Analysis Overview
SHA256
50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce
Threat Level: Known bad
The file 50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-08 23:18
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 23:18
Reported
2024-06-08 23:30
Platform
win7-20231129-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe
"C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/836-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 2e3a04c7437f52b16f134cf7a56f2961 |
| SHA1 | bc2dc3ce8cbae3f2625c4dea1b12f81468f5c3a1 |
| SHA256 | 16eecd31e364d097bac9c975f13f6163b2a80cf251364561a6c1cab33ee10db0 |
| SHA512 | 2db0788feb00a4170d7cb080b5677c5fa7baa19dc1d8ca624cd85de200452a06f86592eec3e061c81bc278f4e4528847c40c877430d4d0b7da2d45dba04b8c62 |
memory/836-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2328-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2328-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 7efd26ec4108afa01250afd06d682c3d |
| SHA1 | 44ff2eff77391e73eba0c8cb74da133b89958ffb |
| SHA256 | feb7729122bbf01e151cdb2b9707df3edfcf34ce091f4cc54e1cb0c045fa623d |
| SHA512 | 51d2c2976fab4404d454ea5dcf3bae1d472d483d92e848adeb48f95469dbec9bf13c5c6a608cf15df35825b5803c0a69032c2e61e7171815233f510855c8d7cd |
memory/2328-17-0x0000000000430000-0x000000000045B000-memory.dmp
memory/2328-24-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2012-25-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 04ff573ba6d9fd30e5a5f9abcf496c18 |
| SHA1 | 87d29bf1c23c07be06698bc965fbeb3c736be88c |
| SHA256 | 3f1266d33a12b1d265026c21bd232edf25565714192187d88b0390ca93305941 |
| SHA512 | 0ccab192cf9cb28fab20a2802ff5d933c4bbdc57e1a95d4aa5ca7694f291d7350ab07bbf1fce8f0e6e2b9eef0f38e10d1cd49ac352961bd767f7234920754720 |
memory/1208-36-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2012-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1208-38-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 23:18
Reported
2024-06-08 23:30
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1448 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1448 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1448 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 5104 wrote to memory of 816 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 5104 wrote to memory of 816 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 5104 wrote to memory of 816 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe
"C:\Users\Admin\AppData\Local\Temp\50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/1448-1-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 2e3a04c7437f52b16f134cf7a56f2961 |
| SHA1 | bc2dc3ce8cbae3f2625c4dea1b12f81468f5c3a1 |
| SHA256 | 16eecd31e364d097bac9c975f13f6163b2a80cf251364561a6c1cab33ee10db0 |
| SHA512 | 2db0788feb00a4170d7cb080b5677c5fa7baa19dc1d8ca624cd85de200452a06f86592eec3e061c81bc278f4e4528847c40c877430d4d0b7da2d45dba04b8c62 |
memory/5104-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5104-6-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 4a556c31348147f486aeb974128aaafb |
| SHA1 | 9177e7b4e3c7f0068418b0a9489cbe408becbc0d |
| SHA256 | eb4a836eb58e64d0c0adce053c304509df64ddc3b627009882579c80a1ef4bb6 |
| SHA512 | 399260c9be7c3ae9e5831584b0b1dbb4bb0a6c43f303bc4a99684ba0e01cc120d5b3a2847e7250be516ce0aea8d887a6d7573d022c302878463c4952f4115405 |
memory/816-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5104-10-0x0000000000400000-0x000000000042B000-memory.dmp
memory/816-13-0x0000000000400000-0x000000000042B000-memory.dmp