Analysis Overview
SHA256
7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6
Threat Level: Known bad
The file 7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
| Reported | 2024-05-22 01:44 |
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-05-22 01:44 |
| Reported | 2024-05-22 01:47 |
| Platform | win7-20240508-en |
| Max time kernel | 120s |
| Max time network | 129s |
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe | "C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5842d1ee87f8e7563bf511f5ba78904e |
| SHA1 | 6fa5edea48945a9382b9f5bcbd001d83deeeda07 |
| SHA256 | 86162eabb5938da7126cc6681803195fe4fe6c9dcb684a92f264bc332e488fe2 |
| SHA512 | 2baaa512739e0a3f619643229602ca37d68bece450bfb3dc48a1ff35dd468f5338b45364cc0d287f0ec95365faf5f70bc36272fabc9ac2f3b7c9db53b7e50a80 |
\Windows\SysWOW64\omsecor.exe
| MD5 | a8924cdff4dd73db15e7a2dde74c8c62 |
| SHA1 | b1fe2053f273a019a21cf3d227c33f3da57ca26d |
| SHA256 | 3029d67258c01badf367558233871ca57f7523b94dc107bf315dfea959bc4382 |
| SHA512 | fd68f17fa44ff3895bf7262b89f2520b1af50b304ed66932b7cf566fd56235c8e6774e1cdb26b58baca386154a547de3624606d0ec9e1e27ce6c59aa890bb799 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b679eb5f3d0fabdcbcf1b9674e782844 |
| SHA1 | a16aa1176acd10506b9c4f7b0d89fcf28c8fe38a |
| SHA256 | df04cbf95589e3a889d75244b0240da1d7d34b5b041ac34fde94a56782c56490 |
| SHA512 | a23f85430a8bad24acb755e299853c19f6fe962a29a6502278c53f1e7b3c3af903f48bef1afd77a062f5f925a640d31b21c374a2b015cd1e14ea55239d129438 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-05-22 01:44 |
| Reported | 2024-05-22 01:47 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 149s |
| Max time network | 150s |
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe | "C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5842d1ee87f8e7563bf511f5ba78904e |
| SHA1 | 6fa5edea48945a9382b9f5bcbd001d83deeeda07 |
| SHA256 | 86162eabb5938da7126cc6681803195fe4fe6c9dcb684a92f264bc332e488fe2 |
| SHA512 | 2baaa512739e0a3f619643229602ca37d68bece450bfb3dc48a1ff35dd468f5338b45364cc0d287f0ec95365faf5f70bc36272fabc9ac2f3b7c9db53b7e50a80 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 45edc16c07b947827aa5e8d585c1df76 |
| SHA1 | 1c73c563029ce170c630949ad7d5037d153209a5 |
| SHA256 | 4ea3c8ed8662d3b1e91c0f264b412acfac63bd09bd1b4b15b32781fb15ff4db5 |
| SHA512 | 88d68d8c19141e5d1d4f7bdc4b286d2f342ee44e0d43ecbf1818f33bf72fc3c21d3ad0b51d189201860443e642d1b43685f1f70b9211237e96dec68af97f3f41 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3017f7b96a08b5eca671e2d291c00219 |
| SHA1 | 3a978c363fc3f3e8f08065246b0a773fabdcc18f |
| SHA256 | e8988402370bd4dac50fccbbd9e3b792bd230df3c00da14b12ddb14d70f2cb57 |
| SHA512 | a778915366ae6593b13af547ea73a614cb02f801d3e9ab9a0c49636170a37a074d3cb647e5acf128f26fbe37214717c4bf9a23be22ac9e897adb3bbfbddf2046 |