Analysis Overview
SHA256
feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707
Threat Level: Known bad
The file 4f8b5ded61b51de6d2d27f0e2a473a30N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-19 12:42
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-19 12:42
Reported
2024-08-19 12:44
Platform
win7-20240705-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe
"C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2112-0-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 795a05ea0a425d39884d9c4208eb97c1 |
| SHA1 | 3c73418c3cbb03e1d1b3fd8013592f3a37cc0e6d |
| SHA256 | c404c802a258fd59508f2dcf9413a8dfee514536b62ada156d0ee74e2b216c17 |
| SHA512 | 55682933038eae5bff03445095395f883ea7df84d65753dcc70a2a073af3bcf4e634e59be3a61833eda48ff852fec011341744e2ddeb04b57891c86c81c6288a |
memory/2112-4-0x00000000003C0000-0x00000000003FE000-memory.dmp
memory/2112-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/580-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2112-10-0x00000000003C0000-0x00000000003FE000-memory.dmp
memory/580-14-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | ae6f0b928ca26be64f734eb0ff37ae6e |
| SHA1 | 511ff1c9568b6e90f3aba9ef366bf540b6f12506 |
| SHA256 | 4d959b2f8ce32d54e5717a915a6f66f4e0eb2d005615424cb370f9412c072613 |
| SHA512 | cec89a4f6f578711f969cd01d2636adc3dbccd3e4679d9c80cbe8c99a26e37dfb1b859a1482b4d1288667f82da29329e730defc48673d512becb92adaf657a98 |
memory/2420-29-0x0000000000400000-0x000000000043E000-memory.dmp
memory/580-26-0x0000000000400000-0x000000000043E000-memory.dmp
memory/580-20-0x0000000000280000-0x00000000002BE000-memory.dmp
memory/2420-32-0x0000000000260000-0x000000000029E000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6820478f28bae667442e0ab68a7c6def |
| SHA1 | 82f1f543fc7a3acc19db33a9df8030daf521b817 |
| SHA256 | 854a233b0716bee7324222f319a9a755b953082a5b8e7a44669914e4ad852c7b |
| SHA512 | 764ff72cffb930dab70b468c1b749f2e57844f661e412d9cb5b097f64b2e2b91fb9a62ca7cba9edf36f9e6bab1b1087a901eb8e43357f943b14656d216cde42d |
memory/1808-38-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1808-40-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-19 12:42
Reported
2024-08-19 12:44
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe
"C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/3104-0-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 795a05ea0a425d39884d9c4208eb97c1 |
| SHA1 | 3c73418c3cbb03e1d1b3fd8013592f3a37cc0e6d |
| SHA256 | c404c802a258fd59508f2dcf9413a8dfee514536b62ada156d0ee74e2b216c17 |
| SHA512 | 55682933038eae5bff03445095395f883ea7df84d65753dcc70a2a073af3bcf4e634e59be3a61833eda48ff852fec011341744e2ddeb04b57891c86c81c6288a |
memory/3852-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3104-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3852-7-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 33fd7f7ad2095c91d62e0c5ae4268ce6 |
| SHA1 | 9274a1d9ba6c9fc5ed6e15e4087395c504946a78 |
| SHA256 | 12b68ec9ce77ffd5d923d4b8b000cd739b2550b9ae84c57387be752064fa783d |
| SHA512 | bb5c391e9f99331784fcd19b0d0b5a7db699a7c64a60c996f85c7fd0b44ecc74cdc7c597c348397ff41675a26e6d4c6072b7a831ec0eccbd715f336322f2e935 |
memory/3852-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4916-11-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | abd192b4a64298a5427850694a21ef96 |
| SHA1 | 8f26e4876a37fbf6142ecb91f17fc441716c5987 |
| SHA256 | 334b40a9df4a5e027483a0c44f70fbb00779801aecfe355a5646ef3b01205546 |
| SHA512 | a8d8f49b3af76eaf684eec4ef0abf671e1bc8390924979dd73df7e7a95f6eada2246553a0c9c9e75ad31a252e0a58005c9907fb608be0b97e57e9e94f38dd6a1 |
memory/1668-18-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4916-17-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1668-20-0x0000000000400000-0x000000000043E000-memory.dmp