Analysis Overview
SHA256
84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880
Threat Level: Known bad
The file 84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-09 03:41
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 03:41
Reported
2024-06-09 03:44
Platform
win7-20240215-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe
"C:\Users\Admin\AppData\Local\Temp\84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | cd34a7b180bc9d2d70c78d096e4addb8 |
| SHA1 | bc28dd6f224cc1680b8a7304d73ae77b36676867 |
| SHA256 | d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158 |
| SHA512 | 3474ab4a44db8066734f57c348b3d9328ef024697a7e40ed8243c4d056cef250d225260ab5df4281805da72db37181e7502b5515e06245c1bd14efdd141890af |
\Windows\SysWOW64\omsecor.exe
| MD5 | 0115bb1d512186abc5ef6056c5953670 |
| SHA1 | 208cbff0914ba89b02788ed808a5eb6eff873da3 |
| SHA256 | e16718e837f07c9178fb90cbfd121613c6f4ee1538acbde53edfed153ea226ca |
| SHA512 | 711c2f5ba051628df61c8c780cad0c93e7bba807f2db55d6ef087d6551ce69c6b81b6c4a4db8bbf257e23c1ed596482e73ab38b7eabe7b8e4b3a01b4538baa24 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7959b597282b91fcae967e4ba43fa338 |
| SHA1 | be74b4f002834cf986ad73694b9a623331511709 |
| SHA256 | 1d2920245831e3c1834fd2ea334a08da2b56f62c1ef3d0cf8ed64ecb4bbd22eb |
| SHA512 | 84c5957dbb6608db2dfd32c390489bb42df02d0eacae9a0c7380d8e6186d77b08741b05660c5d612dd2f21e563e909f4372b323df5c16c5ce6c92f26345661f4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 03:41
Reported
2024-06-09 03:44
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3836 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3836 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3836 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4468 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4468 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4468 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe
"C:\Users\Admin\AppData\Local\Temp\84b72edaca20b6e15da980233756e3bb151cc772209ebdd1236d07179f1b3880.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | cd34a7b180bc9d2d70c78d096e4addb8 |
| SHA1 | bc28dd6f224cc1680b8a7304d73ae77b36676867 |
| SHA256 | d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158 |
| SHA512 | 3474ab4a44db8066734f57c348b3d9328ef024697a7e40ed8243c4d056cef250d225260ab5df4281805da72db37181e7502b5515e06245c1bd14efdd141890af |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | e5ad19d6ee79324c200127fc64c75ac5 |
| SHA1 | 4f5ae890ba1a1cbfb5a8c311d64785693b70a520 |
| SHA256 | 7f8106b7f500ac54311a5d225709b900ac1038671343658ea52788790feeb5e4 |
| SHA512 | f9a5dc0be3810834898419356bcd6dc136b21114dd2a648280066ff5cbfc3fab4f75bf5fe7d55dbddfb31210a5801216622b8a805b5d8a1559da905c36f9349d |