Analysis Overview
SHA256
92448ed7293d9b9d220cbea208bfb3c01135effdf5d70a221a0341032c3985fe
Threat Level: Known bad
The file 92448ed7293d9b9d220cbea208bfb3c01135effdf5d70a221a0341032c3985fe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 14:49
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 14:49
Reported
2024-06-10 14:51
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92448ed7293d9b9d220cbea208bfb3c01135effdf5d70a221a0341032c3985fe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92448ed7293d9b9d220cbea208bfb3c01135effdf5d70a221a0341032c3985fe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92448ed7293d9b9d220cbea208bfb3c01135effdf5d70a221a0341032c3985fe.exe
"C:\Users\Admin\AppData\Local\Temp\92448ed7293d9b9d220cbea208bfb3c01135effdf5d70a221a0341032c3985fe.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 51d8ac7adbff4cf0e750e180af81a3fb |
| SHA1 | 10944f05df304ca11fd4d927afa38602487e5d33 |
| SHA256 | eadd77b2cc201e68c223ccfae7c8135145ea4f2f6a0e1ec78f25d072dbf8db8d |
| SHA512 | 4616b54242e7b6500ffb0228a4d30ce1ce69af0816d1631bb0ebd9c68dbdd1f1c43a3ff68d39e03cd87684eccf9c1c4bbf9b6f15143a387bf51f40dcc544c1c6 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | af1e713f2c05196fc1a2b827e0d20a1c |
| SHA1 | 005e336ee6061ade4601a12f2d2706fd2ceac1b8 |
| SHA256 | e465a0dea62cc043793fc73b1f9745376ab1cf82846f34b7e7fc62053a2e9344 |
| SHA512 | 406f8e20e859a65d2ec0b5ce41d1ea9fbe6f64c67f416ea2920f7492c4141ffc2cf0bb14f043e0eab2ee4f833a41c8bf4cb8c8cb798eb7f8db14cc4be81cd908 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | f4721ae8c50db50c6bea11bce46a8fa6 |
| SHA1 | 64779dbf13fb5e7ffb72fe9e47c635348c3a3bb1 |
| SHA256 | b692e8646dd8812d783fd27255b0c0e137e1c2dc1f03c8b8591a86434e89c0a1 |
| SHA512 | 4cba75686d5404daa5b3da60ed4c4b5c81bacbdaa9380d928f91a856c3c06cbd2fa9c252c3c7bda6128819bfd246228159d084b1d51eee8e6a40e071a8c7deb4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 14:49
Reported
2024-06-10 14:51
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1432 wrote to memory of 3832 | N/A | C:\Users\Admin\AppData\Local\Temp\92448ed7293d9b9d220cbea208bfb3c01135effdf5d70a221a0341032c3985fe.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1432 wrote to memory of 3832 | N/A | C:\Users\Admin\AppData\Local\Temp\92448ed7293d9b9d220cbea208bfb3c01135effdf5d70a221a0341032c3985fe.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1432 wrote to memory of 3832 | N/A | C:\Users\Admin\AppData\Local\Temp\92448ed7293d9b9d220cbea208bfb3c01135effdf5d70a221a0341032c3985fe.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3832 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3832 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3832 wrote to memory of 4904 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\92448ed7293d9b9d220cbea208bfb3c01135effdf5d70a221a0341032c3985fe.exe
"C:\Users\Admin\AppData\Local\Temp\92448ed7293d9b9d220cbea208bfb3c01135effdf5d70a221a0341032c3985fe.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 192.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 51d8ac7adbff4cf0e750e180af81a3fb |
| SHA1 | 10944f05df304ca11fd4d927afa38602487e5d33 |
| SHA256 | eadd77b2cc201e68c223ccfae7c8135145ea4f2f6a0e1ec78f25d072dbf8db8d |
| SHA512 | 4616b54242e7b6500ffb0228a4d30ce1ce69af0816d1631bb0ebd9c68dbdd1f1c43a3ff68d39e03cd87684eccf9c1c4bbf9b6f15143a387bf51f40dcc544c1c6 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 869f51af3219f4579635d819c7b732b5 |
| SHA1 | 8df295f91d28de4957e28a47c305d353a9d86cfe |
| SHA256 | f141735c5dd5b18df44a433d62c59807294be6ca877c8310f3cbc7940251bbcb |
| SHA512 | 35760827d722a2858439c3e70e53fca36fac9f66a7f33528e53959f89b4db49fd3294be15d4e1420ed9f8177e01131329d7b5b4ebfb6be164a681d8d310bb247 |