Analysis Overview
SHA256
241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f
Threat Level: Known bad
The file 241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-21 19:48
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 19:48
Reported
2024-05-21 19:50
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe
"C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5b2bae4a2f2cc6ac90e41fc415cff5a0 |
| SHA1 | 76506ef1fade03ea448fc9575724a771cce41af8 |
| SHA256 | 1d2dc7d890897d5c0f06c9d37e26752bde67f34e3a58e2032191aa73fa213d6c |
| SHA512 | decf6a1316f47c2bdbcf3ef5ad1ecdbdca03ec0849a2e981622e433e2586ca0cf558f67370796d94501bdac8a78d6f8451f4d387cfa5adb380ebde1a46c836be |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 4041b07e7b479a47da5ae5bd32b99653 |
| SHA1 | e2401bbf0b22d69565d0bc39f8f6d7b645437e8d |
| SHA256 | f133d467350f49932b5f024099ab85fc0d963800d4b002074895ec661c299848 |
| SHA512 | 88e02867b6c8b5e94dc2fe0f850a036f035022198954fc630a63675ca80d0f401c58d68174f59569fb78a12e7316b774b6d8ab688916ed2528566a3b887ce239 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 0a28514b0b034155682e7405d886e7c2 |
| SHA1 | 929002e7235559a8a7d5a441d0eeb603aa154fbd |
| SHA256 | d4c0d6e47ef0ec779252666a21623bf18c176a0443a4057444f7533483b5d919 |
| SHA512 | 3099fad05c7e2e7a40a8fe2578659ce91e27d54c750c7dbfad4acb4bb9aba887b51ce46f7833e6099083374e33ecf1ad801bf9cc24ad570931cb9b08baf7f544 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 19:48
Reported
2024-05-21 19:50
Platform
win7-20240419-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe
"C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5b2bae4a2f2cc6ac90e41fc415cff5a0 |
| SHA1 | 76506ef1fade03ea448fc9575724a771cce41af8 |
| SHA256 | 1d2dc7d890897d5c0f06c9d37e26752bde67f34e3a58e2032191aa73fa213d6c |
| SHA512 | decf6a1316f47c2bdbcf3ef5ad1ecdbdca03ec0849a2e981622e433e2586ca0cf558f67370796d94501bdac8a78d6f8451f4d387cfa5adb380ebde1a46c836be |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | ad1b9925a45c6fac90b35b197b36ea17 |
| SHA1 | 6af2b3680f4dd4c0f746c7f699c29d1ff2e26ab4 |
| SHA256 | 5cbc31e10508ee67937748f37f16dced48e4837e0f863c1a756b4178222e31d4 |
| SHA512 | 28945d09b23371a1425f84389525c48fdc733478f6f07221800972a2fd1635146eb3c5a17b8d83508034d65b72d8add1baff205647cf9a4475cc5e659a4f0d3e |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 7729887c42d17c42e29dc69ece18e222 |
| SHA1 | e5a5ba4802fc9a68622e5960ed1fc449d25d5e3e |
| SHA256 | 94d453da89cf884ca97b71fd78e754935ecbf9892bd69b4cd08db537122ecbce |
| SHA512 | 3ca2f2c257659c61d11eb9dfb0553a96022a86aa8d5b0946feb00157c46f4a9318e9d1a4e9cd57738197642c51eb9246596970657a447539566558d59b0ab1d2 |
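Turning the two behavioral runs above into something a detection engineer can use, as an added example that is not part of the sandbox report. Three things in the report shape the logic. First, the dropped omsecor.exe has a different hash in every run (SysWOW64 copy f133d4... in behavioral2 versus 5cbc31... in behavioral1, and likewise for the second %APPDATA% copy), so only the original sample's SHA256 is a stable hash indicator; the dropped-file hashes are kept but flagged as weak, and matching leans on the drop paths and the C2 domains/IPs instead. Second, the process list shows omsecor.exe under both C:\Windows\SysWOW64 and C:\Windows\System32: a 32-bit process that writes to System32 is redirected by WoW64 to SysWOW64, so the matcher folds the two spellings together. Third, www.bing.com and tse1.mm.bing.net appear only in the Windows 10 run and are background traffic of the image, not indicators, so they are deliberately excluded. The event lines and their JSON field names (image, parent_image, target, query, dst_ip) are constructed for this example and mimic a Sysmon-style export; they are an assumption, not any vendor's schema.

```python
"""Match the IOCs from this Triage report against sample host/network events.

Added example, not part of the sandbox report. The event lines below are
constructed for illustration; their JSON field names are an assumption that
mimics a Sysmon-style export, not any vendor's schema.
"""
import json
import re
from typing import Dict, List

# Indicators taken from the report. Only the submitted sample's hash is stable.
SAMPLE_SHA256 = "241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f"
DROPPED_SHA256 = {  # omsecor.exe hashes differ per detonation, so these are weak
    "1d2dc7d890897d5c0f06c9d37e26752bde67f34e3a58e2032191aa73fa213d6c",
    "f133d467350f49932b5f024099ab85fc0d963800d4b002074895ec661c299848",
    "d4c0d6e47ef0ec779252666a21623bf18c176a0443a4057444f7533483b5d919",
    "5cbc31e10508ee67937748f37f16dced48e4837e0f863c1a756b4178222e31d4",
    "94d453da89cf884ca97b71fd78e754935ecbf9892bd69b4cd08db537122ecbce",
}
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "35.91.124.102"}
# Drop/execution paths from both runs, after normalize_path() (user wildcarded,
# SysWOW64 folded into System32).
DROP_PATHS = {
    "c:\\users\\*\\appdata\\roaming\\omsecor.exe",
    "c:\\windows\\system32\\omsecor.exe",
}


def normalize_path(path: str) -> str:
    """Lower-case, wildcard the user profile, and fold SysWOW64 into System32.

    WoW64 redirects a 32-bit process's writes to System32 into SysWOW64, which
    is why the report lists omsecor.exe under both directories.
    """
    p = path.lower().replace("/", "\\")
    p = re.sub(r"^c:\\users\\[^\\]+\\", r"c:\\users\\*\\", p)
    return p.replace("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def match_event(event: Dict) -> List[str]:
    """Return the reasons this event matches the report's IOCs (empty if none)."""
    reasons: List[str] = []
    sha = (event.get("sha256") or "").lower()
    if sha == SAMPLE_SHA256:
        reasons.append("sha256: original sample")
    elif sha in DROPPED_SHA256:
        reasons.append("sha256: dropped omsecor.exe (run-specific, weak)")
    for field in ("image", "parent_image", "target"):
        value = event.get(field)
        if value and normalize_path(value) in DROP_PATHS:
            reasons.append(f"{field}: {normalize_path(value)}")
    query = (event.get("query") or "").lower().rstrip(".")
    if query in C2_DOMAINS:  # bing.com sandbox noise is intentionally not listed
        reasons.append(f"dns: {query}")
    if event.get("dst_ip") in C2_IPS:
        reasons.append(f"ip: {event['dst_ip']}:{event.get('dst_port')}")
    return reasons


def scan(lines) -> List[Dict]:
    """Parse one JSON event per line and collect the ones that match."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the scan
        reasons = match_event(event)
        if reasons:
            hits.append({"line": n, "event": event.get("event"), "reasons": reasons})
    return hits


# Constructed events replaying the chain seen in the report: sample -> %APPDATA%
# copy -> System32 (SysWOW64) copy -> DNS and HTTP to the C2, plus benign noise.
SAMPLE_EVENTS = r"""
{"event": "process_create", "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\invoice.exe", "sha256": "241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f"}
{"event": "file_create", "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\invoice.exe", "target": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"}
{"event": "process_create", "image": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe", "parent_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\invoice.exe", "sha256": "1d2dc7d890897d5c0f06c9d37e26752bde67f34e3a58e2032191aa73fa213d6c"}
{"event": "file_create", "image": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe", "target": "C:\\Windows\\System32\\omsecor.exe"}
{"event": "process_create", "image": "C:\\Windows\\SysWOW64\\omsecor.exe", "parent_image": "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe", "sha256": "1111111111111111111111111111111111111111111111111111111111111111"}
{"event": "dns_query", "image": "C:\\Windows\\SysWOW64\\omsecor.exe", "query": "lousta.net"}
{"event": "network_connect", "image": "C:\\Windows\\SysWOW64\\omsecor.exe", "dst_ip": "193.166.255.171", "dst_port": 80}
{"event": "dns_query", "image": "C:\\Windows\\System32\\svchost.exe", "query": "www.bing.com"}
{"event": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "sha256": "2222222222222222222222222222222222222222222222222222222222222222"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS.splitlines()):
        print(f"line {hit['line']:>2} {hit['event']:<16} {'; '.join(hit['reasons'])}")
```

Run as a script it prints seven hits and stays silent on the bing.com lookup and the notepad launch. The path-based rules are the ones that survive across detonations; if you ship the dropped-file hashes at all, keep them at a lower confidence than the sample hash and the C2 infrastructure.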