Analysis Overview
SHA256
cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43
Threat Level: Known bad
The file cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 02:59
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 02:59
Reported
2024-05-20 03:02
Platform
win7-20231129-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe
"C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2200-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 30bbb6b75769c5bb0bcf764906690d9b |
| SHA1 | 4f1f2cc020dddc6d0108812624022e8e53dc65a6 |
| SHA256 | 4f6464c1bd11617b3a72b98ea2c8762866c5b3da6fd037ac51eeacf95b8d58d7 |
| SHA512 | f87b322bebab41e6750efab17f662ed7771f6df9ddc93d681278e8c58844540c78ed302be6bf0f3f374e7bbfad16d5a851dfd448de1eeb5556776027ad6b43c1 |
memory/2208-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2200-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2208-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 3e43fd008ae33d75c2873ecb885f7602 |
| SHA1 | 32fe077bf9bbbe18a7b8ba31db1acdc8f7ba758e |
| SHA256 | df00b466e41187945aec62289b655c6f01f1e849624869e74dcde55f25c9f558 |
| SHA512 | fa2858bd5c7ad8a56511db322198946124537996e20de62e1a9314fe4942e6f7c5579a210ed637a8b802abb54bcb16008505e06edfd9cf3071d92e875157c3bd |
memory/2208-17-0x0000000000330000-0x000000000035B000-memory.dmp
memory/2208-23-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | ebee397ed13d5f0e150b2b7381fc19c5 |
| SHA1 | 267a31e483814c9b8e6ded1ffa83ce7a042e823b |
| SHA256 | 720ee33903dd414996bf5506b000eaf172240858a468d756019b0279183f73b8 |
| SHA512 | fe8368078a49f9518d37e4851ccc2c1cdf3a7a4082b8fd46bb38d0260b5e2e550b2bf0732ee7383873738d782e7098c3b043b522e3f0666f9d734260822eab98 |
memory/1988-35-0x0000000000400000-0x000000000042B000-memory.dmp
memory/952-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1988-37-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 02:59
Reported
2024-05-20 03:02
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe
"C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2660-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 30bbb6b75769c5bb0bcf764906690d9b |
| SHA1 | 4f1f2cc020dddc6d0108812624022e8e53dc65a6 |
| SHA256 | 4f6464c1bd11617b3a72b98ea2c8762866c5b3da6fd037ac51eeacf95b8d58d7 |
| SHA512 | f87b322bebab41e6750efab17f662ed7771f6df9ddc93d681278e8c58844540c78ed302be6bf0f3f374e7bbfad16d5a851dfd448de1eeb5556776027ad6b43c1 |
memory/4684-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2660-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4684-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 683c3665ae04e6c26c007d8238c0c8f4 |
| SHA1 | bb8f11f72de28c6eb5c05651f0691553d2c82d86 |
| SHA256 | f181c6913d75f4ea36abf33c2d50cbc74f37e6c72112df485184d0a210218e74 |
| SHA512 | c8fff0cd0343069fc6dad56921884013604f631bffaff278091cbfcce781f8ff581386aa10eba853a3a94820a94e84e8cd0f35a8c1030695fa2e70c62f2dd8bb |
memory/4684-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4384-13-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | ff0a69a7db828df49bce7dcc139af561 |
| SHA1 | fa228fb63e66d1f786ff76ae7b7e502b1bea4e3d |
| SHA256 | f04b2aa2512580bbe0bce86589f4f4f83504c75dfbbfa96a1d3570313c248704 |
| SHA512 | 026d412dd9470b2f41ecd195a0b4ee2b9802ecd157b37311fcd6f3842e2b58c8e1e25ade824646b44f83cc5ed3eba862ef653200c879b1445d1349674dbb602a |
memory/4384-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/216-19-0x0000000000400000-0x000000000042B000-memory.dmp
memory/216-20-0x0000000000400000-0x000000000042B000-memory.dmp