Analysis Overview
SHA256
703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79
Threat Level: Known bad
The file 703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 00:49
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 00:49
Reported
2024-05-22 00:52
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 916 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 916 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 916 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2964 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2964 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2964 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe
"C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
memory/916-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c037c206312b84e835d51f75ef270823 |
| SHA1 | b58155fd2871af8aa2247cc326a8bd63e7410c5d |
| SHA256 | ff19daa6ca5622c070053ddb205229f2930dc95c630b37a87b4a54816eecf826 |
| SHA512 | 2ec6a9e8f042a0fdc88a8bc598bee11ef49ef7b7163ff85537d1764e9f0f59cb03f43e296ae164381d2e725bbc55aed6fefbee600ff965e839535e4ad734148e |
memory/2964-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/916-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2964-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 928df0ecb02381ece45edb8b26de882e |
| SHA1 | 169ed8784b647e7f546447a64e044018c740d815 |
| SHA256 | ce464d19e0bf23cbd40fe312e10f168aad362cb4c87930ae6ca17eb312d6b7ca |
| SHA512 | f8c9880ad37a3a9b081e2e3b886342597337495da075b8df602cc6fbd69119c09dfe5b6a780f54d6747d246f6d0ebb606a8a7d8be55dd0a582d6416d210960bb |
memory/2964-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1316-12-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 85eaa437149e8c23e0cc9be25f3f2768 |
| SHA1 | 7570bd0a0b3e8c356a4c3b931f244cba186e85dd |
| SHA256 | e4964744d96f70148e11eab07741d7eb7b49a61e062b25424e3bb0559118c8d0 |
| SHA512 | d29cb69b59e90df4653517b86d4567d6bb12d850141303afdea594315f98f5f013206ba5708c38737ff495a4e98eea205ede948eaa23c34e09f7113d78f10d19 |
memory/4552-15-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1316-14-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4552-16-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 00:49
Reported
2024-05-22 00:52
Platform
win7-20240419-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe
"C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
memory/1704-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c037c206312b84e835d51f75ef270823 |
| SHA1 | b58155fd2871af8aa2247cc326a8bd63e7410c5d |
| SHA256 | ff19daa6ca5622c070053ddb205229f2930dc95c630b37a87b4a54816eecf826 |
| SHA512 | 2ec6a9e8f042a0fdc88a8bc598bee11ef49ef7b7163ff85537d1764e9f0f59cb03f43e296ae164381d2e725bbc55aed6fefbee600ff965e839535e4ad734148e |
memory/1704-4-0x0000000000220000-0x000000000024A000-memory.dmp
memory/1704-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2400-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1704-9-0x0000000000220000-0x000000000024A000-memory.dmp
memory/2400-14-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | adc163a085fcfcc1ba910157ce9afdfa |
| SHA1 | c646f4108d444a19e1e329f4901df236f1775ae6 |
| SHA256 | 43a62f17a19dc08269aae1c0f86c59658027b424cd54206b54d5d9921dfc1132 |
| SHA512 | 5fe613670e17add1e87e8f5d72d2f4beae8999938f7f908ae322d745c2da85e5b3262fed99ab5be9943109dda044451c3f7ffeb3992fd13bb30c3f8cdb1ba53a |
memory/2400-19-0x00000000003B0000-0x00000000003DA000-memory.dmp
memory/2996-27-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2400-26-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2780-38-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e935759f821f900896303499fdfa40b8 |
| SHA1 | 1c36d093268104db2513be2f523dcfa7a1ce4768 |
| SHA256 | 205fefb80bc42c03ba6baa021558ea8a29a857e2ab151b745a16aca76d32861d |
| SHA512 | f57a1c459bf9b4e444fb6d0e038080ed08639ffbcd9c4ca9434465c652c982af2baec948ad13b5b10f3de198a5fc0c2ea6a455ad8d2d7124e675c67acc7b8801 |
memory/2996-36-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2780-40-0x0000000000400000-0x000000000042A000-memory.dmp