Analysis Overview
SHA256
07f5cca07cc63a5f18e9d6851d88902c49aa4447873e183482e8d399e405f172
Threat Level: Known bad
The file 8eece6f5324bf1526d6e0881d638f170N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-19 10:24
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-19 10:24
Reported
2024-08-19 10:26
Platform
win7-20240729-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe
"C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2848-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f7f9a1f2f66382acc65a061290ba5f04 |
| SHA1 | 6ac4dbed0e0489e9838f1cb8acec1d505e25de2d |
| SHA256 | f9d5e0817196061b67cc568d4792a55c5e8bf22b54e28f526efb9e062dfb8511 |
| SHA512 | 452dd256ef4439af62687ccfec1100d87c316ed2fa676be3d323c160bd0a6a4e6eacfe9c86560858453fe356f6fb804f9e03b9e090ce3f1518d603e9352fb0fa |
memory/2084-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2848-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2084-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2084-17-0x0000000000340000-0x000000000037E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 01a653e7f9aa8bfc811e1f4ff84af51f |
| SHA1 | 639cba6d629cd95ab70f7064e79df8f41b20f793 |
| SHA256 | 529d89df0c8ea72d5e9e904362d7a0dc691273e76efff5b2b8f06717a3ba3745 |
| SHA512 | 7c840d11232dead28bf2de8498d527e36261f3260f7cbea562482fb7789dacb6965652bca4294b3178ef3129844a34f6a240bc35563ef114347f047f557e12da |
memory/2000-25-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2084-23-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | fe272471d77337aa368c3dd332719aa3 |
| SHA1 | 73edc07e632735a07496781930a3f1d23fc35af1 |
| SHA256 | 9d45051d123e2b379fc373f038029f18c6fcea29f9976118413a189b4455fbc9 |
| SHA512 | cc18dc52df2d8dfc918f9456f5c335d9b571b105411b9def87be63697d979c1c9d530eb16848285acec67b5f6e19f6875f101c2f4628a387ea3b7677141ffb5e |
memory/2000-30-0x00000000001B0000-0x00000000001EE000-memory.dmp
memory/2860-37-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2000-36-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2860-39-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-19 10:24
Reported
2024-08-19 10:26
Platform
win10v2004-20240802-en
Max time kernel
116s
Max time network
120s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1400 wrote to memory of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1400 wrote to memory of 4244 | N/A | C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4244 wrote to memory of 3624 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4244 wrote to memory of 3624 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4244 wrote to memory of 3624 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe
"C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/1400-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f7f9a1f2f66382acc65a061290ba5f04 |
| SHA1 | 6ac4dbed0e0489e9838f1cb8acec1d505e25de2d |
| SHA256 | f9d5e0817196061b67cc568d4792a55c5e8bf22b54e28f526efb9e062dfb8511 |
| SHA512 | 452dd256ef4439af62687ccfec1100d87c316ed2fa676be3d323c160bd0a6a4e6eacfe9c86560858453fe356f6fb804f9e03b9e090ce3f1518d603e9352fb0fa |
memory/4244-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1400-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4244-7-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3624-11-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 2d0772cb24774f91faafa5c182fb993c |
| SHA1 | 16b3146e2d6fcd13cacf01496f38b0e9232d4e95 |
| SHA256 | a7538fcbd69678da6d0f25c59ecaca7df44f33528b2326400830c4771e19bccc |
| SHA512 | f1ce0445c4d1768d8156531115c4f2a83b3c92ea26e9c15366014543ffaad4226aa06758afc337e3c7ea2ebb77c54ceac847721f99be787a5139968dfbbf1298 |
memory/4244-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3624-14-0x0000000000400000-0x000000000043E000-memory.dmp