Analysis Overview
SHA256
65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660
Threat Level: Known bad
The file 65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 10:13
Signatures
Neconyd family
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 10:13
Reported
2024-10-31 10:17
Platform
win7-20241010-en
Max time kernel
85s
Max time network
125s
Command Line
Signatures
Neconyd
Neconyd family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe
"C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 15.197.204.56:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | b2efdd7070e9ca2edc770f508c705ffb |
| SHA1 | f7fd589f8e939506f1e30b5cceebd3bbdae7002a |
| SHA256 | e8cf27d1567cafecf427e2cca3ec6c75f21e3789248a9bacf3d2c41269456cbb |
| SHA512 | 5a8eae141727f11ed598eef7e255f4819f31b6d386cc9f2b83a816b2f971d53c45606c2bd243d397f21d0d598879b61b75fb44d2748463e971fdd3671234288f |
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | 2a49c87b068857d8ece66848480eef0b |
| SHA1 | c3fe5d871ef0058e14534767fb2cf861a501a753 |
| SHA256 | 08e319bec723fc8de14b82dc58a639609de57a082cf1d7334d9535eefeb4b825 |
| SHA512 | 1c7d0aca6afc681073a199af8471703de1b9e679ba94597004364c42723cde1f1ebc04a5b4cd549a2ee7d4bcd82a69ed6442fc8f1c4c98745c62ffcc6e26c32b |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | ece0417594aaf2f1480b46319ebe7de7 |
| SHA1 | 40d70e6dd13cf4c6a7843b6a4110fac507be6c09 |
| SHA256 | 6c027ec55eb76d9a35b9c4a14210277ab648f69852fb72b5084e2d850191be8c |
| SHA512 | c9b891b696fd9d219fa77dd685893be0e23c0094f3070b5b529259f687f0e597ee632b1a2c69c55443b3d3df340d2e67265f36ba0805d314ed148d93e8bb007a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 10:13
Reported
2024-10-31 10:19
Platform
win10v2004-20241007-en
Max time kernel
115s
Max time network
104s
Command Line
Signatures
Neconyd
Neconyd family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe
"C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 145.243.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
| FI | 193.166.255.171:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | b2efdd7070e9ca2edc770f508c705ffb |
| SHA1 | f7fd589f8e939506f1e30b5cceebd3bbdae7002a |
| SHA256 | e8cf27d1567cafecf427e2cca3ec6c75f21e3789248a9bacf3d2c41269456cbb |
| SHA512 | 5a8eae141727f11ed598eef7e255f4819f31b6d386cc9f2b83a816b2f971d53c45606c2bd243d397f21d0d598879b61b75fb44d2748463e971fdd3671234288f |
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | fcd46e504f6189094450df42a943abeb |
| SHA1 | 93527071cae2e012ce18a2ce9ac3475d5e71c07a |
| SHA256 | f4a798a011662ec70ec3c67df78b215f6ed3343826e07d57e1f812f16c6e3bcd |
| SHA512 | 7932a601cba8f6922c3440ff032a4221a0f85fdb8624854c395797cb9043ccb0aa9b0051185df4df19835cc67e36f3e7b42410e8e01d8c89b7734c89d3f0ce4d |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | 624fe7b65e496655894d615bc1ce69c3 |
| SHA1 | a544911f430103ed1ae0178e7791118570bbfcf9 |
| SHA256 | 6d93dc9796783c05a712d76ea7b430c449a496236aaa745377a5d5eb26817272 |
| SHA512 | 4add86cd85edcdd29301bbca27eaf0ce272a4838c7a9d2d265b9d1acc220bca8de376ff15a2b28651e37d3823c21be6462d776e04ea5e1593b6f0cf8cbad18f4 |