Analysis Overview
SHA256
551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590
Threat Level: Known bad
The file 551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-08 23:42
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 23:41
Reported
2024-06-08 23:45
Platform
win7-20240221-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe
"C:\Users\Admin\AppData\Local\Temp\551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0d494bca09c9f46732ff362190869edb |
| SHA1 | c91adb2267aa83be8899676c7c6e8838ab2fc3ac |
| SHA256 | bc75036d6188bda2652c95899b7d0dcde75288c32bfa8c2b889ccdaa75c5d683 |
| SHA512 | 308acf15821e728ebb0c4424a00af8cb87c1aa7dbd62d5ef88094adef60f511c23937791548d0383218772ccb869abaa4f2818ce62b1d1b8fef59a137055b997 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 23c933cf80b75eb3116522090f156619 |
| SHA1 | d872f50168c4be8d59ae0d50e0a751256a56e860 |
| SHA256 | 8d5df01760e3ae3f25781a72da49d107016e3e07259259b25cbf63430a9a9a9b |
| SHA512 | 3eac0a006c0551066db0307770f3057fc1ca9c80fa5d31c2c8abbc2d15bdb40070c386bbf2990b14ccdb76540dd965c6988db5dfad545586b09fec778b914d1f |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | aa1ec4f27698755421dac3f4c9cdde28 |
| SHA1 | 39d1159238b0f63fa83c20905c0e8e31eee45e94 |
| SHA256 | cba22ab0f93b3f9e891a70850d782f7fcea1bf235ba39779d482c40880b503bc |
| SHA512 | 993239eb99f4377623c736feb0d09adc8005dd6e9e86418d6363c1e51e6cf917bcba05c754f2c396aeef9286f1d11805cec79b0cf6a54b9613c095741e4c7da8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 23:41
Reported
2024-06-08 23:45
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe
"C:\Users\Admin\AppData\Local\Temp\551cb43b20711132594a5b9dd550eb7d3718d0ac9ac3b9e998ddc5a5246d2590.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0d494bca09c9f46732ff362190869edb |
| SHA1 | c91adb2267aa83be8899676c7c6e8838ab2fc3ac |
| SHA256 | bc75036d6188bda2652c95899b7d0dcde75288c32bfa8c2b889ccdaa75c5d683 |
| SHA512 | 308acf15821e728ebb0c4424a00af8cb87c1aa7dbd62d5ef88094adef60f511c23937791548d0383218772ccb869abaa4f2818ce62b1d1b8fef59a137055b997 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 5eb2c280c34c7b26e831c58e5c30779a |
| SHA1 | 62e6021e20537f4b26b40137c23ce1272580df16 |
| SHA256 | d3afbadd164106a0e593b3f9366c9399cd994e05b53a5d214ce902c6a9eda45a |
| SHA512 | 02f66545979c01b9bbc3fd6bb282f06502fbc8646a1a8d3b7f6f7192bf411a7deccca7f26fc24013df1aa3e70ef5ac3e728f94cd01026ddfafabe3972d41c256 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 02b562414894aa371d73a0e08de9b88a |
| SHA1 | aa030d7a44f8c75e223fda8487f8a3913fd54acb |
| SHA256 | 33313c1aff8abecadf80db2b38d784f5ad6e769514f7b23061d9416b904c4206 |
| SHA512 | f291be111e8e4513c3a574cb94011f6775fcab93195a55d4aa2a0ce976e0d52e7db9ea1efdd6a15e66ea0985c74e11111c6a0ae42f73c34d3350d1409beb7328 |