Analysis Overview
SHA256
d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17
Threat Level: Known bad
The file d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 08:11
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 08:11
Reported
2024-05-22 08:13
Platform
win7-20240221-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe
"C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a5e33943d8064b6db399cf7534bd65cd |
| SHA1 | 6dcb38fbb2e35153fe016598d6ef675b038db71e |
| SHA256 | 48176186f82671f61df941d889671dd5578bafc160a5fb23d633dd88421a61bf |
| SHA512 | c7d3962af2836b7915b5e73f7ba5678e5aacae1ba37c5f711e474549638300aa58ba195b7b429b5aba57d6d61212d6d39e8e85e789e551e58a6f895037d53e0a |
\Windows\SysWOW64\omsecor.exe
| MD5 | 75e4e2b30776a266dfc95612f9f65cfc |
| SHA1 | 6bcf354dc6413f232a195a2d67b8bd8b6a4ab67a |
| SHA256 | 58ae4545f12b5c67ec4cf6e04ff11719ba73605cc847df0085e773525fe6c5e5 |
| SHA512 | 53ea840be63f2a0d2fac9dbf01324eafe81ea9ea419e720cb8493f49ea68b433cb8aa456d6bd4a50f450e7782eb0b27c41b8121c98eb9c7d7ff65b1f7ea9e41c |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e1e514cd1a47ea054571440cd501b379 |
| SHA1 | b59e07ee87e7cd4960899a6f8f1eee944df05c3b |
| SHA256 | c9400e7c843a5781d1aeb9647a019432be5c3ee1e4f0a981157fca11942ca90a |
| SHA512 | 8ce8f15595919bcaccc7104d554cd0f6d7106bb9a96d634c341a319733b6b47d3ebc340e6ea513f58e92ba591160e4f6e8777014fd4198416f8e957e62b67d1e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 08:11
Reported
2024-05-22 08:13
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4644 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4644 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4644 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4968 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4968 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4968 wrote to memory of 4972 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe
"C:\Users\Admin\AppData\Local\Temp\d726a02838b1ea97c309055f6c8e6cf51cbcc3dee07f53646682e5eb52bf8f17.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.139:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a5e33943d8064b6db399cf7534bd65cd |
| SHA1 | 6dcb38fbb2e35153fe016598d6ef675b038db71e |
| SHA256 | 48176186f82671f61df941d889671dd5578bafc160a5fb23d633dd88421a61bf |
| SHA512 | c7d3962af2836b7915b5e73f7ba5678e5aacae1ba37c5f711e474549638300aa58ba195b7b429b5aba57d6d61212d6d39e8e85e789e551e58a6f895037d53e0a |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | cc88e75dc8893ebd1ac3549f3d0b48a5 |
| SHA1 | b44d70ffbb38f2fd76a754cd8c3c19dff75c2a16 |
| SHA256 | 948d570b0d366083ce368ee8462feac9699cc98dde6d0e7bd9adde051d6bc93b |
| SHA512 | 26cd87873149ffc50e04feee1192f477c66f3f6a36aff9f631e57c864a4cf1ce0812fa9400d753cf3214bc1a030824ca8932f1ef30c1c94b237e4486088ab92d |