Analysis Overview
SHA256
14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776
Threat Level: Known bad
The file 14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 02:29
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 02:29
Reported
2024-05-22 02:31
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe
"C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e9d56f4dc84dbcd469d308b2e492f84e |
| SHA1 | a1e2c71b608544264fa322898efbd3972c3e21d6 |
| SHA256 | 98a4075a6a9814f99c6ac464a1ab85ecbee786beb76d87131861b69631c475ab |
| SHA512 | 999f6abcb284811005942af1d7853e00c9f8fdd3350e5f41f9695bad08625674d4422fab2010cebeb124f990c11fab72f9ced6069b5e28492e108816c483b0e9 |
\Windows\SysWOW64\omsecor.exe
| MD5 | cc13e00e4531211f0e9a81b1fe95b7a1 |
| SHA1 | da68cb09a858e7e4f026da2c7bd19361a00441a0 |
| SHA256 | 19c99c9cc7828a155f058e5d57fa0b2d93137387ac08e66c2feb488e95de3315 |
| SHA512 | d3a78db1b1bfd7396424f00bc75cb2985f5de2fa43e057880c629d775f5527f492527c12ccef0f1361ee24262abcc4c8bbb8ca9a8eb1f542052a916c984c14e4 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7800b3222e27273c3b7b3fa23f42ed80 |
| SHA1 | f98b742148109a437dd8ded0dd4aabb1dc968015 |
| SHA256 | e7c8cf21ee4a9e654493ebb76954aaf9e767d8df09ea7584b75d7354db316c46 |
| SHA512 | 5ef4f45bd7d915a7f6cf563ef806d7689bd5c5d714de1698a063cc7e0841a26dc0957e61b92fddf3cb49a264b4953e32627bafbc6c2b4b69941d3f42e90a7baf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 02:29
Reported
2024-05-22 02:31
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe
"C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e9d56f4dc84dbcd469d308b2e492f84e |
| SHA1 | a1e2c71b608544264fa322898efbd3972c3e21d6 |
| SHA256 | 98a4075a6a9814f99c6ac464a1ab85ecbee786beb76d87131861b69631c475ab |
| SHA512 | 999f6abcb284811005942af1d7853e00c9f8fdd3350e5f41f9695bad08625674d4422fab2010cebeb124f990c11fab72f9ced6069b5e28492e108816c483b0e9 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 45ca35139769a8664885c4862bdf1328 |
| SHA1 | 7043f4c223f4332a7d1eb90934e2d79f9a290e47 |
| SHA256 | acc329c293773d5cdb6435cdb17046535999e6bfade6de30fcb6069242619507 |
| SHA512 | f1bc79f4dc274c28af28239d5650f66707454fa54332bd5107a14b79cd5385119ac42bb7d1f2a69112f3f1de3e2cc89911acc7cc4255f366ebe4f281c718cfec |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | eba5ad7b9322cf4da53c1526b95ebd61 |
| SHA1 | bba5614f73380729ebf4cc4e654f1039668f05f4 |
| SHA256 | 2ba9b5ec56574fc2454fca9906c25b3df93c38ea4f2a53e4f30eb74a74bf5747 |
| SHA512 | 60b3fee2fb3b3f95fb29f5812e80a8c54d8898c2071f8a30c818bbbe5cfffff27e49dea90386475d9801a785d9c9848068dc8100d136e4a3f3ee1113b312c394 |