Analysis Overview
SHA256
4cb6f4971f521c34fd0b117fe667e17dd2202b4e0447df1f1c55f78b8252fc51
Threat Level: Known bad
The file 9b4365610bf5ba273c19d4b6b59ac470N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-19 12:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-19 12:24
Reported
2024-08-19 12:26
Platform
win7-20240708-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1152 set thread context of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe | C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe |
| PID 2804 set thread context of 2560 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2896 set thread context of 684 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2184 set thread context of 2948 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe
"C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe"
C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe
C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 6123f4b0759183e2454f5cc37764fbc2 |
| SHA1 | 47cf4c7aaa51499809b7c9367ff52620108b889c |
| SHA256 | 827082545570a3be54af7070942aa80eeb715c084a7769631a6f4da2b0dfa6f4 |
| SHA512 | 503a34691cf99e9c58365df90ef1be3698f5a7b2093ef5712f32598e855373f343b2be4aa138e2f353a7651c549800da9a7d0dd211dc6e5d0049f859f565d67a |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | d0d4388594bdc7a972a839e61316d9d8 |
| SHA1 | 3e5d2d902b7bd43ce57b1738182913f5e6169c99 |
| SHA256 | 83f97cb3904c8c614e0437e454a86aae05de73ed7da3bf0079e513b01640cf78 |
| SHA512 | 52b7bf37a84de2c62c25362e930a7f27a3d1141f2b276bb926c064dc89a845107683962baa0d2ca1a388ba335370c0253f1bc7fbdfaf518161a60dcb035ca2a3 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 19e259a2635674dc70fbcde2f1b6a1e3 |
| SHA1 | 18c3fddda01c6396b130062035b411be35dfd785 |
| SHA256 | ba58a831a5e8fd5272c5dd14230080236444c6bc07d5f2f9883933cffa891b24 |
| SHA512 | 1e4d74861121039184d4cd111dc8d89e9b7b751b3abb2d0850d673898ba88c2bb8c0c667feaed3c0bfd91530a554ccd54cd699e6d6d6e838fdfe87946d9b9bf9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-19 12:24
Reported
2024-08-19 12:26
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5072 set thread context of 3076 | N/A | C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe | C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe |
| PID 2504 set thread context of 3952 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 936 set thread context of 3408 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1244 set thread context of 1620 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe
"C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe"
C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe
C:\Users\Admin\AppData\Local\Temp\9b4365610bf5ba273c19d4b6b59ac470N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5072 -ip 5072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 296
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2504 -ip 2504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 296
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 936 -ip 936
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1244 -ip 1244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 244
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 6123f4b0759183e2454f5cc37764fbc2 |
| SHA1 | 47cf4c7aaa51499809b7c9367ff52620108b889c |
| SHA256 | 827082545570a3be54af7070942aa80eeb715c084a7769631a6f4da2b0dfa6f4 |
| SHA512 | 503a34691cf99e9c58365df90ef1be3698f5a7b2093ef5712f32598e855373f343b2be4aa138e2f353a7651c549800da9a7d0dd211dc6e5d0049f859f565d67a |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | e754a9a6334f5f71bdadf81fc70d654a |
| SHA1 | 87328da67525e42e389fb75ff491a5407ad2163e |
| SHA256 | b96a320b2e57d248fdb55e66dce2fa724871d989f1140cdb186dae65bf336412 |
| SHA512 | 662aae1c81ef9aa5560030b1f81e9d92ebf7e0e8381110d786536aba6d3c2653b9e3f64d2f7d52b82d884e3675246f679ec597c3c5c3a0ab43908d486fde21cc |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 4ed0c620a9ecc72f57296023bd98b112 |
| SHA1 | de56fb87ea9262abfb6197f49a72c18c7f12852d |
| SHA256 | e73c9132108393b87978c5079d2068264b60fc81fd5a2fbcb41c5172bc7ce917 |
| SHA512 | 9da09c2809841e9fba0069a723c64286c159c1617ab0707bec04b20c36eec7e24db4edcf3407180b6dee6efc77bb269d18dc97fbfe3195f9435987308164f331 |