Analysis Overview
SHA256
4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad
Threat Level: Known bad
The file 4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 22:28
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 22:28
Reported
2024-05-22 22:31
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe
"C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
\Users\Admin\AppData\Roaming\omsecor.exe
\Windows\SysWOW64\omsecor.exe
\Users\Admin\AppData\Roaming\omsecor.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 22:28
Reported
2024-05-22 22:31
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe
"C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe