Analysis Overview
SHA256
b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6
Threat Level: Known bad
The file b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-23 02:19
Signatures
Neconyd family
Unsigned PE
(No per-indicator details are recorded for the static pass; both signatures fired on the sample itself.)
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 02:19
Reported
2024-05-23 02:22
Platform
win7-20240215-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process (image path) | Command line |
| C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe | "C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note the third entry: the command line names C:\Windows\System32\omsecor.exe while the image actually executed is C:\Windows\SysWOW64\omsecor.exe. This is consistent with WoW64 file-system redirection: a 32-bit process that writes to or launches a file under System32 is redirected to SysWOW64, which is also where the "Drops file in System32 directory" indicator records the file. Detection logic keyed on the literal System32 path will miss this.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
The \Users\Admin\AppData\Roaming\omsecor.exe path is listed twice with different hashes: the file was rewritten during the run, so hashes of the dropped copy are not stable indicators; the path, the process chain and the C2 domains are.
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f387b544f8bfbcf11c9ee8cefc9b256e |
| SHA1 | 59a2bc3032b44e93b3eea3f73f706280e2db22b7 |
| SHA256 | 0297917b646e11270e4478c1da4df711cfa5f4ef98a6aa36f540b65390957557 |
| SHA512 | bd66feb2da8929252da9d5b1c33864831fbbccc959bb008301729d145c603eac554a22de28298224e64ecf1e89326187305aa0da5de212c6dfefdc141a72467f |
\Windows\SysWOW64\omsecor.exe
| MD5 | d3ed945f8d2057e870c008c8f5d327bf |
| SHA1 | 44a74efb7db0fb284ae0089e6e2f0e00dc83b5b0 |
| SHA256 | b81271fcd44422fc9070d5ecd55e9c3a5b1430d210e92be1381bb3c50f12e309 |
| SHA512 | 88be84f8d4bf665104e93b939c2169f22dc438c44cf996e630093ffa186c354706748d674efb659bb9bbc2727a47cc2cb9f86504479d7ad6f862d3ea238f46ec |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 785f64ec1d981940a88b71b632e63a00 |
| SHA1 | db7dade7a73011e121edaa471c39a0b41219d64b |
| SHA256 | 26b276ad60fb03f9c15cfcd7d8f55b2aefc5121f7bebcee0d30459be3003c482 |
| SHA512 | 1259e0810a85e1fe38cde6ed6de0ee39315ee8d289d4c067b0ce94ebe41e4aaa7cf8617b67282324a8ca8127744aba57740364a63dfe527532ea2ef4559fab70 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 02:19
Reported
2024-05-23 02:22
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process (image path) | Command line |
| C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe | "C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8 |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
As in the win7 run, the SysWOW64 image is launched with a System32 command line, consistent with WoW64 file-system redirection of a 32-bit process. The report does not attribute the msedge.exe utility process to the sample; it is listed here only because it ran during the detonation window.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
As in the win7 run, C:\Users\Admin\AppData\Roaming\omsecor.exe appears twice with different hashes, and the SysWOW64 copy also differs from the win7 copy: every run produces new file hashes.
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f387b544f8bfbcf11c9ee8cefc9b256e |
| SHA1 | 59a2bc3032b44e93b3eea3f73f706280e2db22b7 |
| SHA256 | 0297917b646e11270e4478c1da4df711cfa5f4ef98a6aa36f540b65390957557 |
| SHA512 | bd66feb2da8929252da9d5b1c33864831fbbccc959bb008301729d145c603eac554a22de28298224e64ecf1e89326187305aa0da5de212c6dfefdc141a72467f |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | b70cabf61a95dc58b1bb7906b54de825 |
| SHA1 | bd014ff82b691e5545ed0cbb672404cbf3a74f2a |
| SHA256 | d376d9ef9c363c1c2e68bb134f8f00da84da6afc2b7d0e9936290c08829db86a |
| SHA512 | 1cc89e80883e194c4e56c455c9903ba87c23d648c037db4ad300b59bd45d521b6b2aca55e90c8d69be3b6952736120dd889bdcf497c8555f7bdf5d83a947131b |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e96d4934f0ad4720210b5a7dfabbc2e7 |
| SHA1 | f8930f5af3c6e38a9ab5919a0940a954d57a827e |
| SHA256 | 7e486b9b1387e8f30d3fbe8c24e517d3926cd7297aaa6da9c2fc1b1f864b36cc |
| SHA512 | e84cb7a546412315168051a18290e8c81260b048f86c59db60bb029bb82f38187e1f202e5799534ce72380984a924dc512493efe8793702eb01efdfd68be0229 |
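The indicators in both behavioral runs can be turned into a host and network sweep. The following is an added example, not part of the sandbox report or of any tooling the report describes. The hash, domain, address and drop-path sets are copied from the Files and Network tables above; the Sysmon-style event records are constructed for illustration, not taken from the report. Folding System32 into SysWOW64 during path matching is this example's interpretation of the System32/SysWOW64 discrepancy in the process lists (WoW64 redirection of a 32-bit process), and the reverse-lookup check is based on the in-addr.arpa queries that appear in the win10 run.

```python
"""IOC sweep for the Neconyd detonation above (added example, not from the report)."""
from __future__ import annotations

import re

# Indicators copied from the report: SHA256 of every dropped omsecor.exe copy
# (note that each run produced new hashes), the C2 domains, and the addresses
# they resolved to.
DROPPED_SHA256 = {
    "0297917b646e11270e4478c1da4df711cfa5f4ef98a6aa36f540b65390957557",
    "b81271fcd44422fc9070d5ecd55e9c3a5b1430d210e92be1381bb3c50f12e309",
    "26b276ad60fb03f9c15cfcd7d8f55b2aefc5121f7bebcee0d30459be3003c482",
    "d376d9ef9c363c1c2e68bb134f8f00da84da6afc2b7d0e9936290c08829db86a",
    "7e486b9b1387e8f30d3fbe8c24e517d3926cd7297aaa6da9c2fc1b1f864b36cc",
}
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "35.91.124.102"}
# Drop locations from the report, in the normalised form produced by normalize_path().
DROP_PATHS = {
    "c:\\users\\*\\appdata\\roaming\\omsecor.exe",
    "c:\\windows\\syswow64\\omsecor.exe",
}

_USER_DIR = re.compile(r"^c:\\users\\[^\\]+\\")


def normalize_path(path: str) -> str:
    """Lower-case, wildcard the user profile, and fold System32 into SysWOW64.

    Assumption (this example's reading of the report): the sample is 32-bit and
    its 'C:\\Windows\\System32\\omsecor.exe' command line is redirected by WoW64
    to SysWOW64, which is why the report shows both names for one file."""
    p = path.strip().strip('"').lower()
    p = _USER_DIR.sub(lambda m: "c:\\users\\*\\", p)
    return p.replace("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def first_token(cmdline: str) -> str:
    """Image path as written at the head of a Windows command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def reverse_ptr(name: str) -> str | None:
    """'73.91.225.64.in-addr.arpa' -> '64.225.91.73'; None for anything else."""
    n = name.lower().rstrip(".")
    if not n.endswith(".in-addr.arpa"):
        return None
    octets = n[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def match_event(ev: dict) -> list[str]:
    """Return the indicator classes one Sysmon-style event matches ([] = clean)."""
    hits: list[str] = []
    kind = ev.get("event")
    if kind == "FileCreate":
        if normalize_path(ev["target"]) in DROP_PATHS:
            hits.append("drop-path")
        if ev.get("sha256", "").lower() in DROPPED_SHA256:
            hits.append("known-hash")
    elif kind == "ProcessCreate":
        # The report shows image=SysWOW64 with cmdline=System32; check both
        # and let normalisation reconcile them.
        cands = {normalize_path(ev.get("image", "")),
                 normalize_path(first_token(ev.get("cmdline", "")))}
        if cands & DROP_PATHS:
            hits.append("exec-from-drop-path")
    elif kind == "DnsQuery":
        q = ev["query"].lower().rstrip(".")
        if q in C2_DOMAINS:
            hits.append("c2-domain")
        elif reverse_ptr(q) in C2_IPS:
            # The win10 run shows reverse lookups of the C2 addresses; a weaker
            # signal, but it still ties the host to that infrastructure.
            hits.append("ptr-of-c2-ip")
    elif kind == "NetworkConnect":
        if ev["dst"].rsplit(":", 1)[0] in C2_IPS:
            hits.append("c2-ip")
    return hits


def sweep(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, hits) for every event that matched at least one indicator."""
    return [(i, h) for i, ev in enumerate(events) if (h := match_event(ev))]


# Constructed sample telemetry for illustration; not taken from the report.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe",
     "target": "C:\\Users\\bob\\AppData\\Roaming\\omsecor.exe",
     "sha256": "0297917B646E11270E4478C1DA4DF711CFA5F4EF98A6AA36F540B65390957557"},
    {"event": "ProcessCreate", "image": "C:\\Windows\\SysWOW64\\omsecor.exe",
     "cmdline": "C:\\Windows\\System32\\omsecor.exe"},
    {"event": "DnsQuery", "query": "lousta.net"},
    {"event": "DnsQuery", "query": "73.91.225.64.in-addr.arpa"},
    {"event": "NetworkConnect", "dst": "193.166.255.171:80"},
    {"event": "ProcessCreate", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "\"C:\\Windows\\System32\\notepad.exe\" C:\\Users\\bob\\todo.txt"},
    {"event": "DnsQuery", "query": "www.example.com"},
]

if __name__ == "__main__":
    for idx, hits in sweep(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["event"], hits)
```

Match on the drop path and process chain first and treat the hashes as a bonus: the report shows the dropped file rewritten with a new hash within a single run, so a hash-only rule would only catch these five exact copies. The System32 folding is what lets one rule cover both the image path and the command line the report records for the SysWOW64 copy.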