Analysis Overview
SHA256
8b9b4d3c1585b27dace4029dca8f59a00d6462ca2ed404fa02ffdbb379cbdb5d
Threat Level: Known bad
The file 8b9b4d3c1585b27dace4029dca8f59a00d6462ca2ed404fa02ffdbb379cbdb5d.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-23 21:17
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 21:17
Reported
2024-05-23 21:19
Platform
win7-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b9b4d3c1585b27dace4029dca8f59a00d6462ca2ed404fa02ffdbb379cbdb5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b9b4d3c1585b27dace4029dca8f59a00d6462ca2ed404fa02ffdbb379cbdb5d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8b9b4d3c1585b27dace4029dca8f59a00d6462ca2ed404fa02ffdbb379cbdb5d.exe
"C:\Users\Admin\AppData\Local\Temp\8b9b4d3c1585b27dace4029dca8f59a00d6462ca2ed404fa02ffdbb379cbdb5d.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2176-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 6797ac655c89deea5493cb7d5a5f4d6e |
| SHA1 | 00f8c6819c8a90f8ee4f5e791ecb87197e81ea11 |
| SHA256 | 99bbbc78b49e108b7afea1e0c903d0d4774d92669456e58f033e9e416b991271 |
| SHA512 | 2612428d2a4ef1e171543cd84d91341ca0d0effcfd06b8354d07aebb4a2fb4055a111c890246ed06258c2ac8c82cf784779b3f93273ccb92a33fad0755cff488 |
memory/2176-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/848-10-0x0000000000400000-0x000000000042A000-memory.dmp
memory/848-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 3b18cc3eb7d0a6c1a610d3fc8e1b8ece |
| SHA1 | b238a0fbc28ed28901baa1cab8a59fadec1d6828 |
| SHA256 | 78bfe5e1215159b42f641f5024c5a6b4323ff5a9f656f06ecf1d05fff2fad35b |
| SHA512 | c15601d7182e67b88ec24754971c9d03c56d506413eb06a413d808733408aa471f78b0be0fda8e8972be10ad9c4e34cc094b432c85ec0071095e6b01a3353fb1 |
memory/848-17-0x0000000000390000-0x00000000003BA000-memory.dmp
memory/848-23-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1716-35-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | aabc8b785b48dd0ca353df2f5ac1459b |
| SHA1 | dbbcf22a9451313ec27d4aba11802cfd8aa1bae0 |
| SHA256 | 635e7ebd0e8a28a153dd70a349b9c058399f35d3ce453fe1e9ad072387ede6ae |
| SHA512 | 9f25f6b6e203235c357b94f360961148e2534423228fc0c3f6c0efd496eac2c3fb16e4f411e50c394f3f8cdeb6463aaceceac11f7196d27394588f589771ae93 |
memory/3036-33-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1716-37-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 21:17
Reported
2024-05-23 21:20
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4888 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\8b9b4d3c1585b27dace4029dca8f59a00d6462ca2ed404fa02ffdbb379cbdb5d.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4888 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\8b9b4d3c1585b27dace4029dca8f59a00d6462ca2ed404fa02ffdbb379cbdb5d.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4888 wrote to memory of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\8b9b4d3c1585b27dace4029dca8f59a00d6462ca2ed404fa02ffdbb379cbdb5d.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4004 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4004 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4004 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8b9b4d3c1585b27dace4029dca8f59a00d6462ca2ed404fa02ffdbb379cbdb5d.exe
"C:\Users\Admin\AppData\Local\Temp\8b9b4d3c1585b27dace4029dca8f59a00d6462ca2ed404fa02ffdbb379cbdb5d.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.138.73.23.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp |
Files
memory/4888-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 6797ac655c89deea5493cb7d5a5f4d6e |
| SHA1 | 00f8c6819c8a90f8ee4f5e791ecb87197e81ea11 |
| SHA256 | 99bbbc78b49e108b7afea1e0c903d0d4774d92669456e58f033e9e416b991271 |
| SHA512 | 2612428d2a4ef1e171543cd84d91341ca0d0effcfd06b8354d07aebb4a2fb4055a111c890246ed06258c2ac8c82cf784779b3f93273ccb92a33fad0755cff488 |
memory/4004-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4888-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4004-7-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3180-11-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 3937c43beb91517c9a18be48baebce47 |
| SHA1 | 4249ffe9811610250ae1c9ed57b2ced4da483d89 |
| SHA256 | 33c76664958ea31b53430be1d99b037b8070ab5bd9e614d7c99f35765e7bf23e |
| SHA512 | e715f597fe66d9244cb87a4aec2df0e41de8a903f8d3bf2a1601a0bc66c4293af112fe99b8329894c0750eecf6e06c8d62a6d71cd120643d4288afc8cebfbdd6 |
memory/4004-13-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3180-14-0x0000000000400000-0x000000000042A000-memory.dmp