Analysis Overview
SHA256
06d6b7a7a3a0e29902f581826dc400375327c0737f12e6c7155c6fdde56373a1
Threat Level: Known bad
The file a00fe3a2c55cd63807c35ccf89171830N.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-19 12:43
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-19 12:43
Reported
2024-08-19 12:45
Platform
win7-20240704-en
Max time kernel
114s
Max time network
118s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe
"C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | bb782486b12b057300bc6245995d6649 |
| SHA1 | a51d6bd1925b7ceed4f312923b89b7af6b6c82e2 |
| SHA256 | 4023c822a006be70851c316d090eee3f3c51abc1575d4ea944c1fecc6ead86fd |
| SHA512 | d08a28c6b8e3c66aa687ccd4093137345e8f34c7d442adb13350d6ffbee99b11e0835f1df678385a8e816d990ac6b92ee05f1de3048047df90fe1b3a1cdb0b08 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 390e72c71ffcc0e42023f38bf000df78 |
| SHA1 | 4c076ac741c9af64adc727e3eb3a50e48d5b792b |
| SHA256 | 160c3f1642db81de6104a9c9fa07cfa3adaabe68c1dd95c1c7f2de72d6a623f5 |
| SHA512 | c7f26bfa1cc67a8c6732c0ceaa3fa0c577fb227c100ca20a1525f5f9f976eb6455a0a65f3f4dbaefb6c41cd672e1410f10f3041c690bf74d544cf3b8a4f0694e |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b40ac8124b8a5210400154bbebf6fcc7 |
| SHA1 | d4b57b6b5906ab7f48d904e160cbfc691efafb7d |
| SHA256 | 719442bf2f0f25bbb3abf9bff516804d0d9d062362e7439c5df68bf4ebc52e2e |
| SHA512 | 011418046beb7d2754d1cf2a9f617bc4b2ba9f105a01de1c7296be3737c39c5f066e69251f5e8d1daf8dc185d74e9d8f07a1a05961bb6cafb9d1efa70e3c0db1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-19 12:43
Reported
2024-08-19 12:45
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
119s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1904 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1904 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1904 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1368 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1368 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1368 wrote to memory of 676 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe
"C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | bb782486b12b057300bc6245995d6649 |
| SHA1 | a51d6bd1925b7ceed4f312923b89b7af6b6c82e2 |
| SHA256 | 4023c822a006be70851c316d090eee3f3c51abc1575d4ea944c1fecc6ead86fd |
| SHA512 | d08a28c6b8e3c66aa687ccd4093137345e8f34c7d442adb13350d6ffbee99b11e0835f1df678385a8e816d990ac6b92ee05f1de3048047df90fe1b3a1cdb0b08 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 26f62bb322a58c00b031516406a6c509 |
| SHA1 | 59d067e9d01f6a6df1f895f8dfc55a25269052bf |
| SHA256 | e138cd501a28ceeb522488bffaa8df14ad4cb46218bd650c2d6ad570fee392cb |
| SHA512 | 74b1251e4aff5ac9db236c68d0398380af587a46e7a46e27286c61e1b6cef962bed47b1a084389b4268b65e29dfaf28f37ebf12c4e3f5267e54be8f8374da76f |