Analysis Overview
SHA256
9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151
Threat Level: Known bad
The file 9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-22 04:01
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
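The static "Unsigned PE" signature boils down to one header check: does the PE's security data directory point at an Authenticode (WIN_CERTIFICATE) blob at all? The following is an added example, not the sandbox's own rule, that performs that check with the Python standard library only. It parses the DOS and COFF headers, locates entry 4 of the data-directory table and validates the WIN_CERTIFICATE header it points to. `build_minimal_pe32` is a constructed test image (DOS stub, PE32 headers, no sections, and a placeholder blob that is not real PKCS#7 data), assumed here purely so the check can be exercised offline. Presence of a blob is not validity: a file that passes this check still needs chain verification (`signtool verify /pa`, or `Get-AuthenticodeSignature` on Windows).

```python
"""Static check behind an 'Unsigned PE' verdict: is there an Authenticode blob at all?

Added example (stdlib only); it is not the sandbox's own rule. It walks the PE
headers and reports whether IMAGE_DIRECTORY_ENTRY_SECURITY points at a
WIN_CERTIFICATE structure. Presence is not validity: a present signature still
has to be chain-verified (signtool verify /pa, Get-AuthenticodeSignature).
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4            # index into the data-directory table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe: bytes):
    """Return (file_offset, size) of the attribute certificate table, or None.

    Raises ValueError when the buffer is not a PE image. For this entry the
    first field is a raw file offset, not an RVA, because the certificate
    table is never mapped into memory.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if coff + 20 > len(pe):
        raise ValueError("truncated COFF header")
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    if size_opt < 2 or opt + size_opt > len(pe):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dir_base = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    if nrva_off + 4 > opt + size_opt:
        raise ValueError("optional header too short for a data-directory table")
    nrva = struct.unpack_from("<I", pe, nrva_off)[0]        # NumberOfRvaAndSizes
    entry = dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_opt:
        return None                               # table too short to hold the entry
    off, size = struct.unpack_from("<II", pe, entry)
    if off == 0 or size == 0:
        return None                               # the 'Unsigned PE' case
    return off, size


def has_authenticode(pe: bytes) -> bool:
    """True if a well-formed PKCS#7 WIN_CERTIFICATE entry is present."""
    loc = security_directory(pe)
    if loc is None:
        return False
    off, size = loc
    if size < 8 or off + size > len(pe):
        return False                              # directory points outside the file: treat as unsigned
    length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    return (length <= size and revision == WIN_CERT_REVISION_2_0
            and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA)


def build_minimal_pe32(signed: bool) -> bytes:
    """Constructed test image: DOS stub, PE32 headers, zero sections.

    With signed=True a placeholder WIN_CERTIFICATE (not a real PKCS#7 blob) is
    appended and the security directory is pointed at it.
    """
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    body = b""
    if signed:
        blob = b"\x30\x82\x00\x00" * 4                       # stand-in for DER PKCS#7
        body = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert_off = len(dos) + 4 + len(coff) + len(opt)       # file offset, not RVA
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                         cert_off, len(body))
    return dos + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    for label, img in (("unsigned", build_minimal_pe32(False)),
                       ("signed", build_minimal_pe32(True))):
        print(f"{label}: authenticode present = {has_authenticode(img)}")
```

Run it against a real file with `has_authenticode(open(path, "rb").read())`; a `False` here is what the report's "Unsigned PE" line expresses, while a `True` only says a blob exists and tells you nothing about who signed it or whether the chain validates.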
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 04:01
Reported
2024-05-22 04:04
Platform
win7-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe
"C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

Note: the dropped file is created at C:\Windows\SysWOW64\omsecor.exe, yet one process instance is recorded as C:\Windows\System32\omsecor.exe. This is consistent with WoW64 file-system redirection: on 64-bit Windows a 32-bit process that names C:\Windows\System32 is transparently redirected to C:\Windows\SysWOW64, so both paths refer to the same dropped file. Hunt for both spellings.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 16a4ff03cfb1c46753437c5fe9dd124a |
| SHA1 | 32526b33c34a019d4d8b946f2c342cf8aa3d511c |
| SHA256 | c8a50a2af383bbaa1a612a9e9a85781bd9c913bafe1e4ad829fdb61fe0a32c1f |
| SHA512 | 0420d59332db5eb8a8900a3b4b924f1317f7e6c8cd9acd02a9377a2e19c833e1be28c9fbff9033f3a010280d7e6eb1e713d090bb89789b05e15dcecf0ead703f |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | ab61eeab19c4a7700597bcc5d7516e0f |
| SHA1 | 2ddb231e871a72e9261351a311a2b2477d987450 |
| SHA256 | 42a98eaf7f7ffe9a7577bef7ba0a0f87736b423cea28bff0cbc42271bbaa5ed3 |
| SHA512 | 52b5dfb0cf1a67ca0c1627a2c75a71958e1ec7517abbe698721e6a180c9e84033af04d1b4df3f1179f1c48bdf43944a4c6b2a46bd8387bf7d69356fff3a48f50 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | fa0a167ecc04bc264a7c8fb74082be22 |
| SHA1 | 9a998bb18083fce4df9e01ee9c09e531615fb5c7 |
| SHA256 | edc33eb172b05560649ec458531beaac989ad288d48dd88f3fbfed1750afcae9 |
| SHA512 | 47391d2ef6d62791764af756581679fbdaba22d9c46bf604ddd81c59f79552989f4a8128357bb2e614b68e7a35d336a1901eb6c7b5aed167b2a692fef32f13db |

Note: the Roaming path is listed twice with different hashes, so C:\Users\Admin\AppData\Roaming\omsecor.exe was written with two different contents during this run; the SysWOW64 copy is a third distinct file. Three different files share one filename, which is why a hunt keyed on the filename and location catches more than a hunt keyed on any single hash.
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 04:01
Reported
2024-05-22 04:04
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe
"C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |

Note: the in-addr.arpa rows are reverse (PTR) lookups seen only in this Windows 10 run, not additional contacts. Two of them reverse C2 addresses already in the table (73.91.225.64.in-addr.arpa is 64.225.91.73 and 102.124.91.35.in-addr.arpa is 35.91.124.102); the rest (the resolver itself and addresses in 20.x, 52.x, 192.229.221.95 and 199.232.210.172) correspond to no connection in this table and should not be treated as indicators. The indicators worth hunting are the three forward domains (lousta.net, mkkuei4kdsz.com, ow5dirasuek.com) and the three TCP/80 destinations, which are identical to the Windows 7 run.
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 16a4ff03cfb1c46753437c5fe9dd124a |
| SHA1 | 32526b33c34a019d4d8b946f2c342cf8aa3d511c |
| SHA256 | c8a50a2af383bbaa1a612a9e9a85781bd9c913bafe1e4ad829fdb61fe0a32c1f |
| SHA512 | 0420d59332db5eb8a8900a3b4b924f1317f7e6c8cd9acd02a9377a2e19c833e1be28c9fbff9033f3a010280d7e6eb1e713d090bb89789b05e15dcecf0ead703f |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 473d273433328ae729cd2e2c48349ad0 |
| SHA1 | a5db6140ca5c3cbbca3350c6c884ca97eb180109 |
| SHA256 | 975fc766436bf94bacd4d1846cac8d1c41eed459137b9ae2c3e87ef452a69af5 |
| SHA512 | 57dcb11ed3c090198134d6969aeab26951cc245f1fbb1f705ffb70742d7877bb5b1add275939e77a32dd5fdbb973661467fcc7e08a61f7fc47678e9de0941a91 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 17040f670323abf1592bacddb563f5e6 |
| SHA1 | 21d48bca11e498689b23ef25a5208ccfeaf5b2d0 |
| SHA256 | 513f94c806abdde1e951c5c6efcc44293ced3be203cb67d67c464a502bdf6f1e |
| SHA512 | b2ea72d4f5cad46061f7cc42c6e847876152db838f16abb029e39474636c84f02fb6a0589a401d100ef95e48c28f46aa46cab61c922c583848d6cea862147da1 |

Note: across the two runs only the first Roaming copy (MD5 16a4ff03cfb1c46753437c5fe9dd124a) is byte-identical. The SysWOW64 copy (MD5 ab61eeab19c4a7700597bcc5d7516e0f on Windows 7, 473d273433328ae729cd2e2c48349ad0 on Windows 10) and the second Roaming copy (fa0a167ecc04bc264a7c8fb74082be22 vs 17040f670323abf1592bacddb563f5e6) differ per run, so hashes of those two files are weak indicators; the drop path and filename, and the network indicators, are the same in both runs and are the better pivots.
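Turning the two behavioral runs into a hunt, as an added example that is not part of the sandbox report: the script below carries the drop locations, the dropped-file hashes, the three domains and the three TCP/80 destinations listed above and sweeps them over endpoint telemetry. The telemetry is a handful of constructed Sysmon-style JSON events (field names follow Sysmon event IDs 1, 3, 11 and 22; the records themselves are made up here, including the user name `jdoe`). Two points from the report shape the logic: `C:\Windows\SysWOW64` and `C:\Windows\System32` are folded together, because under WoW64 redirection the same dropped file appears under both spellings; and only the first Roaming copy's SHA256 is stable across runs, so that hash is reported separately from the per-run hashes, which are corroboration at best.

```python
"""IOC sweep for the omsecor.exe / Neconyd behaviour in the report above.

Added example, not part of the sandbox report. Indicators are copied from the
report; the events in SAMPLE_LOG are constructed, not real telemetry.
"""
import json
import re
from typing import Iterable

# Indicators from the report. SysWOW64 is normalised onto System32 below,
# so one directory pattern covers both spellings.
DROP_NAMES = {"omsecor.exe"}
DROP_DIRS = {r"\appdata\roaming", r"\windows\system32"}
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "35.91.124.102"}
# Identical in the Win7 and Win10 runs (first Roaming copy).
STABLE_SHA256 = {"c8a50a2af383bbaa1a612a9e9a85781bd9c913bafe1e4ad829fdb61fe0a32c1f"}
# Differ between runs: SysWOW64 copy and second Roaming copy, both runs.
PER_RUN_SHA256 = {
    "42a98eaf7f7ffe9a7577bef7ba0a0f87736b423cea28bff0cbc42271bbaa5ed3",
    "edc33eb172b05560649ec458531beaac989ad288d48dd88f3fbfed1750afcae9",
    "975fc766436bf94bacd4d1846cac8d1c41eed459137b9ae2c3e87ef452a69af5",
    "513f94c806abdde1e951c5c6efcc44293ced3be203cb67d67c464a502bdf6f1e",
}

_WOW64 = re.compile(r"\\windows\\syswow64\\", re.I)
_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\")


def normalise_path(p: str) -> str:
    """Lower-case, fold SysWOW64 onto System32, and wildcard the user profile."""
    p = p.lower().replace("/", "\\")
    p = _WOW64.sub(r"\\windows\\system32\\", p)
    return _PROFILE.sub(r"c:\\users\\*\\", p)


def path_is_dropper(p: str) -> bool:
    """True for omsecor.exe in either drop location, under any user profile."""
    n = normalise_path(p)
    name = n.rsplit("\\", 1)[-1]
    return name in DROP_NAMES and any(n.endswith(d + "\\" + name) for d in DROP_DIRS)


def _sha256_of(event: dict) -> str:
    """Pull SHA256 out of a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    pairs = (kv.split("=", 1) for kv in event.get("Hashes", "").split(",") if "=" in kv)
    return dict(pairs).get("SHA256", "").lower()


def classify(event: dict) -> list[str]:
    """Return the indicator classes an event matches (empty list = no match)."""
    hits: list[str] = []
    eid = event.get("EventID")
    if eid in (1, 11):                      # process create / file create
        path = event.get("Image") if eid == 1 else event.get("TargetFilename")
        if path and path_is_dropper(path):
            hits.append("dropped-path")
        sha = _sha256_of(event)
        if sha in STABLE_SHA256:
            hits.append("hash-stable")
        elif sha in PER_RUN_SHA256:
            hits.append("hash-per-run")
    elif eid == 22 and event.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
        hits.append("c2-domain")            # PTR lookups never match: they are not in C2_DOMAINS
    elif eid == 3 and event.get("DestinationIp") in C2_IPS:
        hits.append("c2-ip")
    return hits


def sweep(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """Run classify() over JSON lines; return (line_no, hits) for matches only."""
    out = []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if line:
            hits = classify(json.loads(line))
            if hits:
                out.append((no, hits))
    return out


# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\omsecor.exe", "Hashes": "SHA256=C8A50A2AF383BBAA1A612A9E9A85781BD9C913BAFE1E4AD829FDB61FE0A32C1F"}
{"EventID": 11, "TargetFilename": "C:\\Windows\\SysWOW64\\omsecor.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\omsecor.exe", "Hashes": "SHA256=975fc766436bf94bacd4d1846cac8d1c41eed459137b9ae2c3e87ef452a69af5"}
{"EventID": 22, "QueryName": "lousta.net"}
{"EventID": 3, "DestinationIp": "193.166.255.171", "DestinationPort": 80}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
{"EventID": 22, "QueryName": "8.8.8.8.in-addr.arpa"}
'''


def run_sample() -> list[tuple[int, list[str]]]:
    """Sweep the constructed log; lines 6 and 7 (notepad, PTR lookup) must not match."""
    return sweep(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for no, hits in run_sample():
        print(f"line {no}: {', '.join(hits)}")
```

Point `sweep()` at a real Sysmon export (one JSON object per line) to use it outside the sample. A "dropped-path" hit on its own is already worth a look, since a 32-bit omsecor.exe in Roaming or SysWOW64 has no legitimate reason to exist; "hash-per-run" confirms a known build but its absence proves nothing, which is exactly why the path and the three domains lead.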