Analysis Overview
SHA256
4c036cd343c87858695fb6b0a40afaeaef5cd750f3d4a020ab41993df96d3f89
Threat Level: Known bad
The file 4c036cd343c87858695fb6b0a40afaeaef5cd750f3d4a020ab41993df96d3f89 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-10 11:56
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 11:56
Reported
2024-06-10 11:59
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4c036cd343c87858695fb6b0a40afaeaef5cd750f3d4a020ab41993df96d3f89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4c036cd343c87858695fb6b0a40afaeaef5cd750f3d4a020ab41993df96d3f89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4c036cd343c87858695fb6b0a40afaeaef5cd750f3d4a020ab41993df96d3f89.exe
"C:\Users\Admin\AppData\Local\Temp\4c036cd343c87858695fb6b0a40afaeaef5cd750f3d4a020ab41993df96d3f89.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 23529aeb794f608a82b4a5c249feacfa |
| SHA1 | 5673c90225ccc2969a3b8f5a4ca8665632a87577 |
| SHA256 | 9c4542b5300e8282fee967f64ccb9ec68c2138a6d51aa303b79bd67e8bc7afbd |
| SHA512 | 4c24e4167c2a3ce850e1473ec1ce456184955cf185cd57d69af27788eae0c86f1e174b1d1fdfbbb40311e80a40c81805c8a69e6d9063cf1f512e89dba2e656b3 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d3c06105e949897702726851a9f0b690 |
| SHA1 | 5d78225aed5774762680d108a10e8af55561f336 |
| SHA256 | 568a0ff95f9b45bc2653fbfcf9ec483b49100f583314a61fb9da7dbe59c53c6d |
| SHA512 | 4d8c5c8a9ff85f17a532ee697c4da534c299f183c68c0e2ead8cae0f1633b2c75105de5b6686e8c40b9ece1bf1e3b7795320551c98bd3365a76717a4d67af195 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f81386a61cd21f97ac5e4593484f2f77 |
| SHA1 | 3d56b8c3fbfd1e4b1ffac5383e433cea7cde89ba |
| SHA256 | f6061208f9624f5d53d885a816235a3841500ffa924b40456e2eba138afba002 |
| SHA512 | 3a0fb3245139a39dec5702be39c8979108c3054726ad9ffeb840b30c0672870df56e0156525a2626d018aadb29bffb51498cf24ea5c462feefd2f8c148abda96 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 11:56
Reported
2024-06-10 11:59
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4c036cd343c87858695fb6b0a40afaeaef5cd750f3d4a020ab41993df96d3f89.exe
"C:\Users\Admin\AppData\Local\Temp\4c036cd343c87858695fb6b0a40afaeaef5cd750f3d4a020ab41993df96d3f89.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 23529aeb794f608a82b4a5c249feacfa |
| SHA1 | 5673c90225ccc2969a3b8f5a4ca8665632a87577 |
| SHA256 | 9c4542b5300e8282fee967f64ccb9ec68c2138a6d51aa303b79bd67e8bc7afbd |
| SHA512 | 4c24e4167c2a3ce850e1473ec1ce456184955cf185cd57d69af27788eae0c86f1e174b1d1fdfbbb40311e80a40c81805c8a69e6d9063cf1f512e89dba2e656b3 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | ffb5b76bb7be51137e1f42a6e9d7bdd1 |
| SHA1 | 022bc0cd286a24919b5506ebad8abaae74417258 |
| SHA256 | 59887f5ee97d5c37c736ad271986c4ad53a6305158ac9a99a9bb9028716ae907 |
| SHA512 | db0dc270e9c7e863ab45676607d3b308d79d22a342f00bbe58fe625551cd728cef628f018496dcd2d1d3f9b74bc0282440759b1c32f5f678a0d3ce064b602c91 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6598882eec42c637d140f8c31022731d |
| SHA1 | 26591673b00b51e5e59e2c2274f23d735bc7b525 |
| SHA256 | d7a2eba1f17be76dbaa0684b847cd0cfc5fd04451204f87fc3f161030dc8956d |
| SHA512 | 64f3a22eda964e1e644f429ebcb43dfcc1ee001618d900bb3fab2d9c31683e9178a4bec04e8458c50f27db787f2a37b51ba562f6d1a240ae392e92855d35aefa |
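Both detonations above show the same chain: the sample runs from %Temp% under its hash name, drops omsecor.exe into %AppData%\Roaming, that copy creates C:\Windows\SysWOW64\omsecor.exe, the system copy runs, and the chain resolves lousta.net, mkkuei4kdsz.com and ow5dirasuek.com and connects to them over TCP/80. One caveat for hunting: the Processes list shows C:\Windows\System32\omsecor.exe while the file is created under SysWOW64; a 32-bit process writing to System32 on 64-bit Windows is redirected to SysWOW64 by file system redirection, so both paths must be covered. The script below is an added example, not part of the sandbox report or of any vendor tooling: it turns the report's indicators (domains, C2 IPs, dropped-file SHA-256s, drop paths) into detection logic and runs it over constructed Sysmon-style event lines. The key=value event format and its field names (type, image, target, query, dst_ip, dst_port, sha256) are assumptions for the example; the indicator values are copied from the report, and the sample events are constructed, not captured.

```python
"""Hunt for the Neconyd dropper behaviour reported above in endpoint telemetry.

Added example, not part of the sandbox report. Indicator values are copied from
the report; the event format, field names and sample log lines are constructed.
"""
import hashlib
import re

# Indicators lifted from the report's Network and Files sections.
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}
DROPPED_SHA256 = {
    "9c4542b5300e8282fee967f64ccb9ec68c2138a6d51aa303b79bd67e8bc7afbd",
    "568a0ff95f9b45bc2653fbfcf9ec483b49100f583314a61fb9da7dbe59c53c6d",
    "f6061208f9624f5d53d885a816235a3841500ffa924b40456e2eba138afba002",
    "59887f5ee97d5c37c736ad271986c4ad53a6305158ac9a99a9bb9028716ae907",
    "d7a2eba1f17be76dbaa0684b847cd0cfc5fd04451204f87fc3f161030dc8956d",
}
# omsecor.exe under %AppData%\Roaming, or under System32/SysWOW64: a 32-bit
# writer targeting System32 lands in SysWOW64 via WOW64 file system redirection,
# so both spellings of the system path are matched.
DROP_PATH = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\roaming|windows\\(system32|syswow64))\\omsecor\.exe$",
    re.IGNORECASE,
)

def parse_event(line):
    """Parse a constructed 'key=value|key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def classify(event):
    """Return the detection names triggered by one parsed event (empty if benign)."""
    hits = []
    et = event.get("type")
    if et == "process_create" and DROP_PATH.match(event.get("image", "")):
        hits.append("neconyd_dropped_exe_executed")
    if (et == "file_create" and DROP_PATH.match(event.get("target", ""))
            and DROP_PATH.match(event.get("image", ""))):
        hits.append("neconyd_system_dir_drop")
    if et == "dns_query" and event.get("query", "").lower() in C2_DOMAINS:
        hits.append("neconyd_c2_dns")
    if (et == "network_connect" and event.get("dst_ip") in C2_IPS
            and event.get("dst_port") == "80"):
        hits.append("neconyd_c2_http")
    if event.get("sha256", "").lower() in DROPPED_SHA256:
        hits.append("neconyd_known_payload_hash")
    return hits

def scan(lines):
    """Map the index of every matching line to its detections; benign lines are omitted."""
    return {i: h for i, line in enumerate(lines) if (h := classify(parse_event(line)))}

def digests_of(chunks):
    """Hash an iterable of byte chunks with every algorithm the report's Files tables list."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def hash_file(path):
    """Stream a file from disk; compare result['sha256'] against DROPPED_SHA256 during triage."""
    with open(path, "rb") as fh:
        return digests_of(iter(lambda: fh.read(1 << 16), b""))

# Constructed sample telemetry mirroring the report's process tree and network,
# plus two benign lines that must not fire.
SAMPLE_EVENTS = [
    r"type=process_create|image=C:\Users\Admin\AppData\Local\Temp\sample.exe|parent=C:\Windows\explorer.exe",
    r"type=file_create|image=C:\Users\Admin\AppData\Roaming\omsecor.exe|target=C:\Windows\SysWOW64\omsecor.exe",
    r"type=process_create|image=C:\Windows\SysWOW64\omsecor.exe|parent=C:\Users\Admin\AppData\Roaming\omsecor.exe",
    r"type=dns_query|image=C:\Windows\SysWOW64\omsecor.exe|query=lousta.net",
    r"type=network_connect|image=C:\Windows\SysWOW64\omsecor.exe|dst_ip=193.166.255.171|dst_port=80",
    r"type=process_create|image=C:\Program Files\Notepad++\notepad++.exe|parent=C:\Windows\explorer.exe",
    r"type=dns_query|image=C:\Windows\System32\svchost.exe|query=update.microsoft.com",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"line {idx}: {', '.join(hits)}")
```

The first-stage binary in %Temp% is deliberately not matched by name, since its filename is just the sample's SHA-256 and will differ per submission; the persistent name omsecor.exe, the two C2 hops and the dropped-file hashes are the stable indicators this report supports. hash_file is the piece a responder would point at a recovered omsecor.exe to compare against the Files tables.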