Analysis Overview
SHA256
0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad
Threat Level: Known bad
The file 0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 20:24
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 20:24
Reported
2024-05-20 20:54
Platform
win7-20240508-en
Max time kernel
120s
Max time network
132s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe
"C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f0a1260896500ebedad267bd6e5fdaff |
| SHA1 | 829670feaf6045b4aa97c7992c299049bb6d59cc |
| SHA256 | 99fc8980fe86e510363700c8af165a6328000bfc4a240cb9ffa6c30cc908619f |
| SHA512 | 28d01c6d8fb7f72f6097102d2ef962eda0543ac9eb1ad8e7c6ca058e870f068f411155acf33f605cbd9ae7047dd5dcd1470ed2bc285a857e320f77b170c60dd5 |
\Windows\SysWOW64\omsecor.exe
| MD5 | e9a6af68f6d438fe40061f4e35eafdfc |
| SHA1 | e1fd9cdf6fa5d2c92979ba0c516fe0728e29b7fa |
| SHA256 | 112dc5a1a76f3aee5a08458b8611ad1da587623d4d38b02aec5f82258e7c578f |
| SHA512 | a21c5ac9acbbed59edd5237619291840cc17af9f0731118b250b8dd2f0a4f980e7790ba7b8160ba7cd4860b612abeed369969bbeacbd5e2aade62f0416a40a29 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4019a72698806b11b12b943bd590ea45 |
| SHA1 | f7d9f38cc061153f7e50b0e6a5ec209b44b72e46 |
| SHA256 | 304b0a1f4a3326ebe88bd477615aea0d80e45c595ba01a3047169a1cf9542d56 |
| SHA512 | d52f260df718896bee10898cc7409fac31a971907982257866f7b41eb5f82a7d6273f9121716f2461fec89add4e3d9915de294178fdc93f22059be2d5332dfb4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 20:24
Reported
2024-05-20 20:54
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe
"C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 |  | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f0a1260896500ebedad267bd6e5fdaff |
| SHA1 | 829670feaf6045b4aa97c7992c299049bb6d59cc |
| SHA256 | 99fc8980fe86e510363700c8af165a6328000bfc4a240cb9ffa6c30cc908619f |
| SHA512 | 28d01c6d8fb7f72f6097102d2ef962eda0543ac9eb1ad8e7c6ca058e870f068f411155acf33f605cbd9ae7047dd5dcd1470ed2bc285a857e320f77b170c60dd5 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 933a7a2b47ac9208fe03ca8730867bcf |
| SHA1 | 7dc1b29cc62c40450f2c547d10bf7ac3f33fd534 |
| SHA256 | cd106c326df2e951e547decf570ceeaa9b415664c65ef0423acdde7af46cde89 |
| SHA512 | 08b74f6693f206896c324c7f5ad0a6519dd03fa45eb2ddfb299cc2354f4cf3a88d93c6bec88cbc945772b2eb2dc18951385c638a0193d9975c6752cafa2c788b |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 48ebcfc6a39b28f2d6176680d8baffdd |
| SHA1 | dfd1c01db42113a961cf3bcde403c455dc4786f9 |
| SHA256 | 64a57f6b03bd093577775c40aed3f455a2e95ef6509218eb8d05339765d5ced0 |
| SHA512 | 8f11c615aeebb2071052df831ac07eeb05b2053ad2803e5ae16b9cdad4680ec09297e7b300b0b10db77d650f519b029061df561becb27e72b8f6c5717f2c09f7 |