Analysis Overview
SHA256
bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88
Threat Level: Known bad
The file bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-08 05:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-08 05:00
Reported
2025-01-08 05:02
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Neconyd
Neconyd family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2396 set thread context of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe | C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe |
| PID 1068 set thread context of 2008 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1568 set thread context of 1896 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1968 set thread context of 2944 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
"C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe"
C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 15.197.204.56:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | eec076cdc82f43b08d721f79500c8074 |
| SHA1 | 9a6a6d9faef3e11b970f4e14c47f84384c36fafc |
| SHA256 | 3041bd8a974b30bc48fe113ea23488d0a1fdaadaf2a95bbfd9fb0e4c6c97c7e5 |
| SHA512 | 33f5c6fbeb43e7554c430a539bed59c6c763cd9106bc31e6d80414c11a1404f2b10514828073ad8233f4070b6766c9636b929fbc72dfab6561a2bd975c114a56 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 760dcd543bc76f45505418510dbb20d4 |
| SHA1 | 20d42774bade8fa97f0340f6cefea1e95002a7a5 |
| SHA256 | d74ed9aa8028b66f009ce009923a8b4a71a987976881e06ed65fe6671ddf95d2 |
| SHA512 | 074c8a90e8c1e409c1c42aa41a61a659bc2b33423a598e32c673556fca16a2e02f6cc62c9bf4db5380624c651f163ed273445083cf48deaf5484e2e3f6296f6e |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 0b462464bd7de6a17b7b2f54feb7fb39 |
| SHA1 | c2436af62291aef7210a6acc9acc9a7359c6d82b |
| SHA256 | 544560c4cb53d759607eb3db14a89525e9f05bb3bcb1d47063f8261b5a2732a2 |
| SHA512 | 2ff0563719e57458adc399057aef4803076cf3c5428dcf5076b840b3b8d10a3ff03da5a2c5787904db66b3f1cfde066fd72e054d7da43515c6642497643cb340 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-08 05:00
Reported
2025-01-08 05:02
Platform
win10v2004-20241007-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Neconyd
Neconyd family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1208 set thread context of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe | C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe |
| PID 2376 set thread context of 4580 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1644 set thread context of 400 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1668 set thread context of 2372 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
"C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe"
C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
C:\Users\Admin\AppData\Local\Temp\bfc407eea9c173b06eb05a1ac70f561efcc924eff26d4564d48cce337334cf88.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1208 -ip 1208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 288
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2376 -ip 2376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 300
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1644 -ip 1644
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1668 -ip 1668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 268
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.243.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | eec076cdc82f43b08d721f79500c8074 |
| SHA1 | 9a6a6d9faef3e11b970f4e14c47f84384c36fafc |
| SHA256 | 3041bd8a974b30bc48fe113ea23488d0a1fdaadaf2a95bbfd9fb0e4c6c97c7e5 |
| SHA512 | 33f5c6fbeb43e7554c430a539bed59c6c763cd9106bc31e6d80414c11a1404f2b10514828073ad8233f4070b6766c9636b929fbc72dfab6561a2bd975c114a56 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 6bf2f9d529618cb42b7a63bf4f58cb0b |
| SHA1 | 192ffb196db7c590b2cfe78cf4085bb93df9d26e |
| SHA256 | dd49f3ad67a168027701202a5e8cf59e6d57caf87a919c0f5d94c1f5df4dc075 |
| SHA512 | b652bc1585d0bc3dcb88dd946ddecce80e6cdde29a0e56a6c75ee67b64828515d775ba0ca15b71bca35006e64cf737495506ca141c606f92191bd6438fe62323 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | de15dcf32241852c2dbc133f6860052b |
| SHA1 | d62e94bde2c32c8d2f4c0c6362f53d89b6d245c4 |
| SHA256 | 830980b0e36b3a30e8f0467fd31f97acdd71b51eca1124ea1d16786b573d2a70 |
| SHA512 | 6929ceef0f8644fb670a8834f6766f5e87ce07d28b8eeae4b871664793bbdcbe6dbada8d960ef758af20551f389699c71de3fb520ec617c90b853d173fb4352b |