Analysis Overview
SHA256
27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730
Threat Level: Known bad
The file 27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 08:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 08:16
Reported
2024-11-04 08:19
Platform
win7-20241010-en
Max time kernel
148s
Max time network
161s
Command Line
Signatures
Neconyd
Neconyd family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2744 set thread context of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe |
| PID 2912 set thread context of 1848 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2072 set thread context of 2960 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1632 set thread context of 332 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
"C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe"
C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp |
Files
memory/2744-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2392-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2392-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2744-7-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2392-10-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2392-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2392-1-0x0000000000400000-0x0000000000429000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | fd29e3ec0adbe41ec0dde8fcd181fbfd |
| SHA1 | 8e25cb8af3c2c6593da992f1c0ac5db70878700e |
| SHA256 | f520ba7918e49c64bf627b4f17073694e0657348c2f2c4f06e30d4cdea4aac7a |
| SHA512 | 351ce623d44933e9f02c15c3cf7c3933200457ee56a300a02a15250cc9aa2392a55d3f974ddcde7317c3de4b87c34c7ac5f566face55bfd91c73c42304112fc3 |
memory/2912-20-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2912-29-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1848-31-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1848-34-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1848-37-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1848-40-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1848-43-0x00000000002B0000-0x00000000002D4000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 592458d3ca974a55d54d915129518415 |
| SHA1 | 46cb162d598226076478a839f5a3e65e35e87890 |
| SHA256 | 8a34ab8ea2f67798a0758b98d8eede86e0420864f7a60ecf114f0f9cfc2b9edb |
| SHA512 | 7a4928d65a76db1768f6a380e33e7f0781aebc0c5f1918ae8e7783005cecae27623ee500f91de533d3148af3ec36513b874f7412f2feba929ff6b8db2947fc4e |
memory/1848-50-0x00000000002B0000-0x00000000002D4000-memory.dmp
memory/2072-54-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1848-53-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2072-63-0x0000000000400000-0x0000000000424000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 783be9f53f8739747f523040fe3d4a5c |
| SHA1 | 8ca46ba5c49e685d13d73b77d38dc9d3cacc504f |
| SHA256 | c36cfdc109a6123703fcd7863df6a0e2b9fcdc0458961f3c3fa831b57ea525eb |
| SHA512 | 002bb3abdb67772c779efe74d1c1287b9cc38b2922ff5aa214fb57a2f9d846e2daceca5c192cee84969710e20dc761757f99513aac0c7c793c16c2456a16b46b |
memory/1632-76-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2960-68-0x00000000003B0000-0x00000000003D4000-memory.dmp
memory/1632-83-0x0000000000400000-0x0000000000424000-memory.dmp
memory/332-85-0x0000000000400000-0x0000000000429000-memory.dmp
memory/332-88-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 08:16
Reported
2024-11-04 08:20
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
157s
Command Line
Signatures
Neconyd
Neconyd family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4356 set thread context of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe |
| PID 2152 set thread context of 2728 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 492 set thread context of 4952 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4848 set thread context of 4812 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
"C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe"
C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
C:\Users\Admin\AppData\Local\Temp\27d7de0e5fb13a719367aff96a0d5c32d7e0ac8514962b5be62ea50323ceb730N.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4356 -ip 4356
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2152 -ip 2152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 288
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 492 -ip 492
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 292
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4848 -ip 4848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 260
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 145.243.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/4356-0-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3952-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3952-2-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3952-3-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | fd29e3ec0adbe41ec0dde8fcd181fbfd |
| SHA1 | 8e25cb8af3c2c6593da992f1c0ac5db70878700e |
| SHA256 | f520ba7918e49c64bf627b4f17073694e0657348c2f2c4f06e30d4cdea4aac7a |
| SHA512 | 351ce623d44933e9f02c15c3cf7c3933200457ee56a300a02a15250cc9aa2392a55d3f974ddcde7317c3de4b87c34c7ac5f566face55bfd91c73c42304112fc3 |
memory/2152-8-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3952-11-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2728-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2728-14-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4356-16-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2152-17-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2728-18-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2728-21-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2728-24-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2728-25-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | b327fd67ef32a48c000590090f56b74e |
| SHA1 | b80c17390e9852a0dff1a56376eca86f25f24d7e |
| SHA256 | 13311b523cc417d9d62fc81a82982dbc68f125e4ca9a85edbe1ef19123b5dc58 |
| SHA512 | c5c81ca96e204bbb227895ff917410d5bc342894425f278f684ec08bab54ecb547d132de4392015b72f73088a31342bcf9c8ea20144aa646ea6f1e95dda2cd4a |
memory/492-30-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2728-29-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4952-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4952-36-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f5a469f906b30de607ca24694ae3c1dd |
| SHA1 | 929c446f2e726e08ba4b8a3700fe14cb4ec5479d |
| SHA256 | c9633beffc2b7a83295b5b98dcbdf48824ffe64fbc14707471e2b4025c148e3b |
| SHA512 | ab05562f2a6ba43ed2ce065338674505298643f338c47caa1bcb97870be7447e6019f2bedaf3c7e33cb7a19bfc23aed25831bddfd899d4d3aa032f06f561fb94 |
memory/4848-42-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4952-38-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4812-47-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4812-48-0x0000000000400000-0x0000000000429000-memory.dmp
memory/492-49-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4848-50-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4812-51-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4812-54-0x0000000000400000-0x0000000000429000-memory.dmp