Analysis Overview
SHA256
4967af89b53c19b88a83be6df715f209e3c272b6f624e72248ac17a1d1b035a8
Threat Level: Known bad
The file 4967af89b53c19b88a83be6df715f209e3c272b6f624e72248ac17a1d1b035a8 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 22:01
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 22:01
Reported
2024-05-20 22:04
Platform
win7-20240221-en
Max time kernel
121s
Max time network
131s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4967af89b53c19b88a83be6df715f209e3c272b6f624e72248ac17a1d1b035a8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4967af89b53c19b88a83be6df715f209e3c272b6f624e72248ac17a1d1b035a8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4967af89b53c19b88a83be6df715f209e3c272b6f624e72248ac17a1d1b035a8.exe
"C:\Users\Admin\AppData\Local\Temp\4967af89b53c19b88a83be6df715f209e3c272b6f624e72248ac17a1d1b035a8.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 83174a846138a0b3b5f5af8df2d8400e |
| SHA1 | 41fa3515fefa3670e60427f002204892b9061a9d |
| SHA256 | 5db64da7e939de2fcdad55f2f8a2bf44ff813bd741824344ba1950c006316ab2 |
| SHA512 | 87464c08bb717c3a30b1fbceecb1c2d7c53dc1ed662713a38789bb33f770767a6807f112219131f73132d1ed32b9e1bba1f952ccdfc938804b320c5fef353cf1 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 009b76ca728ebc8ab48eacc7581495f7 |
| SHA1 | 38eaf8d2a059884ea9f222bb000a62b5697b8f97 |
| SHA256 | 9de2c72d54fe3022c06cc18fa9677896c1d5363581c42a4fee3ba1701e448875 |
| SHA512 | 1717c7603af0bb4390522aee638082e46bf3549e4cd9b920fe1a7d64618bea1af2a37b2c6e4e4e6101da4d8954e0fe02d7a4890be8de5d5b15b6bcf8da365535 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0db6b07cadc0951d4dcb66d5b1e5b5c0 |
| SHA1 | 4aaebbe2614b21e491433a25c892849a9bf16feb |
| SHA256 | 84b06bd9384d3278476851c2723daa20e1a8805e3f12289705738a2ac148f7c5 |
| SHA512 | 14d5eba4408224774b2d4882ea17447282b0ba4956658e86c10bb545617d42acc4d7ac0ba0580171442f5077cf5e070a75cc81202d58c0c267ade46bc20dd243 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 22:01
Reported
2024-05-20 22:04
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
148s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4967af89b53c19b88a83be6df715f209e3c272b6f624e72248ac17a1d1b035a8.exe
"C:\Users\Admin\AppData\Local\Temp\4967af89b53c19b88a83be6df715f209e3c272b6f624e72248ac17a1d1b035a8.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 83174a846138a0b3b5f5af8df2d8400e |
| SHA1 | 41fa3515fefa3670e60427f002204892b9061a9d |
| SHA256 | 5db64da7e939de2fcdad55f2f8a2bf44ff813bd741824344ba1950c006316ab2 |
| SHA512 | 87464c08bb717c3a30b1fbceecb1c2d7c53dc1ed662713a38789bb33f770767a6807f112219131f73132d1ed32b9e1bba1f952ccdfc938804b320c5fef353cf1 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d9df07559dfa418eccf783d368625927 |
| SHA1 | c0d84a4f1394d96a00a6f8baf4504eed973b38b1 |
| SHA256 | 280d21bc46639d9f4e4b5b37b185ffaa423792b51a69e3559561c49b0ea7e9bf |
| SHA512 | dd80844a5088b3f2024c8b4fc6814f11d2bca4896051aa2ba05c1f0ab7a93084ad0fd2c0e058054e135a26aaff925f7ff2f2661a5345e4038a2505b48f9abbcb |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b8d7b5e3b351c41c96692d420ebd1487 |
| SHA1 | 00514cbbb8762d1245d8e601a3700e27b754ce40 |
| SHA256 | 9c25e32e9ca08d659c3ab656a55055c87cbbec6bb66e654fdd333b07e51c2c74 |
| SHA512 | 751e9c12de4a0c571ba0e524e81eba999fece3e508c407fbf1e3d10bee338f64e21b0c5ec59be44d8f843d0fc5e569736cef7557d881d911d06ab9be897d0db0 |