Analysis Overview
SHA256
071c8c44d199a1779ca9ec92e778c4e5b5fb0f62d08e319342b0ce4a05adb1d6
Threat Level: Known bad
The file 071c8c44d199a1779ca9ec92e778c4e5b5fb0f62d08e319342b0ce4a05adb1d6 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-09 20:57
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 20:53
Reported
2024-06-09 21:02
Platform
win7-20240215-en
Max time kernel
86s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\071c8c44d199a1779ca9ec92e778c4e5b5fb0f62d08e319342b0ce4a05adb1d6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\071c8c44d199a1779ca9ec92e778c4e5b5fb0f62d08e319342b0ce4a05adb1d6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\071c8c44d199a1779ca9ec92e778c4e5b5fb0f62d08e319342b0ce4a05adb1d6.exe
"C:\Users\Admin\AppData\Local\Temp\071c8c44d199a1779ca9ec92e778c4e5b5fb0f62d08e319342b0ce4a05adb1d6.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 57ad188e1d7ac03b06d400422221e3af |
| SHA1 | 1f0f00ab5fedf59b95e39b19fa1764f2a4ea6cba |
| SHA256 | e367df5392175fe0063adf8d87bbb8f9cf387da16c2b3c0691fbaf24f86411d5 |
| SHA512 | 04a5e110a02781ad982788634a41938320db5f66f917f88ed26575909da8b53452f3e77b43bfd039d4ade0046d6a9ee093223aec80fbc142ef66206fecf40b76 |
\Windows\SysWOW64\omsecor.exe
| MD5 | e19d0d528cfa19c32fe5bc86e7e5a4d0 |
| SHA1 | b1b1ef1e75d09c194d78e18a2c6200c38558ae4d |
| SHA256 | 473c2adf3e6149a332848013439804ca7c8df109c0ec3eb7fb9744c013a29ef8 |
| SHA512 | dd7ae96865c1e178a5d8da7b167a9bafe57981bdf588c54987823af729a94d39507b4663b50b675258d54f0e97296ae6c4c443fb970673caeebbb702ae3d4269 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | be3d469b16843ca5ad47fcca4ba5958c |
| SHA1 | 8c5ff39ac053a464e139f36a0edca37820fa6ec3 |
| SHA256 | 03b74ce607fada8b849c79a779f12dc81a1cfcc64742f11e196d8abd47c73866 |
| SHA512 | 2368472af0412a64e9cdc0ea5dbca23d9f850613c78288becd99d327dd85d2944ea2056ae786b30e4147f6639b40d354db2805503840927e3f51ab0de4deda7a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 20:53
Reported
2024-06-09 21:12
Platform
win10v2004-20240226-en
Max time kernel
98s
Max time network
157s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\071c8c44d199a1779ca9ec92e778c4e5b5fb0f62d08e319342b0ce4a05adb1d6.exe
"C:\Users\Admin\AppData\Local\Temp\071c8c44d199a1779ca9ec92e778c4e5b5fb0f62d08e319342b0ce4a05adb1d6.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 57ad188e1d7ac03b06d400422221e3af |
| SHA1 | 1f0f00ab5fedf59b95e39b19fa1764f2a4ea6cba |
| SHA256 | e367df5392175fe0063adf8d87bbb8f9cf387da16c2b3c0691fbaf24f86411d5 |
| SHA512 | 04a5e110a02781ad982788634a41938320db5f66f917f88ed26575909da8b53452f3e77b43bfd039d4ade0046d6a9ee093223aec80fbc142ef66206fecf40b76 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 3eabe0746ad4bc0e566e30f06615650a |
| SHA1 | cc66fdbb2f8fef75049bed6fa2876e65b3d18f93 |
| SHA256 | 1a6073620dd3ffbde07797f8128dc12c2b6703447bfb787f5586e2097350a275 |
| SHA512 | 829f6775954183f690544d1552eb6727ed09513a73b3a445d2d011ceb591f79cdd8849562e17d86b1c140a56696bab13979482adf4ee039bb917515604c628d7 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | efcfad30111e2210db6ba75e69fc8a67 |
| SHA1 | 7bfe4d4c861b531c8b7a9f8fe562af5e0141764c |
| SHA256 | 811f2babcda02dc9b41ad913122502b003826ada1046cca51734afcc031f4d71 |
| SHA512 | 820e927f43de58aa468c7c2ed4b62fdb0e1a30a02ba35c0787e482b191981ec43e5f308fc8ebb851116db091edef935cd10db7bf406c0316b62c40ff07d7de68 |