Analysis Overview
SHA256
45b26778617e32b7a051224072b3c9488cd4ee1d73d121e59ef2c302c19cb756
Threat Level: Known bad
The file f83fcf0ae931037ba2da178f80abcea0N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-19 08:18
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-19 08:18
Reported
2024-08-19 08:20
Platform
win7-20240708-en
Max time kernel
114s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe
"C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2524-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2a4dad62c7d50a4c571623ebc0ebe7a2 |
| SHA1 | 0ac27eb9014a677d4f9e2437348d3407fc07cb69 |
| SHA256 | 351f944b148816f75f3320e12eea4d276513662cb76c06e783c52c7a5ce58be6 |
| SHA512 | 525da0872fd472e296cfc49350927273b706cf131ab05d53a9a3b0d6795c48f62b9dd23ca9ef8f5c1328a037860e488cb864082ad44a1b482fd1ba93b8c6068e |
memory/2140-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2524-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2140-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2140-17-0x00000000005D0000-0x000000000060E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | f3278d913cb85c0334d6732b7da9f210 |
| SHA1 | c1228dd98d1aa4e07c7e32d8da483a751e4e5fb0 |
| SHA256 | 8d2bfe642d721a4ceba9b47e00c33ed640e07bafd75377b5b3fb947912d9efdb |
| SHA512 | 74df2068ca5e5b28c9811553a409ec2c12efa4261cba94dec83e996079858cf26cdf858540139bbbba58236d273985334156d56089c22884c04e3f768f439bf8 |
memory/1960-37-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b9876abae545d9dad7ebbb915498249a |
| SHA1 | 001e97b2faa97aff156c5056914398a40cb73b2e |
| SHA256 | ad0289b69f216722a42e3f13723127fc7db9af8e9a1733b7b7c994d17602b778 |
| SHA512 | ca6e1d7ac2f4dd11fd74253a774b48a45274627c30826ae01a7a7991db93676f35a73e65f5b9509abc913d0b6bee75577f51230c3b4c7864814805bc3ea7d11c |
memory/676-34-0x0000000000400000-0x000000000043E000-memory.dmp
memory/676-25-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2140-24-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-19 08:18
Reported
2024-08-19 08:20
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe
"C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/864-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2a4dad62c7d50a4c571623ebc0ebe7a2 |
| SHA1 | 0ac27eb9014a677d4f9e2437348d3407fc07cb69 |
| SHA256 | 351f944b148816f75f3320e12eea4d276513662cb76c06e783c52c7a5ce58be6 |
| SHA512 | 525da0872fd472e296cfc49350927273b706cf131ab05d53a9a3b0d6795c48f62b9dd23ca9ef8f5c1328a037860e488cb864082ad44a1b482fd1ba93b8c6068e |
memory/2984-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/864-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2984-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | ac3990b7ec718f172ae5cf1d180d3f8b |
| SHA1 | c00800330d39ad4d2a4af8ee9db1751f43852153 |
| SHA256 | c61a29206b8ba984031334403b20b6e134fba658ef67a363abd7a5b772f1f2a7 |
| SHA512 | bbc57865a45a964aed01c03f67d34d38afb7bd250117a47ec9d6c9956e7ff82e2c77e23b359e894ed6282fe04a7c0ba80a53b062f630788d8df0f1c50d9e8f73 |
memory/864-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2984-13-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e6a3890489b535fe43e01e9060f4c597 |
| SHA1 | b5c6267c87beb1ab22b18f6461424abd113e3b40 |
| SHA256 | 564fa955eb1a866e1b55140fbbe9708542d747a4f85a8f3fb35b9dafc6e39b11 |
| SHA512 | b885f43c6846fbad22561c731a31dbcfaff5dfa8a4d183896aeda249884cbcbdc7eea270fdf3a46c97e6f0950b0661b101067e2fb214b7ed516a81d861fd9a0f |
memory/864-17-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1412-18-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1412-20-0x0000000000400000-0x000000000043E000-memory.dmp