Analysis Overview
SHA256
8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b
Threat Level: Known bad
The file 8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 23:50
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 23:50
Reported
2024-05-19 23:53
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe
"C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 104.155.138.21:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2988-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 2a27191f0dfc9299ba6b3173548ed99a |
| SHA1 | e2c92d92a9883162287295e37bd8b0dfd42b8452 |
| SHA256 | ecea83e57434f4c6428ba071790cf9c6b5e7fa0a93b5add3abd08868cbe422c2 |
| SHA512 | 2873fb59637cbdf76a3bbf29f9bcb2958527d1fe5aebdd7117e6aa81516d21a0fe9a73beb37cece0ebf11cd4a2f7b95e21d55c023799509677a54da0dad423ef |
memory/2988-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1964-10-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1964-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | e66f2d96e95f784919c5ec7f904c7843 |
| SHA1 | 45a181e41bc464272874ec19fa8c46f6898f36c1 |
| SHA256 | 99b4dfdf381642f85d32772759bb9a0efb476d286ce5cb63564ae392165dbd1b |
| SHA512 | ee432d3deabd74a5d5384f4b23e2bb696016485563e7c671e88d3066b4abc651ecb6788bb73776dd98230c18afe84f1b284766c3a34cbef5b8db32393d58b9f4 |
memory/1964-15-0x0000000000310000-0x000000000033B000-memory.dmp
memory/1964-21-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2692-25-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | c80865ea75fcca4187e888cb33d32115 |
| SHA1 | b444ef642018a0358e8c996580efe4c017235f83 |
| SHA256 | d03e60079cfdacdb6a0892e3817b56ef71e9f055981e5d990fa6286ef9398cd7 |
| SHA512 | 3c78bd4d4f97acb6416f39a8d34cd5b111df9d62e86aa911dd793e2fd7d7038673d0023eb26477b6edb200ec1196d03a2a158b5d3afca88d9e78c4afe63c323b |
memory/1868-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1868-35-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 23:50
Reported
2024-05-19 23:53
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe
"C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 104.155.138.21:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 21.138.155.104.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 2a27191f0dfc9299ba6b3173548ed99a |
| SHA1 | e2c92d92a9883162287295e37bd8b0dfd42b8452 |
| SHA256 | ecea83e57434f4c6428ba071790cf9c6b5e7fa0a93b5add3abd08868cbe422c2 |
| SHA512 | 2873fb59637cbdf76a3bbf29f9bcb2958527d1fe5aebdd7117e6aa81516d21a0fe9a73beb37cece0ebf11cd4a2f7b95e21d55c023799509677a54da0dad423ef |
memory/744-1-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1564-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1564-6-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 59b719d9cb0cec45d20a7dafd2b5cdd3 |
| SHA1 | d5afdcea6550766a235cca0167dffda7b5cf90c7 |
| SHA256 | f695128ac266234ee50fd296c9910c8f94a07c8a6cbf184033fe99ab865b4fe9 |
| SHA512 | c6db6c601536e3897bf3514f077be77d2677e37d6a37634c1811ee5fecf96faec383f62bdaec65c23c0316a15f5feb317bc9a3443ec7af30b0c4e03e6127a01d |
memory/1564-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4768-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 97222e1edc2628a6c308311e21183124 |
| SHA1 | 869bab22c55cbbd176768315d563c00df0cd7415 |
| SHA256 | 4a4207efdf916748feda5ec281d1bf7ed99a36edec56ffa87006a4bc316063d2 |
| SHA512 | fe6caae00be0dca45a52c27b4b50e391dac3ba69940615d422f63015fb4a5dfaa83e57097e089f7c282b22ee66fbf3854f51a0df300381fb7bf6065b5a2dd248 |
memory/4768-16-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2732-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2732-19-0x0000000000400000-0x000000000042B000-memory.dmp