Analysis Overview
SHA256
7c703e5bb2539d52b2a22c4bfd09667d25747c916b17e45a64f9a788da8f11c5
Threat Level: Known bad
The file 56273b3463f33f24297a72d47b2cd370N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-19 06:35
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-19 06:35
Reported
2024-08-19 06:37
Platform
win7-20240704-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe
"C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2520-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ce7aa3954c5dcdafdbf8443875850f25 |
| SHA1 | 3d5d362d4ee07bcce26666ba0a38a99581b0be8e |
| SHA256 | d2f7023e0f5893887e70f311ae4f4c4321a857509b0ef5522ab83fc25b5a1d72 |
| SHA512 | 35dd7c23b771074e71e6d3d1afd5cf4c65f48eeec3c3abfc5b22f33fc27a4f473d891b3d748ae2eee9122302deb19b00f76dd3ac553485fb5cbda192766f2897 |
memory/2520-9-0x0000000000220000-0x000000000024D000-memory.dmp
memory/1936-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2520-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2520-8-0x0000000000220000-0x000000000024D000-memory.dmp
memory/1936-15-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1936-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1936-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1936-24-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 0ce8cedc297e182c1494c3b83ac7eb0a |
| SHA1 | a67a247d2e1f93e399ed453ffc34fc8000dd2745 |
| SHA256 | 119c0730e11693aa2e8e7b0673d6e69c020433a534521433b72f8ae696ced20a |
| SHA512 | 8d5db0e7e1f962a6293be140ea590f2c2aafe933708b51e697c3912f08e9836b0dc1cf0869c564ea4184f4c8398d4d067812e38ff24ad647edbe2a5b03d13535 |
memory/1936-33-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3036-36-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1936-34-0x0000000000530000-0x000000000055D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 28f7b42bc3a38fa59e152eadbe67e32d |
| SHA1 | 65ce4848621354701a14a380fa9903b21460e977 |
| SHA256 | 94dc7b5e601bc356095a3a6371e8dc393597a946a5cddc73e497b6fb749df6c8 |
| SHA512 | f84ff50dd9b4a9166b77df75b52dfa217a5acf4ff05a13fbd4fb162f2a29980e6f46e24c821d00d914f87a4088d8e739eced088ef78963c781ba0ab6d07eece8 |
memory/3036-41-0x00000000001B0000-0x00000000001DD000-memory.dmp
memory/2976-50-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3036-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1936-51-0x0000000000530000-0x000000000055D000-memory.dmp
memory/2976-52-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-19 06:35
Reported
2024-08-19 06:37
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
125s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4856 wrote to memory of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4856 wrote to memory of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4856 wrote to memory of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4092 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4092 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4092 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe
"C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/4856-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ce7aa3954c5dcdafdbf8443875850f25 |
| SHA1 | 3d5d362d4ee07bcce26666ba0a38a99581b0be8e |
| SHA256 | d2f7023e0f5893887e70f311ae4f4c4321a857509b0ef5522ab83fc25b5a1d72 |
| SHA512 | 35dd7c23b771074e71e6d3d1afd5cf4c65f48eeec3c3abfc5b22f33fc27a4f473d891b3d748ae2eee9122302deb19b00f76dd3ac553485fb5cbda192766f2897 |
memory/4092-4-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4856-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4092-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4092-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4092-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4092-15-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 7ddb7511628fba5209fdcbac68d074be |
| SHA1 | 035d9f4eb7e47100597715e5fb50c6ec0de7a464 |
| SHA256 | c2d1a10d73d708777123c0712d1c6b6d549c7f35715e572b632637137078057f |
| SHA512 | d83d7f80600addbe063d321672131dec810c3f364ec337948a30a4ff781c73205f06cd38e5a4ef49338efbfa0e80fbb04cc8f4a05dd5be44f5f51e00dbbfd573 |
memory/2756-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4092-22-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2756-23-0x0000000000400000-0x000000000042D000-memory.dmp