Analysis Overview
SHA256
290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1
Threat Level: Known bad
The file 290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 04:53
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 04:52
Reported
2024-06-10 04:56
Platform
win7-20231129-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe
"C:\Users\Admin\AppData\Local\Temp\290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
\Users\Admin\AppData\Roaming\omsecor.exe
\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 04:52
Reported
2024-06-10 04:56
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe
"C:\Users\Admin\AppData\Local\Temp\290714ed433f7e77c1d985f1232580a8928b149900450ca7a2831e092ea43dd1.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe