Analysis Overview
SHA256
2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc
Threat Level: Known bad
The file 2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 12:59
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 12:59
Reported
2024-05-22 13:10
Platform
win7-20240221-en
Max time kernel
121s
Max time network
132s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe
"C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 789ad43d132970e75072f253d64cdb36 |
| SHA1 | 751ff2ab4d73974572d51801a61f850e87fac667 |
| SHA256 | ff4d1339f4d57b667cfcb22d5beb40359040cf6c93d3aea49e3cf28f66e9fa3b |
| SHA512 | 7fd2db8619ff7c68b91486e6659f1af8c2630836dcaa128abc62537b7c1973a96138e1bcbe9a4fbed3258ae243a0e555054682f486153cce7de5580e17078c47 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 690f57dda96115c4ff3d02ec2e5730b8 |
| SHA1 | 20d611651f8012155acfff5fa851130b976901a6 |
| SHA256 | abaf0adf5991806b8598f0014af6cb76683f21314563fd44e722a32974e2df06 |
| SHA512 | 90a8c0a668da0bc4aa60f8207d970685e0c64c7ee177ad393e38ea6ecb7dd44021dd326d6185114c9c385a250ad78f55e1ffb6c9f8e872665e179498f6460b3d |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6f5a59952b81e38aadcc76fc3330e560 |
| SHA1 | 805ed50dd8e605b59bfe42befd35a39ac9e17984 |
| SHA256 | e217011271b6a2d952ff098ef667d66c78bca94dab92efd85e9c8b28ab6250ef |
| SHA512 | 5ad477451a709908eadd4cbbdbff07cc66adc4ffce822f349f52512cef848030f323fae424617def89f455dd804ed3ccce427f7f0d0aba91865af07a39287bd0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 12:59
Reported
2024-05-22 13:10
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe
"C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 789ad43d132970e75072f253d64cdb36 |
| SHA1 | 751ff2ab4d73974572d51801a61f850e87fac667 |
| SHA256 | ff4d1339f4d57b667cfcb22d5beb40359040cf6c93d3aea49e3cf28f66e9fa3b |
| SHA512 | 7fd2db8619ff7c68b91486e6659f1af8c2630836dcaa128abc62537b7c1973a96138e1bcbe9a4fbed3258ae243a0e555054682f486153cce7de5580e17078c47 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | baf509331a58dacb0b0fa2d47ea79852 |
| SHA1 | b03fe91ff77881f8673ff4ef46a4cbf2a3472d24 |
| SHA256 | 04bb9a0f1fb63173c7f81e62dd35cb138f1a615c5cfab9673657e38026e5fb06 |
| SHA512 | d70cc4ab7d5688bed7df83aaf22d1514afb55503bfbf2af3bd3dd78b2210b7b3f1de8fa17e979c23c6348a5d58657ba102c4513da410a419bc4132d8168dab39 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4955cfa618bc3e0428aa155c997172fd |
| SHA1 | d25df9282a6846989bb9f4b8b508d2aabdd991d7 |
| SHA256 | 5a2a40505df0271ff5bdc5d7c1691bca676adbe14418e2596b6c8cd44448b5b8 |
| SHA512 | d5d788fabc9a3bf23aae75395cdb08e92e90cd4294ae8f017c604cc014cbeb783338f3c59c4b142c5a4293343530183d39035128bf30fa10d006455708390bcc |