Analysis Overview
SHA256
0f556371eb69bcbd6e3fe28538bef38ab6ede663705d0f4c2423d71346929319
Threat Level: Known bad
The file 0f556371eb69bcbd6e3fe28538bef38ab6ede663705d0f4c2423d71346929319 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 18:42
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 18:42
Reported
2024-05-21 18:44
Platform
win7-20240508-en
Max time kernel
127s
Max time network
136s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f556371eb69bcbd6e3fe28538bef38ab6ede663705d0f4c2423d71346929319.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f556371eb69bcbd6e3fe28538bef38ab6ede663705d0f4c2423d71346929319.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0f556371eb69bcbd6e3fe28538bef38ab6ede663705d0f4c2423d71346929319.exe
"C:\Users\Admin\AppData\Local\Temp\0f556371eb69bcbd6e3fe28538bef38ab6ede663705d0f4c2423d71346929319.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2244-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d79f378f34476f58bd6fe2728023d8bf |
| SHA1 | b9a443230d7a81d79a5809a3e2f278bd541e1aa9 |
| SHA256 | 567043cc2852baced9cc668a73469207b6d61f0311c73c23e21cc4ab1028677d |
| SHA512 | 2445d8684fa39947170e4fbd57ca1cd29039b2233a0a5cc14024b9930c7219698f713a408c9bd9967539350516f19903132d6d827c1be7b1e213db22b39e7a07 |
memory/2244-9-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1900-10-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1900-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | d1ffb1c1cf97c2b5f1f36bfaeb497258 |
| SHA1 | 3f0a53d51a2b4c24c5965bf8b324d579c11b52b4 |
| SHA256 | 54db8b97a89312a9d2d671660cb5fd776e48a6841b96fffcdf79525a17592799 |
| SHA512 | 0e7777e67e074350ed3bf55fab44085f4a7fc1917c95ca37b78811d364b722bfb382b946b52ac6fbb889b262dd40a7eb3588ae06ad2e83932cd76da3b4430981 |
memory/1900-17-0x0000000000430000-0x000000000045A000-memory.dmp
memory/1900-23-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 56ba8ac348e542fcc68787cc67ad6a0b |
| SHA1 | 265a12869bafba84c32fe6f5f321300d77896ef0 |
| SHA256 | a6bf38d7841cb95ed4344be4fe604586bccac45b852f21b1325108b0ccfabb67 |
| SHA512 | 3842aec45beb68d099ec677170d3f28e08a79134bcc41302c1ee2f3150e53fbfb9ad36f281de4697d894e8e8fb90697be2f7ae567d907ed316f913d09c733d6b |
memory/744-29-0x0000000000220000-0x000000000024A000-memory.dmp
memory/744-34-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2868-37-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 18:42
Reported
2024-05-21 18:44
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2272 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\0f556371eb69bcbd6e3fe28538bef38ab6ede663705d0f4c2423d71346929319.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2272 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\0f556371eb69bcbd6e3fe28538bef38ab6ede663705d0f4c2423d71346929319.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2272 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\0f556371eb69bcbd6e3fe28538bef38ab6ede663705d0f4c2423d71346929319.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 976 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 976 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 976 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0f556371eb69bcbd6e3fe28538bef38ab6ede663705d0f4c2423d71346929319.exe
"C:\Users\Admin\AppData\Local\Temp\0f556371eb69bcbd6e3fe28538bef38ab6ede663705d0f4c2423d71346929319.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.129.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | | tcp |
Files
memory/2272-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d79f378f34476f58bd6fe2728023d8bf |
| SHA1 | b9a443230d7a81d79a5809a3e2f278bd541e1aa9 |
| SHA256 | 567043cc2852baced9cc668a73469207b6d61f0311c73c23e21cc4ab1028677d |
| SHA512 | 2445d8684fa39947170e4fbd57ca1cd29039b2233a0a5cc14024b9930c7219698f713a408c9bd9967539350516f19903132d6d827c1be7b1e213db22b39e7a07 |
memory/976-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2272-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/976-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | cc3ef8d9606b33bb39dca5c6a7d110e4 |
| SHA1 | 7940d64014b976e6efecaa16869f3612e9f1307b |
| SHA256 | ebd778b2f26f02e1197dfe8a019a5480ab54af054f3bfead8fb279b4f644336e |
| SHA512 | a5fba438796d99c54b5d6e2690246ed30e6c7f480e0aa1cb4714d3bf4ad5b19583ae893f1b3f7f59fa6f525feecdb8184fdb4d6cd917c4bab32e148c444b6d9c |
memory/976-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3108-13-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3108-14-0x0000000000400000-0x000000000042A000-memory.dmp