Analysis Overview
SHA256
6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf
Threat Level: Known bad
The file 6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 23:32
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 23:32
Reported
2024-05-20 23:34
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe
"C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ab9e0ef4695fa4bee67def5df4fb1ecd |
| SHA1 | bf0d1917d84d70ac72d95295e5387a032ea62dee |
| SHA256 | e50b4f4bff55d496bfcd12608aadf64f686ba9b29f3b8de31a7d587db85fa625 |
| SHA512 | 40f78a327a318ee61cc358775f10051c57328f0b6bb14a7b47d87135f6229a0f043355375359f77451fa32928d9cacf3b6fefafa8ea4f4582af5cd62d45bc3fd |
\Windows\SysWOW64\omsecor.exe
| MD5 | 5b809d2725ff2cd13ceb3a983539d6f3 |
| SHA1 | d21ceec32d6e85cb6c01db6ee1d5dee33a16024e |
| SHA256 | a7bece3fb7655260d85e738fc07842c3a911f4bc2a6883a5756e972c51e83cc5 |
| SHA512 | 8621ce92010290e2dfd39de837aad96cad08e367cf6d88dfc3144e48bdf0eae8a946bec0547e4b94a5a110aa6427198cec6341e03f077790820c7c708f88968f |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 816b8f2a9f4e7bc9b258c44f53505b2d |
| SHA1 | 3c4eb8bd7ed32bddd9d81f70d8146fabd8270d4d |
| SHA256 | 1f71c22b4ddaaa761ec4e9bd05814706bfeae1b42ac7a7c8d369b0d2a461bb26 |
| SHA512 | 4525ffb96c0a8c0c9c2b94026c257f4b7da3fccc02517a92fec086551d819e318a2570f76f036839f7f8bfaf1a4c390b4725ae87a447b399bc856b18f282abf0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 23:32
Reported
2024-05-20 23:34
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe
"C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ab9e0ef4695fa4bee67def5df4fb1ecd |
| SHA1 | bf0d1917d84d70ac72d95295e5387a032ea62dee |
| SHA256 | e50b4f4bff55d496bfcd12608aadf64f686ba9b29f3b8de31a7d587db85fa625 |
| SHA512 | 40f78a327a318ee61cc358775f10051c57328f0b6bb14a7b47d87135f6229a0f043355375359f77451fa32928d9cacf3b6fefafa8ea4f4582af5cd62d45bc3fd |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | b165536f08211cb68784102e26146fd1 |
| SHA1 | 15fd9da88f9b75ed261afa39b5a42d0a573f277f |
| SHA256 | d76dc384fe1430a5cdac36b9e36f4fa6042e1baf1a365cb70a58ef8201d03d14 |
| SHA512 | 19702192e47122f27fd4514683e6e572c0d89bd35d6f74b79e2ef65dd0034fa9fd07059c613095b8c5153e1218a14e8618f5f49c07cfe15dda020c4d2a0d93cf |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 652e0aad2f69fea18c9288eb0eed83fe |
| SHA1 | a523d787043e39a13a043c804279a4f4e57a41e1 |
| SHA256 | fd967fee329dcadf931139323a268f7cb511a7180d75a0850d798e8deb21e310 |
| SHA512 | 2b8dda73ed2dc372b221bae24b7a66267dcdd741b36f4f9f222dc74b3298c11e9caa29eda5654dbd71ceebdcadd072a940d7fd2fa8da696bfbd1682dba69f3cf |