Analysis Overview
SHA256
3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d
Threat Level: Known bad
The file 3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 20:48
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 20:48
Reported
2024-05-19 20:51
Platform
win7-20240419-en
Max time kernel
119s
Max time network
129s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe
"C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | db6ff8d832660f61d66a6f5a22fd9830 |
| SHA1 | 88594363b258506bc228e2d6dc7b95e1173a16c0 |
| SHA256 | bb927993eae2d22117651936ded9f7f7a00d964ba42acf8975af8fdfb831c8a5 |
| SHA512 | 638baf7fd32a6c8021046e0161edd82aa836fc2056e431b76917d09676a4982f2eab18eccf57242a7fe535f7447c293e7af5abe068a5621c177b277956cd1bb6 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 15358bbbaee7a5629bb0ab8a06a20d9a |
| SHA1 | b222268c5e0d6b8a2d9865a2e7542a1064c296af |
| SHA256 | 374cd60d5987a93e3a477dc21aa1989f2524cee2c7595ca10f8efde11c70ec66 |
| SHA512 | ac505f34f632a55ea10aba05b9a6a04e477a17539173c6eea746a0faf2db164b67a73cb27c12e7111e9f520cd4be1b7eab71d98df30892e14a49417d617f3a2d |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | b1e82e612338f5c2d997a8be52666a5e |
| SHA1 | fa8d6f22d1e4e1f6dda94d03fe19f374d8f46600 |
| SHA256 | 009f78164c8b64e6e59b7e6a0988e6efbc8ae815e2171433aecfd44771563de9 |
| SHA512 | 1f53666846fe5c44a2f6d77a559defb22f083aee673d6d268a8988e5c8951637ff709314dfc3e3e033aa8a3ac26d81d5d0dee82157a4deb5529b94c2f3b3e81d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 20:48
Reported
2024-05-19 20:51
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe
"C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| BE | 2.17.107.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | db6ff8d832660f61d66a6f5a22fd9830 |
| SHA1 | 88594363b258506bc228e2d6dc7b95e1173a16c0 |
| SHA256 | bb927993eae2d22117651936ded9f7f7a00d964ba42acf8975af8fdfb831c8a5 |
| SHA512 | 638baf7fd32a6c8021046e0161edd82aa836fc2056e431b76917d09676a4982f2eab18eccf57242a7fe535f7447c293e7af5abe068a5621c177b277956cd1bb6 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 76e19677010c78c57b3c9af916180646 |
| SHA1 | 135b4c686bd44bc8d73d9ee6a53184e2a5db2815 |
| SHA256 | 318738b94698f899aa3ceda10badf411216d39cbb4ca46253f0ad902f8b2f6d3 |
| SHA512 | 6daf1917fb27cce4d6b4bad554163a5370e8ce31965fe714012b13a2013596cbc8fe23bc0d97c5eeab6c8b793a2b55d80052a00b9beb75b21f1f53664092f432 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 176dd97dfc3f6d3d02c2113447701433 |
| SHA1 | dc69ae9eed6b0431f2a33cd83e5c9bbc2c373c9e |
| SHA256 | 1a64dbf0384ddacc72a9392d12e86506e32c2f1890d0f339de50acc05c6d1917 |
| SHA512 | 85513e63af42d9e7d914fd33fbcc0df689454566276f947676245dea216d7187c70de3f004c3a7cb4d083240be331cc12797347c56bb7494691bc6f8f54f55fc |