Analysis Overview
SHA256
f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6
Threat Level: Known bad
The file f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-20 04:39
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 04:39
Reported
2024-05-20 04:41
Platform
win7-20240221-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe
"C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
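The chain the behavioral run records is: the submitted sample in %LOCALAPPDATA%\Temp writes omsecor.exe into %APPDATA%\Roaming and runs it, that copy writes omsecor.exe into SysWOW64 and runs it, and the SysWOW64 copy resolves and connects to lousta.net, mkkuei4kdsz.com and ow5dirasuek.com on port 80. One detail matters before turning this into a rule: the Processes list shows C:\Windows\System32\omsecor.exe while the file-create event shows C:\Windows\SysWOW64\omsecor.exe. That is consistent with WoW64 file system redirection, under which a 32-bit process that opens a path under System32 is transparently redirected to SysWOW64, so a rule keyed on the literal System32 path would miss the file. The Python below is an added example, not code from the sandbox vendor or from this report: it runs four rules (executed dropped EXE, user-space process writing into %windir%, DNS query and connection to the listed C2 hosts) over a constructed set of Sysmon-style events that mirror behavioral1. Field names follow Sysmon's; the events themselves are made up for the demo, including the bing.com lookup that stands in for the OS background noise visible in the win10 run's Network table and must not fire.

```python
import re

# Network IOCs from the report's Network table: the three domains the dropped
# omsecor.exe queried and the hosts they resolved to during detonation.
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "35.91.124.102"}

# Locations an unprivileged user can write to, and the protected directories the
# "Drops file in System32 directory" signature is about.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)


def normalize_wow64(path: str) -> str:
    """Map a System32 path to where a 32-bit process's write actually lands.

    Assumption: WoW64 file system redirection is in effect (the default for a
    32-bit process on 64-bit Windows), which is why the report lists the process
    as System32\\omsecor.exe but the created file as SysWOW64\\omsecor.exe.
    """
    prefix = "c:\\windows\\system32\\"
    if path.lower().startswith(prefix):
        return "C:\\Windows\\SysWOW64\\" + path[len(prefix):]
    return path


def detect(events):
    """Return [(rule, event), ...] for every event matching one of four rules.

    Sysmon EventIDs used: 1 ProcessCreate, 11 FileCreate, 22 DnsQuery,
    3 NetworkConnect. Events are processed in order, so a file counts as a
    "dropped EXE" only if its creation was seen earlier in the same trace.
    """
    dropped = set()        # normalized, lower-cased paths created so far
    findings = []
    for ev in events:
        eid = ev["EventID"]
        image = normalize_wow64(ev["Image"])
        if eid == 11:
            target = normalize_wow64(ev["TargetFilename"])
            dropped.add(target.lower())
            # A process living in a user-writable directory writing into %windir%.
            if SYSTEM_DIR.match(target) and USER_WRITABLE.match(image):
                findings.append(("user_process_writes_system_dir", ev))
        elif eid == 1:
            # "Executes dropped EXE": the new process's image was created earlier.
            if image.lower() in dropped and image.lower().endswith(".exe"):
                findings.append(("executes_dropped_exe", ev))
        elif eid == 22:
            if ev["QueryName"].lower() in C2_DOMAINS:
                findings.append(("dns_to_known_c2", ev))
        elif eid == 3:
            if ev["DestinationIp"] in C2_IPS:
                findings.append(("connect_to_known_c2", ev))
    return findings


# Constructed events mirroring behavioral1 (not the sandbox's raw log).
TEMP_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
            r"\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe")
ROAMING_EXE = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYS32_EXE = r"C:\Windows\System32\omsecor.exe"    # path as the process was launched
SYSWOW_EXE = r"C:\Windows\SysWOW64\omsecor.exe"   # path where the file landed

SAMPLE_EVENTS = [
    {"EventID": 1, "Image": TEMP_EXE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": TEMP_EXE, "TargetFilename": ROAMING_EXE},
    {"EventID": 1, "Image": ROAMING_EXE, "ParentImage": TEMP_EXE},
    {"EventID": 11, "Image": ROAMING_EXE, "TargetFilename": SYSWOW_EXE},
    {"EventID": 1, "Image": SYS32_EXE, "ParentImage": ROAMING_EXE},
    {"EventID": 22, "Image": SYS32_EXE, "QueryName": "lousta.net"},
    {"EventID": 3, "Image": SYS32_EXE, "DestinationIp": "193.166.255.171",
     "DestinationPort": 80},
    # OS background noise of the kind the win10 run's table shows; must not fire.
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "www.bing.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {ev['Image']}")
```

Running the block prints five findings: the Roaming copy executed, the Roaming copy writing into SysWOW64, the SysWOW64 copy executed (matched only because the System32 image path was normalized), then the DNS query and the port-80 connection; the svchost and notepad events produce nothing.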
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 32253a47273278b1128b91830b267488 |
| SHA1 | eda4aab36b06bfd22ca9a9235342df67dca71993 |
| SHA256 | 2ace238d95b0fb8fb6ccef4822cd9cccc76d131bb87dcff53424999430349249 |
| SHA512 | 8def47f16e1856a0c0cedd955853f40a4771fd7d2ab66b076ae76e28796b6de3e8d2291627bc6138cfea34531688bc6c69a06c0c6318478dd19fdeb540f85463 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 110af80ab7627254d0bdfb33da0fc9d1 |
| SHA1 | 9f1f948edad862f1d60bea286217777593054894 |
| SHA256 | ebbb47554a3b81278e46c6c7c166078a5ab43967a8c99501c2029419480f021f |
| SHA512 | 0c46616e88342ebaae44dc3b22d555dc4f3aebbad28a06ad7e89d1b9be08b1479380c2c676849eb9fce910b6fa784617dd1dded6e0fc7cf1bc8bd2056ec5d1b5 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8be5abf1ca351315c8984e876c3e6224 |
| SHA1 | 6c06a8bbbd810d9efad2beb902005575b98c74b9 |
| SHA256 | d7d0ad6344b2659ed53545bda1163021924c6b8250cd40028f5b2f87cad16e2b |
| SHA512 | 8aaea9feffa115e782b5b2693740302267e539e4aff302d85d9f60393258908e6f7363570a7b081e929d5e17515e49354f9615771d020e446acc36479e342031 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 04:39
Reported
2024-05-20 04:41
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe
"C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 32253a47273278b1128b91830b267488 |
| SHA1 | eda4aab36b06bfd22ca9a9235342df67dca71993 |
| SHA256 | 2ace238d95b0fb8fb6ccef4822cd9cccc76d131bb87dcff53424999430349249 |
| SHA512 | 8def47f16e1856a0c0cedd955853f40a4771fd7d2ab66b076ae76e28796b6de3e8d2291627bc6138cfea34531688bc6c69a06c0c6318478dd19fdeb540f85463 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 21bbf310a8d596850d68345057469800 |
| SHA1 | ce028ab9516f3961df4db0a9d5042381c36d8539 |
| SHA256 | f83b08937d54c18fe89b203f9c4ebee88b23db2214e05d6ce31a472ba37228e4 |
| SHA512 | 705f421f8ba02acefcf99537dea36ffda8c2cd95dea426f081574c303e54fd1b950c3596dbcecd9c1bf2e9f9f16f178a469dd53425c23a5e8645318c0e93c9e2 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 94a28e45affa6f1759751b08caa3a399 |
| SHA1 | d603d25db16de015fb1acecf8177b4a63bf5b7dc |
| SHA256 | ed415e17c4d9796cdb39a49f1f6619d9a4861487de90fa67e3719020a05589ef |
| SHA512 | 6584bd1dbe0ceab17e519e4fb5d42f184714ee2a3624df58d09ae8ebae5c1f51be0d2c1efaaaa949312638ac0f81611872f081b8486bc63ae57507eaaea05829 |
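Across the two detonations only the first-stage copy of omsecor.exe in %APPDATA%\Roaming keeps the same SHA256 (2ace238d...); the SysWOW64 copy differs between the win7 and win10 runs, and within each run the Roaming path appears twice with two different hashes, so the file is rewritten after the first stage executes. A hash IOC therefore covers only the initial drop, and the path and file name carry more of the detection value. The Python below is an added example, not the vendor's or the report's code: it takes the SHA256 values from the two Files tables above, works out which survive both runs and which paths were overwritten, then scans a directory both by hash and by the dropped file name. The files it scans are constructed in a temporary directory for the demo; the hash of one constructed file is added to the IOC set so that the hash path of the scanner is exercised offline.

```python
import hashlib
import tempfile
from pathlib import Path

# (path, SHA256) for each dropped file, in the order the report's Files tables list them.
RUNS = {
    "behavioral1": [
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "2ace238d95b0fb8fb6ccef4822cd9cccc76d131bb87dcff53424999430349249"),
        (r"C:\Windows\SysWOW64\omsecor.exe",
         "ebbb47554a3b81278e46c6c7c166078a5ab43967a8c99501c2029419480f021f"),
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "d7d0ad6344b2659ed53545bda1163021924c6b8250cd40028f5b2f87cad16e2b"),
    ],
    "behavioral2": [
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "2ace238d95b0fb8fb6ccef4822cd9cccc76d131bb87dcff53424999430349249"),
        (r"C:\Windows\SysWOW64\omsecor.exe",
         "f83b08937d54c18fe89b203f9c4ebee88b23db2214e05d6ce31a472ba37228e4"),
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "ed415e17c4d9796cdb39a49f1f6619d9a4861487de90fa67e3719020a05589ef"),
    ],
}


def stable_hashes(runs):
    """SHA256 values seen in every run: the only ones worth shipping as hash IOCs."""
    return set.intersection(*({h for _, h in files} for files in runs.values()))


def rewritten_paths(files):
    """Paths that carried more than one distinct hash within a single run, i.e. the
    file on disk was overwritten between stages."""
    seen = {}
    for path, h in files:
        seen.setdefault(path.lower(), set()).add(h)
    return {p for p, hashes in seen.items() if len(hashes) > 1}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root: Path, hashes, filename="omsecor.exe"):
    """Walk root; report files matching a known hash, and files that merely reuse
    the dropped name (a weaker signal, but one that survives the per-run rewrite)."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if sha256_file(p) in hashes:
            hits.append((p.name, "hash"))
        elif p.name.lower() == filename:
            hits.append((p.name, "name"))
    return hits


def demo_scan():
    """Constructed fixture: a renamed file whose hash is added to the IOC set, a file
    that only reuses the dropped name, and a clean file. None of these are real samples."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "renamed.bin").write_bytes(b"constructed payload bytes")
        (root / "omsecor.exe").write_bytes(b"different bytes, same name")
        (root / "clean.txt").write_bytes(b"nothing to see")
        iocs = stable_hashes(RUNS) | {sha256_file(root / "renamed.bin")}
        return scan(root, iocs)


if __name__ == "__main__":
    print("stable across runs:", sorted(stable_hashes(RUNS)))
    for name, files in RUNS.items():
        print(name, "rewritten:", sorted(rewritten_paths(files)))
    print("scan:", demo_scan())
```

On the report's data `stable_hashes` returns the single Roaming first-stage hash and `rewritten_paths` returns the Roaming path for both runs; the demo scan flags the renamed file by hash and the name-only file by name, and ignores the clean file.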