Analysis Overview
| SHA256 | 57b5e6517c83528b9409b2a901754f00a72315d40905bf84b51ed65bfbd84422 |
| Threat Level | Known bad |
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
| Reported | 2024-06-10 12:22 |
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-10 12:22 |
| Reported | 2024-06-10 12:25 |
| Platform | win7-20240508-en |
| Max time kernel | 146s |
| Max time network | 155s |
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57b5e6517c83528b9409b2a901754f00a72315d40905bf84b51ed65bfbd84422.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57b5e6517c83528b9409b2a901754f00a72315d40905bf84b51ed65bfbd84422.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\57b5e6517c83528b9409b2a901754f00a72315d40905bf84b51ed65bfbd84422.exe
"C:\Users\Admin\AppData\Local\Temp\57b5e6517c83528b9409b2a901754f00a72315d40905bf84b51ed65bfbd84422.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2848-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 357347451a957aac0f834665521b215b |
| SHA1 | 7598305ebff1d193baa55eaa87e7c13ed71aa4b9 |
| SHA256 | 932f73329696afe721b20488e4abfedf5bce1a89f2d371b6f9bdfc52abd0f95f |
| SHA512 | 24185f394da1e3a462f082f0a6e896fdd1acb4718b382e69dd0f85808f0d7b671fe18f28f85753448e99ee14d9315652314a44a456750b2f8698e4134e3f603e |
memory/1704-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2848-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1704-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1704-15-0x00000000020F0000-0x000000000211A000-memory.dmp
memory/1704-21-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2428-25-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 11bd97bcce3c69d3aa107531ccb45e6a |
| SHA1 | 3a80b9b7afcce3c7b6e990c1b9843060de1aca6f |
| SHA256 | e9702cb09e36faa58cefe1d7f1f348d185f2fe2f6e45837afe7f54ced916eed3 |
| SHA512 | 90b00a7a0221947b1e44c042ea75be5e60c8311720649f8b257085112b31b6e5752337853ba0d0fb25e8087a0014156ed4aefa34dde30ebbe148b694c35e7bd5 |
memory/1616-33-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1616-35-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-10 12:22 |
| Reported | 2024-06-10 12:25 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 143s |
| Max time network | 151s |
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\57b5e6517c83528b9409b2a901754f00a72315d40905bf84b51ed65bfbd84422.exe
"C:\Users\Admin\AppData\Local\Temp\57b5e6517c83528b9409b2a901754f00a72315d40905bf84b51ed65bfbd84422.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1272,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4224 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/4808-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 357347451a957aac0f834665521b215b |
| SHA1 | 7598305ebff1d193baa55eaa87e7c13ed71aa4b9 |
| SHA256 | 932f73329696afe721b20488e4abfedf5bce1a89f2d371b6f9bdfc52abd0f95f |
| SHA512 | 24185f394da1e3a462f082f0a6e896fdd1acb4718b382e69dd0f85808f0d7b671fe18f28f85753448e99ee14d9315652314a44a456750b2f8698e4134e3f603e |
memory/4808-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/5096-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/5096-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 90b1ecb5105e403c7377c02dbddf3ebe |
| SHA1 | f17efa661854a9381e253bdece0cebd0871afaaa |
| SHA256 | d072f990d0159f1eb7bde029d245f3c69edceb1bc394ea316218c124a06deccd |
| SHA512 | 417194e8700fe735a4f21af9c6ea2710b458796d773ab5bf6e913a952a4cd67a3e79c84f861dad7920d5ff19c9250cf0f524ca3111d428720459df702529eb74 |
memory/5096-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/920-13-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 35a39209def7ee16df4e7a6cfc3c8f1c |
| SHA1 | 8d74d440d20ccc816d740ece0e5001f0f9d7b74d |
| SHA256 | 3f3194599abd2819cdef74950b8e077607cd009e69090985ef769d3145e9c01a |
| SHA512 | 5fb3a40c2d22f18521061d3870a3b14b141ae111d00cfb5feceadc48146e628232406922c6037edfaa60ed837c9deb78ae6e84ce0d7db5b0906275c6d2c08782 |
memory/920-17-0x0000000000400000-0x000000000042A000-memory.dmp
memory/396-18-0x0000000000400000-0x000000000042A000-memory.dmp
memory/396-20-0x0000000000400000-0x000000000042A000-memory.dmp