Analysis Overview
SHA256
0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f
Threat Level: Known bad
The file 0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 18:11
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 18:11
Reported
2024-05-21 18:14
Platform
win7-20240221-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe
"C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f261170c1a2e532db1e3dc2f8f7fac8e |
| SHA1 | 81e8e5790ab8b4cc310c92b41e40f5182a1ca889 |
| SHA256 | 9c4dae7ad6fb7b79639ad90a03691bc452e2414c86530105cc6bf3caf890c6c0 |
| SHA512 | 33e079cac8176bf739741a6e7f2bf3fc17a54e1b764eb6c6c41e7c36e8f5ef98f8915bcbbd07ed298417092fc0106fd0118d25be44300e335cb95d2b8adb083a |
\Windows\SysWOW64\omsecor.exe
| MD5 | 0e9ba57ff9b35270d2917287dac59919 |
| SHA1 | 304aa9609706d9a1db4da4b345a922961005e56b |
| SHA256 | 07713a7d1f67dcd066890a2fd23398793d298d9f361599ed052f3a6197056259 |
| SHA512 | 53c0bf540f79c9fe4070eb90c00a0ef57fa871f977847acafe81781da01cf2b9d01b0a16e3b2d70ee92ec43ffaa7b68d60cd104f907e4d08ddea4adddc3b003a |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6696e777a5359c1d8ec8d4b78ce496ef |
| SHA1 | 257aee7d6d3dfbe4c7b71d9f2e9faea2c812c835 |
| SHA256 | 8ea1497ccebe60a0c3255b9205f95302a72c376acc7f4cdd148d76b0ee880270 |
| SHA512 | 91ce8a267f13da6a7499f401ccd6fb225d7093545efbb7b9273bdd01d8a2521db2f1932f78508f475b1e38d4ea994009976ad7cd2526790d31d6ee5ade603b9f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 18:11
Reported
2024-05-21 18:14
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe
"C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f261170c1a2e532db1e3dc2f8f7fac8e |
| SHA1 | 81e8e5790ab8b4cc310c92b41e40f5182a1ca889 |
| SHA256 | 9c4dae7ad6fb7b79639ad90a03691bc452e2414c86530105cc6bf3caf890c6c0 |
| SHA512 | 33e079cac8176bf739741a6e7f2bf3fc17a54e1b764eb6c6c41e7c36e8f5ef98f8915bcbbd07ed298417092fc0106fd0118d25be44300e335cb95d2b8adb083a |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 763dee2fa0489da2102b459dfe77fcd4 |
| SHA1 | 1eea9d1c9c567bd4f8fef519a3d6e6d20caf9b2e |
| SHA256 | c733ac2e8cb2822d810548114604c86fc628c7ca9e809ee71cdd946c4accec2a |
| SHA512 | 0998d5556f301cee423a5e3a7e770a707f3133b80eaafe131fd218a3d6ca00e7b22276c79d13740b283c649f96d1f06012852c257bccf22646d01ba5f9d93d5a |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 19bf301369fafd5fb293e174d2cf3892 |
| SHA1 | 5196b84011caabccfc07d7a10efa5a1174395a2b |
| SHA256 | 8e34d084c2a7190e6cab86254db9bcd2619f2e5880b6d084002f7a89667d9ae1 |
| SHA512 | e50d5134e89c430095e7163d154b328266959787baec9cd961e7bd858c45568931150e7450af62b2a63abf81dc70a3d15908b7e72934d5a7d2d5d2f4a918042e |
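The report above gives three kinds of indicator that are worth hunting with: the dropped copies of omsecor.exe (under %APPDATA%\Roaming and under SysWOW64, with their hashes), the DNS lookups and HTTP connections to lousta.net, mkkuei4kdsz.com and ow5dirasuek.com, and the WOW64 view of the same binary (the process list shows omsecor.exe under both SysWOW64 and System32, which is what a 32-bit process' writes to System32 look like through file-system redirection, so a path-based check has to treat the two as one artifact). Not every row in the network table is an indicator: the in-addr.arpa entries are the sandbox's reverse lookups of the peers it just talked to, the 8.8.8.8:53 rows are the resolver, and the bing.com/bing.net traffic is Windows background noise. The following script, an added example rather than anything from the sandbox vendor or the report, encodes those rules. The network rows and hashes are copied from the report; the Sysmon-style event records are constructed sample input, and the choice of bing.com/bing.net as benign noise is an assumption.

```python
"""Turn the report's indicators into a small log-hunting check (added example)."""
import re
from dataclasses import dataclass

# Network rows copied from the behavioral2 table: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "lousta.net", "udp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "mkkuei4kdsz.com", "udp"),
    ("US", "64.225.91.73:80", "mkkuei4kdsz.com", "tcp"),
    ("NL", "23.62.61.97:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "ow5dirasuek.com", "udp"),
    ("US", "35.91.124.102:80", "ow5dirasuek.com", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]

# SHA-256 of every dropped omsecor.exe listed in the report (both detonations).
DROPPED_SHA256 = {
    "9c4dae7ad6fb7b79639ad90a03691bc452e2414c86530105cc6bf3caf890c6c0",
    "07713a7d1f67dcd066890a2fd23398793d298d9f361599ed052f3a6197056259",
    "8ea1497ccebe60a0c3255b9205f95302a72c376acc7f4cdd148d76b0ee880270",
    "c733ac2e8cb2822d810548114604c86fc628c7ca9e809ee71cdd946c4accec2a",
    "8e34d084c2a7190e6cab86254db9bcd2619f2e5880b6d084002f7a89667d9ae1",
}

RESOLVER = "8.8.8.8:53"
# Assumption: these suffixes are sandbox background traffic (Windows telemetry), not C2.
BENIGN_DOMAIN_SUFFIXES = (".bing.com", ".bing.net")


def extract_network_iocs(rows):
    """Return (domains, ip:port endpoints) worth alerting on. Reverse-DNS lookups,
    the resolver itself and known-benign telemetry are dropped."""
    domains, endpoints = set(), set()
    for _country, dest, domain, _proto in rows:
        if domain.endswith(".in-addr.arpa") or domain.endswith(BENIGN_DOMAIN_SUFFIXES):
            continue
        domains.add(domain.lower())
        if dest != RESOLVER:
            endpoints.add(dest)
    return sorted(domains), sorted(endpoints)


def normalize_path(path):
    """Canonicalize a Windows path so the same artifact matches regardless of the
    user name and of WOW64 redirection (System32 and SysWOW64 collapse to one)."""
    p = path.lower().replace("/", "\\")
    p = re.sub(r"^c:\\users\\[^\\]+\\appdata\\roaming\\", r"%appdata%\\", p)
    p = re.sub(r"^c:\\windows\\system32\\", r"c:\\windows\\syswow64\\", p)
    return p


PATH_IOCS = {normalize_path(p) for p in (
    r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    r"C:\Windows\SysWOW64\omsecor.exe",
)}


@dataclass
class Event:
    """Minimal Sysmon-style record: 1 process create, 3 network connect,
    11 file create, 22 DNS query."""
    event_id: int
    image: str = ""
    target: str = ""
    dest: str = ""
    query: str = ""
    sha256: str = ""


def match_events(events, domains, endpoints):
    """Return (kind, value) hits for events that touch a report indicator."""
    hits = []
    for ev in events:
        if ev.event_id == 1 and (normalize_path(ev.image) in PATH_IOCS
                                 or ev.sha256.lower() in DROPPED_SHA256):
            hits.append(("process", ev.image))
        elif ev.event_id == 3 and ev.dest in endpoints:
            hits.append(("network", ev.dest))
        elif ev.event_id == 11 and normalize_path(ev.target) in PATH_IOCS:
            hits.append(("file_create", ev.target))
        elif ev.event_id == 22 and ev.query.lower() in domains:
            hits.append(("dns", ev.query))
    return hits


# Constructed sample input (not from the report): a different user, the System32
# view of the dropped file, a mixed-case DNS query, reverse-DNS noise, a C2 connect.
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Users\bob\AppData\Roaming\omsecor.exe"),
    Event(1, image=r"C:\Program Files\7-Zip\7z.exe", sha256="0" * 64),
    Event(11, target=r"C:\Windows\System32\omsecor.exe"),
    Event(22, query="LOUSTA.NET"),
    Event(22, query="97.61.62.23.in-addr.arpa"),
    Event(3, dest="64.225.91.73:80"),
]

if __name__ == "__main__":
    doms, eps = extract_network_iocs(NETWORK_ROWS)
    print("domains:", doms)
    print("endpoints:", eps)
    for hit in match_events(SAMPLE_EVENTS, doms, eps):
        print("HIT", *hit)
```

Of the six constructed events, four match: the process launched from another user's Roaming directory, the file created under System32 (same artifact as the SysWOW64 path in the report), the DNS query for lousta.net regardless of case, and the TCP connect to 64.225.91.73:80. The 7-Zip launch and the reverse-DNS lookup do not. The SHA-256 set is deliberately the union across both detonations, because the report shows the SysWOW64 copy and the second Roaming copy hashing differently on Windows 7 and Windows 10, so a single-hash rule would miss one of them.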