Analysis Overview
SHA256
d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158
Threat Level: Known bad
The file d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-09 10:47
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 10:47
Reported
2024-06-09 10:50
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe
"C:\Users\Admin\AppData\Local\Temp\d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.255.166.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | fb1f219782a642c767a805bc122b018c |
| SHA1 | d57f4b2db148139254d797d0f65d46a409ddff81 |
| SHA256 | 46c62020da2d9ff8b2ac5dc0c93b9abf5ece2cb386533195f6e17b6bedf33d9a |
| SHA512 | 53705c4552747ed886d55be6ce24e31baf669e82e833faaeed0e36db7dedd9372dc72399654e1899353b755c99870164cda8d5d925cd1d4ee5a9451405c44da0 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | c1f85589d82d61bf9921e7fcf6f65508 |
| SHA1 | 328cea658bd70e228ac896dd65bee9f69e1726bf |
| SHA256 | f2e0d44daacc249118ecb1076730476c724decc3184f722fa01bfa672775915a |
| SHA512 | bceeb480a6e2f6c290a1aa01b76e97ec97a93d70f0ba3ad6f8954c329c61b36c1526f35f73ca86bf4b851b6444e375f3e74d206f2faef2a8fd044646af45dd52 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 24c9b2049ce901b171f2f6d549f8c450 |
| SHA1 | 1cc6bc4032c8fcd963f1ce6f7c24bbeacebbbee0 |
| SHA256 | 7d67ab611aaeafb6edbaca39ae6472b935d1938dcfba6520865adbd35fee15f0 |
| SHA512 | f439f5d71db8f2cf2227bf7cb36e5550bf0e571e59090df948704a7100432cfe70c0cff83129f557b3fc7805b70bf09aaeb8de6ea05a7ce136debba1b5158d4f |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 10:47
Reported
2024-06-09 10:50
Platform
win7-20240221-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe
"C:\Users\Admin\AppData\Local\Temp\d4e8a6ec2fde6198aa5d419fe5dbbb1c1ffae952d4827256fc7ea0411dfea158.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | fb1f219782a642c767a805bc122b018c |
| SHA1 | d57f4b2db148139254d797d0f65d46a409ddff81 |
| SHA256 | 46c62020da2d9ff8b2ac5dc0c93b9abf5ece2cb386533195f6e17b6bedf33d9a |
| SHA512 | 53705c4552747ed886d55be6ce24e31baf669e82e833faaeed0e36db7dedd9372dc72399654e1899353b755c99870164cda8d5d925cd1d4ee5a9451405c44da0 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | e8fe8ae30aa336ccd37f797412eb2d44 |
| SHA1 | c67dc00e6fc4d3a26cc4d593b624d1572e968bd5 |
| SHA256 | 7d7f2d573450922cbcff3ed5be4a70b0693f32d15e36232e965e8a37ee716ceb |
| SHA512 | 13704145aae19f7e0806a61c819b0e50cd2b19d4ee0406429c9a8612a03085a7e34eaa1648feb53e03d71a35f56dee8196f31bf550446ab5070fb61c7735de1d |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 03102236ab478cb4b2e480eeb576d856 |
| SHA1 | 76e832217fd76c19949f31014625dca8db28f50e |
| SHA256 | 06ccaaefb60df0e79b8e6bbdf06450dd265abc83734d51cd7d474c5941bd9ecf |
| SHA512 | 338de4c61ce3f40fd456fe89d7abccb59631156d289a5c67302fccd9494211be2cc84c8d648360faacf9a9052bf71424c6458660df4b216dc48c98ba72f2b1b4 |