Analysis Overview
SHA256
4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246
Threat Level: Known bad
The file 4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:26
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:26
Reported
2024-05-22 21:28
Platform
win7-20231129-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe
"C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | a6b7e5317adbf83ff7f1b88f3d1d84c7 |
| SHA1 | 34c3715e44b025ea9fd664f7ba143733bce3567b |
| SHA256 | 3d28316449842df8890b08eb56896b497c34e03acfa5c6ebb54bcbb365676ac2 |
| SHA512 | 8efa65b6eaee72cc24cf449a097f1c94ed77f318f6c54db5f3c8a35c22082ec3e8728f8dd257d86aad65ffb91656945438b08bd1ea755f8cb2ba4dbc765ee8b9 |
\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 6564ff4482858cce97a8e2208961153d |
| SHA1 | 29135529e1a5820216cfc53823510a4a722a3bbe |
| SHA256 | bed52e505c5fecb36bf27e8a8b2c329d4e79ed545e1be66982691fb9fc5f3e08 |
| SHA512 | 38bd74a54fbab6a3c4ea2e14421e38e18a3eb6bde1bf141582da2e1f558cac290064b9778232f7c6d3e1ea916076039f8aa47b526a902850ff23b7ee22a7c19d |
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 4d694295edad130bc62a774b26c88179 |
| SHA1 | 24a0f7e859faacb7a6ad9c10b4543aba8d27af39 |
| SHA256 | 6b1a19367d2b69835c238ace80523917dc2625cb450153ef7dddf1bde93062e8 |
| SHA512 | 0c19c945291179151d7c645297da9a5b09ed6365443a91f56165ececf1640474e48f462b22179b49634155d60dc947b15b4da6d687ade0aac9992f1b52019bb5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:26
Reported
2024-05-22 21:28
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe
"C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 242.137.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | a6b7e5317adbf83ff7f1b88f3d1d84c7 |
| SHA1 | 34c3715e44b025ea9fd664f7ba143733bce3567b |
| SHA256 | 3d28316449842df8890b08eb56896b497c34e03acfa5c6ebb54bcbb365676ac2 |
| SHA512 | 8efa65b6eaee72cc24cf449a097f1c94ed77f318f6c54db5f3c8a35c22082ec3e8728f8dd257d86aad65ffb91656945438b08bd1ea755f8cb2ba4dbc765ee8b9 |
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 7910f00e2e12939cb24dcd2e44b7092f |
| SHA1 | cabef0aad495f04a0851ef21b4f301bccbfcae3c |
| SHA256 | a75ed25853a5fb3b3a20e0d36e851588d53aa4608e610d4b5370c03a7935f0be |
| SHA512 | 0f92d7fe0aa3c0f4de41d86eefba395132bf0f81bcb22ad6b6846aa6a150d4dd4d9ac76265e43477f3ba526ac734ac1bc76117e20450f04d9e91dbe2c56266ce |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | eb64cec590d85c81bfc6206ccce3fc03 |
| SHA1 | b86a499642fd8c7c7f34aa31c2bd4afa6b5a411f |
| SHA256 | 2be629b3877694571cfc71ee2e1bc2b4ab469fe4c3bb0f2922ff17ab95c04e42 |
| SHA512 | 8a37e1c97cae175420ecab7f6237bd040966b7a1321ca904a79ca48906dc65e3a812388f77c40712e7321c769c1c7cdb3a6ae21453d54424e6b22edb9b2c3c91 |