Analysis Overview
SHA256
d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0
Threat Level: Known bad
The file d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 03:12
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 03:12
Reported
2024-05-20 03:14
Platform
win7-20240419-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe
"C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ad112a7823e24e6b70a6a425bd8545e9 |
| SHA1 | e13ae8a94a2e01f2051bf78d72a627eb513d1032 |
| SHA256 | 650acbbc5a72fe3bbfe1cb96ed6617c34cfe7422c7d16c267a8ac3b67e39530d |
| SHA512 | 08534dde254180a13072311c2f2e815bb162c2bbe7efc99f55a421ae03d9751f57063114c8d27af41bf3a50f0703c9711dee02323ed6be04f30f28fca353b3e3 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 540282c922cf0bdd6edc2649327bb237 |
| SHA1 | 0d436806b6864bae793be513766e94b3d18ea840 |
| SHA256 | 587fb03494f22e4979d1f75c7d0528cfb7083fcfe9ef57f576e4d130306d31f6 |
| SHA512 | 0a55ef516e8480ef6159ccc3bdc643a746762b1b42045ba87cb0108052ee0ccc6a20b1189357debdf199312e7aa764013174db0c7d4923f28f3cee5153520591 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0e656ff6fc57f656d2182deefd6938df |
| SHA1 | 8dd6471e7585e3cc327364046941d3bf93f06cdb |
| SHA256 | d66cdc6241d7e2a7c7d442cf5d011ea9ffdb166c2dda6be0654042a5f5c9f7bf |
| SHA512 | 144352bbd577be1da1cb945f3e00851205ef933e3a34c71bb4ef4a4dbedbb3ca2694f72f8be19bf7318b152d9828d9c56292d55adf1dc14532ecb7ee309fb8e1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 03:12
Reported
2024-05-20 03:14
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe
"C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ad112a7823e24e6b70a6a425bd8545e9 |
| SHA1 | e13ae8a94a2e01f2051bf78d72a627eb513d1032 |
| SHA256 | 650acbbc5a72fe3bbfe1cb96ed6617c34cfe7422c7d16c267a8ac3b67e39530d |
| SHA512 | 08534dde254180a13072311c2f2e815bb162c2bbe7efc99f55a421ae03d9751f57063114c8d27af41bf3a50f0703c9711dee02323ed6be04f30f28fca353b3e3 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 009f799a9c64f5ff90fd2864752dc265 |
| SHA1 | 1fa49c9862a4d45fe7c7b5f456f7c922b6e773b1 |
| SHA256 | 2cf46169accaf86c71a8d160eefab092962212e55b34d160e8b93b46a0084a09 |
| SHA512 | 56e564d37245a499eb58cf7c9f5e6f02a30b43bd2cb32ee19de21a75424f147a66894507b6e624edcc991042379a2c37ccc2256884d1dd0fb5eae82bd667b362 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8f7c324a3012bb93a9a23114827de172 |
| SHA1 | ba6279f58dd60b83b0a639108449e6d1e45c24c6 |
| SHA256 | 9fbdc5a346bb124a5bb0a15eb02b9b6afb3d75b4710f9047d39f4e30319e11a2 |
| SHA512 | aeacfa1a4040f3ef408bdede4648ff9846412fe74f499824262474da6c210e1ef1f34e97c09d44617a6c6d4cae7edbf948d0532d88ced6aec6b4926c5a71fe80 |