Analysis Overview
SHA256
23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251
Threat Level: Known bad
The file 23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 07:00
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 07:00
Reported
2024-05-22 07:02
Platform
win7-20240220-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe
"C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 6729049df9dcdf60d1a4b2d66185d9ee |
| SHA1 | 8e3cebbac162379787c43942a49fda1173bf60cf |
| SHA256 | f9f9421b8036812e1789e90181b7ecd141f5edb4b22303a334da65114e7c1647 |
| SHA512 | 2b6025253c3b0086fe52ee6e4739f7660542d2625b5f7f8c58c033b4c9526dabf64de95485408cfec464e172010f6cc43032d43b04dfc05c90fa522dd9547f9f |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 41368f07d588b3169b9603c7ac675c3d |
| SHA1 | 7f07fef0f29af7fa0569be43880ea2eb625e792f |
| SHA256 | 1cd64a1df9da50d3be9ead514922922629dfd5e6c5c45675c00014f9b3a7a81d |
| SHA512 | 88ba30746083a58e787eab5c94a0d2c7c6d17ae289dbc3008adb540b4841babbaead4958ce42ea97865cc303efb1b3f78bf996449c3ba3523323ea8dc2918efd |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 1dab643aaae5611efd5d42a87d3ace41 |
| SHA1 | ad3d9cd379d182c0d1a1575b41797bfa9338240e |
| SHA256 | 068ebe93f9c6ce09850371d263ec6f5e5882980b11a578883bc08c564f0c44a5 |
| SHA512 | d5196a119cc8e6bd08d77d84281dd8453f5f0ec923fb47fcb44048b2abb70c061ae72328a9f2a9180c3f5fff17ee96ec9d815caee6f1485230fffba3daf46f6b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 07:00
Reported
2024-05-22 07:02
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4796 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4796 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4796 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4768 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4768 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4768 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe
"C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 6729049df9dcdf60d1a4b2d66185d9ee |
| SHA1 | 8e3cebbac162379787c43942a49fda1173bf60cf |
| SHA256 | f9f9421b8036812e1789e90181b7ecd141f5edb4b22303a334da65114e7c1647 |
| SHA512 | 2b6025253c3b0086fe52ee6e4739f7660542d2625b5f7f8c58c033b4c9526dabf64de95485408cfec464e172010f6cc43032d43b04dfc05c90fa522dd9547f9f |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | f8bc576c9ca3b8f4fa3c7f62072812bf |
| SHA1 | a747c9870216e5863bf85e46921242e3040fae3e |
| SHA256 | de6eb7076c324222b6f286c5fd64ccf8f5eeade4fbc6610c53ec22756ac539a6 |
| SHA512 | e1849e55144e11668538a59fd4f4a568c756cd91e2ebc940a102d54072d8904218e868cb9978b8476523bd1d8ad682cff3b22a1874592355bb6ba0fff999605a |