Analysis Overview
SHA256
16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd
Threat Level: Known bad
The file 16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 19:02
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 19:02
Reported
2024-05-19 19:05
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe
"C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/1936-1-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | ddbaeb99c7021758c48b682e11b598af |
| SHA1 | 533ca988026b16b6317e31cd2c5f763ee5d52259 |
| SHA256 | d53287ccca304154bca58948dfa803304359531f552ff15c02923e63a12acc74 |
| SHA512 | 0a2e0194f6584471c3dca67cb7eb6b90564e375e623dc6d90e450dde43b8a96d747424c4706ddf079401aa66a3809e9f92c43cf72295a12568f07d8ca818a8c4 |
memory/2092-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2092-11-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 85971e20f54074fd519712b62ba889c4 |
| SHA1 | f143d1e8d73dc3614348bef24bacd1d5f3312b8e |
| SHA256 | 502c94c742faed269d83fd0091ab1aaf81de3a99afcaafb4391a0861b88fbdaa |
| SHA512 | 08153da7d1d5a442355863a8e9cfffc22b4beb953b7f48d675b2269c34bd24cd72c224e298c1df73bb2488fdb4f63354f2c03364abd3333930a3262374a6f12c |
memory/2092-16-0x0000000000530000-0x000000000055B000-memory.dmp
memory/2092-22-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | c9cb798465e20aba072d6dfb7387104f |
| SHA1 | a0fab0477695fc2e9caa6302e33144f3aed1216e |
| SHA256 | 4c24877ef306b934e93af990132554947ca6548718bd32b84ee59a29d4baf6fa |
| SHA512 | dd013b345750d492aa4d4b4233bb3dd55c52f923aadf70440784736fa87876bef72e219dc22a9dd8be77ced2d4dc6bb82709ead8ab714797e4c51bbae9aa7854 |
memory/2368-36-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2964-33-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/2964-32-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2368-37-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 19:02
Reported
2024-05-19 19:05
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1688 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1688 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1688 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1528 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1528 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1528 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe
"C:\Users\Admin\AppData\Local\Temp\16cd8fc0620e6eb5a8d341d0ce8b3bc8d7a6861e3eda2e4492bd6d5bc9645cdd.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.211:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.211:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/1688-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | ddbaeb99c7021758c48b682e11b598af |
| SHA1 | 533ca988026b16b6317e31cd2c5f763ee5d52259 |
| SHA256 | d53287ccca304154bca58948dfa803304359531f552ff15c02923e63a12acc74 |
| SHA512 | 0a2e0194f6584471c3dca67cb7eb6b90564e375e623dc6d90e450dde43b8a96d747424c4706ddf079401aa66a3809e9f92c43cf72295a12568f07d8ca818a8c4 |
memory/1688-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1528-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1528-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | a34345b5f45a6888424bddc3dd4762fb |
| SHA1 | 0b6ac8ee6a826e41cfc1b249bae76d7670a0b22f |
| SHA256 | ea0142b84cb0fb339196b37be2c51b9c770391eca2e8a754abc33c3ab8037a1f |
| SHA512 | 5ed7f0fd1afb5e60b27b4233ab389bcac3115a28abfd776693d53b83d8c5babdc213db72bd2be3aef7685daed67997ed2a429205c66054634a7bd2ba167d52b0 |
memory/2344-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1528-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2344-14-0x0000000000400000-0x000000000042B000-memory.dmp