Analysis Overview
SHA256
0b59a512c07f69ec8c8637d052cc805467cb9ed363b70fbb044111b6bd90e037
Threat Level: Known bad
The file 0b59a512c07f69ec8c8637d052cc805467cb9ed363b70fbb044111b6bd90e037 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-08 18:47
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 18:47
Reported
2024-06-08 18:59
Platform
win7-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b59a512c07f69ec8c8637d052cc805467cb9ed363b70fbb044111b6bd90e037.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b59a512c07f69ec8c8637d052cc805467cb9ed363b70fbb044111b6bd90e037.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\0b59a512c07f69ec8c8637d052cc805467cb9ed363b70fbb044111b6bd90e037.exe | "C:\Users\Admin\AppData\Local\Temp\0b59a512c07f69ec8c8637d052cc805467cb9ed363b70fbb044111b6bd90e037.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
The third process is launched with a System32 command line but runs from SysWOW64: the launching copy is 32-bit, so WoW64 file-system redirection maps C:\Windows\System32 to C:\Windows\SysWOW64, which is also where the "Drops file in System32 directory" event above actually wrote the file.
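The two host-side signatures above ("Executes dropped EXE" and "Drops file in System32 directory") are simple to reproduce from endpoint telemetry if the file-create and process-create events are correlated in order and the System32/SysWOW64 spelling is normalised. The following is an added example, not code from the sandbox or the report: it runs that correlation over a constructed set of Sysmon-style events (event 11 = FileCreate, event 1 = ProcessCreate) modelled on the process tree and drops listed above, plus some benign noise that must not fire. The event field names, PIDs and the trusted-directory list are assumptions for illustration.

```python
"""Correlate process-create and file-create events into the two host behaviours
reported above: 'Drops file in System32 directory' and 'Executes dropped EXE'.
Added example; event layout is an assumption, not the sandbox's own format."""
import re

# Paths taken from the report. PIDs and event ordering below are constructed.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\0b59a512c07f69ec8c8637d052cc805467cb9ed363b70fbb044111b6bd90e037.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed Sysmon-style events (id 1 = ProcessCreate, id 11 = FileCreate).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1001, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"id": 11, "pid": 1001, "image": DROPPER, "target": ROAMING},
    {"id": 1, "pid": 1002, "image": ROAMING, "cmdline": ROAMING},
    {"id": 11, "pid": 1002, "image": ROAMING, "target": SYSWOW},
    # launched as System32\omsecor.exe, but the image really runs from SysWOW64
    {"id": 1, "pid": 1003, "image": SYSWOW, "cmdline": r"C:\Windows\System32\omsecor.exe"},
    {"id": 1, "pid": 1004, "image": ROAMING, "cmdline": ROAMING},
    # benign noise: a Windows binary writing under System32 must not fire
    {"id": 11, "pid": 1005, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\catroot2\edb.log"},
    {"id": 1, "pid": 1006, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

SYSTEM_DIR_RE = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
# Assumed list of locations whose binaries are allowed to write into System32.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def norm(path: str) -> str:
    """Lower-case the path and fold SysWOW64 onto System32.

    A 32-bit process that opens or launches C:\\Windows\\System32\\x.exe is
    redirected by WoW64 to C:\\Windows\\SysWOW64\\x.exe, so the two spellings
    name the same file from the malware's point of view and must compare equal.
    """
    p = path.strip().strip('"').lower()
    return SYSTEM_DIR_RE.sub(r"c:\\windows\\system32\\", p)


def analyze(events):
    """Return (signature, pid, path) findings in event order."""
    findings = []
    dropped = {}  # normalised path -> pid of the process that created it
    for ev in events:
        if ev["id"] == 11:
            target, creator = norm(ev["target"]), norm(ev["image"])
            dropped[target] = ev["pid"]
            if target.startswith("c:\\windows\\system32\\") and not creator.startswith(TRUSTED_DIRS):
                findings.append(("drops_file_in_system32", ev["pid"], ev["target"]))
        elif ev["id"] == 1:
            # 'Executes dropped EXE': the image was written earlier in this trace
            if norm(ev["image"]) in dropped:
                findings.append(("executes_dropped_exe", ev["pid"], ev["image"]))
    return findings


if __name__ == "__main__":
    for sig, pid, path in analyze(SAMPLE_EVENTS):
        print(f"{sig:24} pid={pid} {path}")
```

On the constructed trace this yields four findings: the Roaming copy executes as a dropped EXE (twice), it drops omsecor.exe into SysWOW64, and that SysWOW64 copy in turn executes as a dropped EXE even though its command line spells the path as System32. Folding SysWOW64 onto System32 is what makes the last match work; the price is that the trusted-directory check treats SysWOW64 as a Windows directory too, so the "executes dropped EXE" correlation, not the directory check, is what catches a copy that has already been planted there.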
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7cb6ee44d59d03a7e8ac45a05f294aec |
| SHA1 | 9f42ae863b74b5c0889728132c42df0432c2c02d |
| SHA256 | 0b5f1d2ce29116e681a9a1359d6db9422ed499b10a63ee014a149db878c1d8ad |
| SHA512 | 7c8ad067c8b4d3e961ac836f46e7aac8d47f746ec3b168416101d44639a69e706167511ff699fc99987167328122a3b4b3659fdf3f283eea77de86506bf38dee |
\Windows\SysWOW64\omsecor.exe
| MD5 | adc856a2c6dc0c14d25ad091ca2d060a |
| SHA1 | 5cab27bc31c4f17096c247b5819816666d1f51eb |
| SHA256 | 6989ebe2fa867b30f797757d738bb790a6cd8349388caf01dc2a9121ddf71019 |
| SHA512 | 3b01339d35ccc217b6fd58cd0bf1826147bb1ff8147145d493e339c28ecd5faf34cb6c7edd400bf58b697ebd7cc51b236e315392c4d4b1157734045410600503 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2220258e23e2584cf850038ae0bd4ed6 |
| SHA1 | 56f4347d6f1ff05f66df356044a2be5f59ff6f4e |
| SHA256 | 04b13d0a81b5cef10670096cf55018d240454533fecf17cd474dd69b96ef66a5 |
| SHA512 | 8d205f0b94dd3644a9cc8bf4774bcdb77599b043493618e0c49ee259c174d1bb82d07a8682c941143c0d004101811a8f9389b50c3d50d1dde8821b0220399d37 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 18:47
Reported
2024-06-08 18:59
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\0b59a512c07f69ec8c8637d052cc805467cb9ed363b70fbb044111b6bd90e037.exe | "C:\Users\Admin\AppData\Local\Temp\0b59a512c07f69ec8c8637d052cc805467cb9ed363b70fbb044111b6bd90e037.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
As on Windows 7, the third process is launched with a System32 command line but runs from SysWOW64, the result of WoW64 file-system redirection for the 32-bit launching copy.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
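Turning this table into network indicators needs two filters that are easy to get wrong: the udp rows point at the sandbox's resolver (8.8.8.8), not at the attacker, so only the tcp rows carry a C2 address, and the in-addr.arpa rows are PTR lookups the Windows 10 guest made for its own connections, not attacker names. The following is an added example, not code from the sandbox or the report: it builds the indicator sets from a copy of the rows above and then scans constructed DNS/connection log lines, matching subdomains of the C2 names on a label boundary and matching C2 addresses regardless of port. The log line format, the source addresses and the resolver list are assumptions.

```python
"""Extract C2 domains/IPs from the sandbox network table and scan log lines for them.
Added example; the log format below is constructed, not a real product's output."""
import re

# Rows copied from the behavioral2 Network table: (country, destination, domain, proto).
REPORT_ROWS = [
    ("US", "8.8.8.8:53", "lousta.net", "udp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "mkkuei4kdsz.com", "udp"),
    ("US", "64.225.91.73:80", "mkkuei4kdsz.com", "tcp"),
    ("US", "8.8.8.8:53", "ow5dirasuek.com", "udp"),
    ("US", "52.34.198.229:80", "ow5dirasuek.com", "tcp"),
    ("US", "8.8.8.8:53", "229.198.34.52.in-addr.arpa", "udp"),
]

RESOLVERS = {"8.8.8.8"}  # assumed: the sandbox's DNS resolver, never an indicator


def extract_iocs(rows):
    """Return (domains, ips) from report rows, dropping resolver and PTR noise."""
    domains, ips = set(), set()
    for _country, dest, domain, proto in rows:
        host, _port = dest.rsplit(":", 1)
        if domain.lower().endswith(".in-addr.arpa"):
            continue  # reverse lookups of the guest's own peers, not attacker names
        domains.add(domain.lower())
        if proto == "tcp" and host not in RESOLVERS:
            ips.add(host)  # udp rows name the resolver; the C2 address is in the tcp rows
    return domains, ips


# Constructed log lines: "<ts> <src> dns query=<name>" or "<ts> <src> conn dst=<ip:port>".
SAMPLE_LOG = [
    "2024-06-08T18:50:01 10.0.0.5 dns query=lousta.net",
    "2024-06-08T18:50:01 10.0.0.5 conn dst=193.166.255.171:80",
    "2024-06-08T18:50:02 10.0.0.5 dns query=171.255.166.193.in-addr.arpa",
    "2024-06-08T18:50:03 10.0.0.7 dns query=cdn.lousta.net.",
    "2024-06-08T18:50:04 10.0.0.7 dns query=notlousta.net",
    "2024-06-08T18:50:05 10.0.0.7 conn dst=8.8.8.8:53",
    "2024-06-08T18:50:06 10.0.0.9 conn dst=64.225.91.73:443",
    "2024-06-08T18:50:07 10.0.0.9 conn dst=93.184.216.34:443",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|conn) (?:query=(?P<query>\S+)|dst=(?P<dst>\S+))$"
)


def domain_matches(name, domains):
    """True if name equals an indicator or is a subdomain of one (label boundary only)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan(lines, domains, ips):
    """Return (ts, src, kind, value) for every line that touches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["kind"] == "dns" and domain_matches(m["query"], domains):
            hits.append((m["ts"], m["src"], "dns", m["query"]))
        elif m["kind"] == "conn":
            host = m["dst"].rsplit(":", 1)[0]
            if host in ips:  # port deliberately ignored: C2 ports change, addresses less so
                hits.append((m["ts"], m["src"], "conn", m["dst"]))
    return hits


if __name__ == "__main__":
    d, i = extract_iocs(REPORT_ROWS)
    print("domains:", sorted(d))
    print("ips:", sorted(i))
    for hit in scan(SAMPLE_LOG, d, i):
        print(*hit)
```

The scan flags the direct lookup of lousta.net, the connection to 193.166.255.171, the cdn.lousta.net subdomain query and the connection to 64.225.91.73 on a different port, while the PTR query, the look-alike notlousta.net, the resolver traffic and the unrelated host stay quiet.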
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7cb6ee44d59d03a7e8ac45a05f294aec |
| SHA1 | 9f42ae863b74b5c0889728132c42df0432c2c02d |
| SHA256 | 0b5f1d2ce29116e681a9a1359d6db9422ed499b10a63ee014a149db878c1d8ad |
| SHA512 | 7c8ad067c8b4d3e961ac836f46e7aac8d47f746ec3b168416101d44639a69e706167511ff699fc99987167328122a3b4b3659fdf3f283eea77de86506bf38dee |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d6b406b9ea5f47d2047c801dcff9dadf |
| SHA1 | 9c6b65f3c760ebe503c4802997bf9535bdeebbf1 |
| SHA256 | 60668113bcbba06b4e1989bfe068ca8df048058cdf4fa9f3afa3f8c99848380e |
| SHA512 | 908e2c2409465556e8a110df86d817c35d6683e0e10d7104d37a82ade2ccc3d2f79d36a3b937c2a005aacf400bd0f3e2564478cbcb7cb4a066f707f4ec2baca1 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 4d064413375039c4c3eeba2786b4f8ed |
| SHA1 | 0f5b614495943b09e62b4d6bbf37cbbb0ae04dcc |
| SHA256 | f47c88c46642559f23acd86656ac25ba19a10e0284db0d32abc0afee36c2a323 |
| SHA512 | ebcf64ced91df862f4a9e171dd57370a2292f9d6665bdce4084b31a281e02d02d665a30f5210c328282e0b0793d0a6df1151895665fb2e18657e07bac7425b82 |