fc366a |
memory/1428-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1428-20-0x0000000000400000-0x000000000042B000-memory.dmp