Analysis Overview
SHA256
50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0
Threat Level: Known bad
The file 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 21:34
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 21:34
Reported
2024-05-19 21:36
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe
"C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 540b9b67841d4199b21880644c909be1 |
| SHA1 | 529a68d19b90f49eeb0275660661734dd0071abc |
| SHA256 | c54b077107b28100dc2a5f121e1281d4e04bcc890f8640ae9de01ccdd728f60b |
| SHA512 | 18b9566aa6b9aedfde07b68c76ef6c9e37e73b8b51770cb5fbd246f71143a8f3914b141547e0ad1a450ca4b8314ca58d501a972e01fce9e9fc267169bc0a6940 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 0d527f37cfeed9b2c20416a8ee34750d |
| SHA1 | 37129a3759cf88a97daf9d218d44601f2dea7db9 |
| SHA256 | 0f3b9e3a64376b0e21ab5c67de30922df466127b5027f49307817817739e1843 |
| SHA512 | 471f6a7ea25eee0b476e330b8005b70a0617eab20786e0c85f62ae7636c5f316143d512d57348433e111d94f97997e627337e8a92512af47fcabc8aaadac0b7d |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 05fc9aab25226c1f2da96dfa8682a93b |
| SHA1 | bd1a7116b2f15e2927d15346ed2abe19fdae02c3 |
| SHA256 | e7dc95a8ea86d54e96a915dcfd13878f52276563ae97f16c567286567e342f58 |
| SHA512 | e621fc57387a6d696184f915583be15e409b4d22975329c49cd1a9a2f9cdb2f9ebca3e369abb83a6fd58fb84e7f2ed322bae00e8908082321851861a6969fe77 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 21:34
Reported
2024-05-19 21:36
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4972 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4972 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4972 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4964 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4964 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4964 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe
"C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 540b9b67841d4199b21880644c909be1 |
| SHA1 | 529a68d19b90f49eeb0275660661734dd0071abc |
| SHA256 | c54b077107b28100dc2a5f121e1281d4e04bcc890f8640ae9de01ccdd728f60b |
| SHA512 | 18b9566aa6b9aedfde07b68c76ef6c9e37e73b8b51770cb5fbd246f71143a8f3914b141547e0ad1a450ca4b8314ca58d501a972e01fce9e9fc267169bc0a6940 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 1de9e1c6719ac9d020b79eb85aa3951f |
| SHA1 | 08ee657ab95b829d8730232278e20f9a10b5fcaa |
| SHA256 | 078d8748c33fd6e646a6b7a7970bf2d1f2f89089ffa13fb34d4848bff1bd2608 |
| SHA512 | 93b727ef35e3601b15c36651e303bc130b8f119cf960bb478e8568808fbb3e95d69149fc7490da459a730cd29a815b5c111f410b7271ca1ff7ed6c423f46e0ed |