Analysis Overview
SHA256
bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906
Threat Level: Known bad
The file bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-24 02:35
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-24 02:35
Reported
2024-05-24 02:37
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe
"C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2416-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 72c30eb34929a48e7bb33c1e5c04c70f |
| SHA1 | 2bd989cc9f0b2f5eb95f5af3b72c67a36d3bb2bb |
| SHA256 | 8f5fa24f8315ba65815157336aa96b68e8a4fe466008a3e2cd64404cdbf1057b |
| SHA512 | 0ebe8925aec9544005f01f39974e21bfc1bd9c768eb1cc2264c3148429926c14e79ff1e7bf0c60132219550d7721af0a403fb42f12327f8e46ec5aeaa723578f |
memory/2416-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2204-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2204-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | f2acdc0e1180089e8a3c1e3d4a2740e1 |
| SHA1 | ef9f4528173737ce7a29651b5a6591d178e5a0cb |
| SHA256 | 408198786f2fa39264959365bfda801a6054433736491d86ab67f6fc74eed6ab |
| SHA512 | f7b8dac6379621f1d0e920a13938e557278ed3398fc35eaee2c47e23d216025f1b9bf360a586992a66214cb4009d36e75b156e891e889866ab871a2e444a2061 |
memory/2204-17-0x0000000001F30000-0x0000000001F5B000-memory.dmp
memory/2204-23-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b565bc548ba11a163662247fa2aaed98 |
| SHA1 | bf303e02076ebd82164bd5bbc0de4637c33215e6 |
| SHA256 | 5dcc4b5351a89b2a18b06bbb53a09a5c4da0081b880945aa11a8559816c8ce65 |
| SHA512 | 631df2eccdb0c575b1481507959ce6a3ce7fe1be82ce945b70dc6bef483acff265edb1dd45fb2fc3aea9e3175343482483aa8c935d3ff65c80a92543a7d6861d |
memory/3036-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2612-35-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2612-37-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-24 02:35
Reported
2024-05-24 02:37
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4504 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4504 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4504 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1232 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1232 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1232 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe
"C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
memory/4504-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 72c30eb34929a48e7bb33c1e5c04c70f |
| SHA1 | 2bd989cc9f0b2f5eb95f5af3b72c67a36d3bb2bb |
| SHA256 | 8f5fa24f8315ba65815157336aa96b68e8a4fe466008a3e2cd64404cdbf1057b |
| SHA512 | 0ebe8925aec9544005f01f39974e21bfc1bd9c768eb1cc2264c3148429926c14e79ff1e7bf0c60132219550d7721af0a403fb42f12327f8e46ec5aeaa723578f |
memory/4504-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1232-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1232-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 8fdb6d6df67db6c4d02e79468b3df32e |
| SHA1 | 189824084d5c1c91da1bea569fe94d86e4408485 |
| SHA256 | a77a01e8237d9f76c1609aa55d3f36caa6291a3cf9ea84876183db83ffd23c2c |
| SHA512 | d78f6aa589e79d8be8bd26c523addc404abbe3fb216ede08a692e29037be78dfff13fafd74be1169730e903a7d8720399ef187c8fda868e13b5ec80d16044228 |
memory/1232-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1480-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1480-14-0x0000000000400000-0x000000000042B000-memory.dmp