Analysis Overview
SHA256
b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4
Threat Level: Known bad
The file b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 01:51
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 01:51
Reported
2024-05-20 01:53
Platform
win7-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe
"C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 495f99da6f9325c15747e701f6a5acc0 |
| SHA1 | 347efe456007d950712cd40022d5c5f62077b0eb |
| SHA256 | 9c1864811146f9dc145ab0a67b59d23dd61422b25d1321e14516cd13025a76e0 |
| SHA512 | 7f739ca8a988849a900dc4743426814088cc6287f46484ad3297ff9b4b80e0430caff4c32f8406f8cf2bab8f180a923b0ee51ba1f19bb55983d2d55b0f4f36c2 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 1bc2ef67815238cef42d96c72c0faf52 |
| SHA1 | c4830e7f0619643ec68705db3d304502276b7bb0 |
| SHA256 | 6a4079a5d47c58172f8f44fc54338fb397091b80a59248931d7a731f60211946 |
| SHA512 | 393b614e23a4bb5048f7a8202e8b04bd4500f62b26161a08525b7330b6ddd24f3c002dae4531cd78bed6eda0320b35eafe81cc256569919985c01d75778cc898 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | aebb4fcd284ced53358f39c8d85d39af |
| SHA1 | f75dff9d554917e620cfe39d6c332765bed4a9e0 |
| SHA256 | 342902995e3d01769e32b65d9681ad968e2dc672a9c8e8e2e76aa2f69dbf9dc4 |
| SHA512 | 5573aa77c6204c52338c1138f68aa9dd9d3880611be1751ebb621d072da2c898df381d33817201db5849f2723d492d80b191273de23d1ee1ed51c67bddaed86a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 01:51
Reported
2024-05-20 01:53
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe
"C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 495f99da6f9325c15747e701f6a5acc0 |
| SHA1 | 347efe456007d950712cd40022d5c5f62077b0eb |
| SHA256 | 9c1864811146f9dc145ab0a67b59d23dd61422b25d1321e14516cd13025a76e0 |
| SHA512 | 7f739ca8a988849a900dc4743426814088cc6287f46484ad3297ff9b4b80e0430caff4c32f8406f8cf2bab8f180a923b0ee51ba1f19bb55983d2d55b0f4f36c2 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 4368eba2d3a8362da347724e2600b29c |
| SHA1 | c01e7d3a404aa1746808b9c001958ce7cfb51b6d |
| SHA256 | 293f7694b1b0fe646c0145ea38e40c9a130b8d89037c269507ecf0fc0ab1d49c |
| SHA512 | 94fbd9f91e2114b2888c0c528444d3f47c65166e51fd595e7df95723862e9b31186d7891a40026b5e6adcc212c37de06bae6be2817c7f1cbb7c76e468c4dc120 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 10b4cf97cac1f873a03edfac30dd7a99 |
| SHA1 | 784c4538083b7c02e2e67eb0554382ecfcdc2e8a |
| SHA256 | a6ff69d31dfa781268ab16b1ccd5594c8426711eab50712ef8af269256ac1db7 |
| SHA512 | d24ad22cd8a9ca43cf971ebd296c7e3f62e467e50a7a957818c1e40adcfb7fbbed34ed52638878143c837c8282c7603d27a09cec74ef97c4a27a0193ca598b04 |