Analysis Overview
SHA256
619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5
Threat Level: Known bad
The file 619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 23:52
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 23:52
Reported
2024-05-21 23:54
Platform
win7-20240215-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe
"C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 61341743660419ceb38e456ae0d31992 |
| SHA1 | 637df5023c8b0bab0e43148d8acff4dd36adca24 |
| SHA256 | 77ec1a4a59a4f795ef76377c79730089927dcda5dc1fa2cbc9d6f3a12ae87205 |
| SHA512 | 7afcff43e897d8d4fa88bf8045327923fc857fb142dd0f7d4a0224fcd1ef804538c4cd70828e4a6413af3c14cf554bcbdbc8dfc78e770e4172e4041356af5e1c |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 6aacef6b0da2fd3c827bc3b4abc03f07 |
| SHA1 | 5e149d939596ec149137e479d1d89fa950dfb3cd |
| SHA256 | a972745c074cb8c3fd64a8e6680952b9b57f3ec6a72448cfa3bc598c76ca4c43 |
| SHA512 | c546060cf5c3b4db815fcba540a5090647812205335c58c732ea150fd89cafb9c44c88f6d0b3df09220ed7fbdb4e78e815886617ecbf5b6637e57595351da925 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 78a485d1ab9ac42600e20ead8c129e96 |
| SHA1 | ec9a278f36aed8106e6354d3e172010152c5283a |
| SHA256 | 76e8dbd4d6506c98722ceb327bd91ccbb85344a10fd9c982558d28c7d480b553 |
| SHA512 | d91fb1e6b00c5b0e8ae1cc34c027e5da9df07925b3454c57bbe565132481739e3827b97bce743fc606c28fa6521b5e05b6b16553a7fbd6526ab22c9b34184e2e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 23:52
Reported
2024-05-21 23:54
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe
"C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 61341743660419ceb38e456ae0d31992 |
| SHA1 | 637df5023c8b0bab0e43148d8acff4dd36adca24 |
| SHA256 | 77ec1a4a59a4f795ef76377c79730089927dcda5dc1fa2cbc9d6f3a12ae87205 |
| SHA512 | 7afcff43e897d8d4fa88bf8045327923fc857fb142dd0f7d4a0224fcd1ef804538c4cd70828e4a6413af3c14cf554bcbdbc8dfc78e770e4172e4041356af5e1c |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 97adc7c0ff5ede8bd16b1efd5adf63b7 |
| SHA1 | e501cd25d77252f4d317307cd47e8d41653b1cfc |
| SHA256 | 0ce38b78ee8025a2e9cf92470c66fb18525024c9326703ded386349e5191e0d1 |
| SHA512 | 928980e8fe765636c4c43dc1839109b2c891ca78c389099b47792c53d55fdb1089726f4240eca06ce58493c6726b740436835678ebb58ed32fe028075bbd5528 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 7834d1ab0338bcf3170e1c2f57dc4d72 |
| SHA1 | a58b35167b37ffbc67c430edfbd3e004346a822b |
| SHA256 | 0d26c3d50c28b347200bccd53ad507b91e9d0f71c74fa8a831a51e2635a312af |
| SHA512 | be54a57babc99762fcb683d6c54b44c462e34e2c409ed95c286e1805d0ac047e4f2974fe1408a75c321b2bf41ac27e7ff69dd647471ba2135786d0c36b25dbc7 |