Analysis Overview
SHA256
5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182
Threat Level: Known bad
The file 5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-21 23:40
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 23:40
Reported
2024-05-21 23:43
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe
"C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2b7cb605a9a35c95f811cad269f2ba11 |
| SHA1 | a23c1f0c62ddd843f71404e25f85b9f07cff37a6 |
| SHA256 | bc530de8342e917474f2bd9eb4a1a5bbbf94221894f2432a9e5f52086ab96004 |
| SHA512 | fbe02d52113f68409740b0450897bb57eb05c55f2dab7a6d99dba41baa1bf63bcdd609c37d911ecec917534b616750d568ca522ca4363c0671d0495842eb8bab |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | f86ae9771bfce9b7d8a824034126064a |
| SHA1 | 9567fee060e42096993d1db60d2c1da0d5b5d8ae |
| SHA256 | 0e22ea611da48723be1f630b44ea11ec57e44040450ab173b9623df61793098d |
| SHA512 | 6f9e9ec06e1a8b73b9f0e7dae93dbbc65dfb32e4826614de17ce4d93027e5a44086483cb9ee7a5fede88e843d0a28e41a9e128b3cf95117c588a491891527bfe |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5c0e6f802782cf138a88c68deb901032 |
| SHA1 | ea159339a28c13f2ff14eaf945638a0502a83c01 |
| SHA256 | f954c5a0b24ba7ccfa51642e791359f7e5be9a17a0514b60864ffdc76334dcea |
| SHA512 | 9b58b57a81eaad1254b2b68ec228e90b767fbb4a6b79c1666d070134c34c0ae11f107e56ebaf9e44bb6dbc77043d55fd0ebc7fca8443fca73d5510861cf69051 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 23:40
Reported
2024-05-21 23:43
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe
"C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2b7cb605a9a35c95f811cad269f2ba11 |
| SHA1 | a23c1f0c62ddd843f71404e25f85b9f07cff37a6 |
| SHA256 | bc530de8342e917474f2bd9eb4a1a5bbbf94221894f2432a9e5f52086ab96004 |
| SHA512 | fbe02d52113f68409740b0450897bb57eb05c55f2dab7a6d99dba41baa1bf63bcdd609c37d911ecec917534b616750d568ca522ca4363c0671d0495842eb8bab |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | bd18b6011bdf619211204e53e4ec8550 |
| SHA1 | d81b62c31f0a24d3b2ca69a125728b29ee81d785 |
| SHA256 | 495da2b12f1c37a9bf9360f912021334377685a50653fcded894d31ce24b5685 |
| SHA512 | 29390936c3bff1917658657766fe4dcebf76303d8215d76fc05051e1e2da9afd5f4165d7e990540fed808b190d74da7f4348c0de905b0529e64aecfd7ce7745a |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 1b87adbc99d8a7c01bca621fdb313252 |
| SHA1 | ab35df0ba0fd4f0e4cd862d80a3f099d62046857 |
| SHA256 | 392450f840c41721ce3a3d82b93e2e5039262b843d3f143a8ad33c492e7467e3 |
| SHA512 | b54894e3884b48ef0ad876718da743554f11ee9cfa2a307b7a0ea10e526dfa3db4136c7ba1a995460c20a81dc772ed46f32a3c6ddd636ad46f44aaaba247bb6f |
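The script below is an added hunting example, not part of the sandbox report. It takes the indicators recorded in both detonations (the submitted sample's SHA256, the hashes of every dropped omsecor.exe, the three contacted domains and their resolved IPs, and the two drop paths) and sweeps them over a handful of constructed Sysmon-style log records. Two points from the report shape the matching logic. First, the Files sections record three different SHA256 values for C:\Users\Admin\AppData\Roaming\omsecor.exe and two for the SysWOW64 copy, so hash-only hunting is brittle and the path and behaviour matches are the ones to rely on. Second, the Processes list names the running copy C:\Windows\System32\omsecor.exe while the Files list and the "Drops file in System32 directory" signature put the file in C:\Windows\SysWOW64; that is how a 32-bit process refers to the same file under WoW64 file-system redirection, so the path normaliser folds the two together. The 8.8.8.8 resolver traffic and the win10 run's bing.com and in-addr.arpa lookups are sandbox background and are deliberately not treated as indicators. The log format, host names and the two non-report hashes in the sample records are constructed for the example.

```python
"""Offline IOC sweep for the omsecor.exe detonation above.

Indicators (hashes, domains, IPs, drop paths) are copied from the sandbox
report. The log lines below are CONSTRUCTED Sysmon-like records, not real
telemetry, so the script runs stand-alone and offline.
"""
import re

# Hashes recorded in the report: the submitted sample plus every dropped copy.
FILE_SHA256 = {
    "5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182",  # submitted sample
    "bc530de8342e917474f2bd9eb4a1a5bbbf94221894f2432a9e5f52086ab96004",  # Roaming\omsecor.exe, both runs
    "f954c5a0b24ba7ccfa51642e791359f7e5be9a17a0514b60864ffdc76334dcea",  # Roaming\omsecor.exe, win7
    "0e22ea611da48723be1f630b44ea11ec57e44040450ab173b9623df61793098d",  # SysWOW64\omsecor.exe, win7
    "495da2b12f1c37a9bf9360f912021334377685a50653fcded894d31ce24b5685",  # SysWOW64\omsecor.exe, win10
    "392450f840c41721ce3a3d82b93e2e5039262b843d3f143a8ad33c492e7467e3",  # Roaming\omsecor.exe, win10
}
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "35.91.124.102"}  # 8.8.8.8 is the resolver, not an IOC
# Drop locations as produced by normalize_path(): profile folded to %APPDATA%, SysWOW64 folded to System32.
DROP_PATHS = {"%appdata%\\omsecor.exe", "c:\\windows\\system32\\omsecor.exe"}


def normalize_path(path):
    """Canonicalise a Windows path for matching.

    Lower-cases, strips quotes, replaces C:\\Users\\<name>\\AppData\\Roaming with
    %APPDATA%, and folds SysWOW64 onto System32. The report lists the dropped file
    under SysWOW64 but the running process under System32; that is how a 32-bit
    process names the same file through WoW64 file-system redirection.
    """
    p = path.strip().strip('"').lower()
    p = re.sub(r"^c:\\users\\[^\\]+\\appdata\\roaming", "%appdata%", p)
    return p.replace("\\syswow64\\", "\\system32\\")


def domain_matches(query):
    """True if the DNS name is one of the report's C2 domains or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def parse_event(line):
    """Parse one constructed 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)


def match_event(evt):
    """Return the list of indicator classes this event hits (empty if none)."""
    hits = []
    kind = evt.get("type")
    if kind == "file_create" and normalize_path(evt.get("target", "")) in DROP_PATHS:
        hits.append("drop_path")
    if kind == "process_create":
        if normalize_path(evt.get("image", "")) in DROP_PATHS:
            hits.append("exec_dropped")
        if evt.get("sha256", "").lower() in FILE_SHA256:
            hits.append("known_hash")
    if kind == "dns_query" and domain_matches(evt.get("query", "")):
        hits.append("c2_domain")
    if kind == "network_connect" and evt.get("dst_ip") in C2_IPS:
        hits.append("c2_ip")
    return hits


def sweep(lines):
    """Run every record through match_event; return (host, type, hits) for the ones that match."""
    out = []
    for line in lines:
        evt = parse_event(line)
        hits = match_event(evt)
        if hits:
            out.append((evt.get("host"), evt.get("type"), hits))
    return out


# Constructed sample telemetry modelled on the behaviour in the report (hosts and the
# two all-zero / all-one hashes are made up for the example).
SAMPLE_LOG = [
    "host=WS01|type=process_create|image=C:\\Users\\jdoe\\AppData\\Roaming\\omsecor.exe|sha256=bc530de8342e917474f2bd9eb4a1a5bbbf94221894f2432a9e5f52086ab96004",
    "host=WS01|type=file_create|image=C:\\Users\\jdoe\\AppData\\Roaming\\omsecor.exe|target=C:\\Windows\\SysWOW64\\omsecor.exe",
    # 32-bit view of the same drop with a hash not in the report: the path match still fires
    "host=WS01|type=process_create|image=\"C:\\Windows\\System32\\omsecor.exe\"|sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "host=WS01|type=dns_query|query=lousta.net",
    "host=WS01|type=network_connect|dst_ip=193.166.255.171|dst_port=80",
    "host=WS01|type=network_connect|dst_ip=8.8.8.8|dst_port=53",  # resolver traffic, must not match
    "host=WS02|type=process_create|image=C:\\Windows\\System32\\svchost.exe|sha256=1111111111111111111111111111111111111111111111111111111111111111",
    "host=WS02|type=dns_query|query=www.bing.com",  # present in the win10 run, but sandbox background noise
]

if __name__ == "__main__":
    for host, kind, hits in sweep(SAMPLE_LOG):
        print(f"{host} {kind}: {', '.join(hits)}")
```

Running the block flags five of the eight constructed records, all on WS01: the Roaming copy executing (path and hash), the write into SysWOW64, the System32-named execution that matches on path alone, the lousta.net lookup, and the connection to 193.166.255.171:80. To use it against real telemetry, replace parse_event with a reader for your log source and keep the normaliser, since the profile directory and the System32/SysWOW64 spelling will vary between hosts and between 32-bit and 64-bit viewers of the same path.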