Analysis Overview
SHA256
1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b
Threat Level: Known bad
The file 1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 19:23
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 19:23
Reported
2024-05-19 19:26
Platform
win7-20240221-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe
"C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 310d9a10351692f0e7c4a9b904813146 |
| SHA1 | 27b813a9eee71d69366abe8f2a1db700742310e3 |
| SHA256 | 29b04df61232f68789882af67f0467133ac23128b117d77197f832579fea2ca5 |
| SHA512 | eef492b73f4353662b4a1ecf276463ee27bce1b16bdb35209f8d09180734d65d4bc6e05dcc923c40db748384f1672111e07218be5dfcd232246f557936365780 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 3fe13d3e06c87c36d1969a83aeb809ed |
| SHA1 | cfb8211a3f81d9df6b73f553e0357e9c3b698c75 |
| SHA256 | dd95954a0212415c206bac516767be4b9f798c8df44ad8643376efc1de32d22b |
| SHA512 | bf613fce84bd3eb3e0bec5e0c49b3b83da1c34191d57bda47b8b89b6140d271201a07c10a70b87dd46b428680e34b3c84d2e050f05209ce0a2bae00312ae3628 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0e982cf4973d9a1f212dcbbd7212f286 |
| SHA1 | 72c891be5ddb1a0b47db0a3a81739f2730c8ea3a |
| SHA256 | e65e6ae10624d87af1421d94944761c5b3eada98e97d0499cd74e1c997f03251 |
| SHA512 | 8b4d616098980651cecf3069cdc21b79591c41703e64e3cb2b77dd17ed0f6e7cfb1680e0e155ab78c06cfbdd4d7559fb332af42352928146bae49f34bac84335 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 19:23
Reported
2024-05-19 19:26
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe
"C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 74.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 310d9a10351692f0e7c4a9b904813146 |
| SHA1 | 27b813a9eee71d69366abe8f2a1db700742310e3 |
| SHA256 | 29b04df61232f68789882af67f0467133ac23128b117d77197f832579fea2ca5 |
| SHA512 | eef492b73f4353662b4a1ecf276463ee27bce1b16bdb35209f8d09180734d65d4bc6e05dcc923c40db748384f1672111e07218be5dfcd232246f557936365780 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | daf50a5f047b682a4c7b9af1df4a25d8 |
| SHA1 | 0a4d80073efaff5052bbd6ae1fcd2a77e9ae395e |
| SHA256 | 4b05d90e4565a5e74e4f34785f905fb0a783a9490f265a19faf2e28da11de5f5 |
| SHA512 | 691ee912113c8df2d36ef951430a69bbdfa8bb8238f0782977522098e04c17a7f7372cf4b49d2834347bb108bcc85e5dcdca4ccba1fae0284a812fd08402355c |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f0b182a50c71faf153fa19121ee7c3e1 |
| SHA1 | fb4b07b8fc1feca4360f571abeb380553c7a141d |
| SHA256 | e52e12071ffc37f9c134a4b8de43122f57621db344ba7c04dd60975110c4e647 |
| SHA512 | 4cf9020f3eedbc54282f35ff4e30c73ad8194d776a52b28a1ea019b551c845ceaed5fa34b802f4ef6b2933d315fd35701f7479ea2c3ce2cd73730c29fd17d7bd |