Analysis Overview
SHA256: 994c0c49b99e872431a75492102bfccae27152f853c79bbfc4620b5e7bd74d62
Threat Level: Known bad
The file 994c0c49b99e872431a75492102bfccae27152f853c79bbfc4620b5e7bd74d62 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported: 2024-06-10 15:09
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-10 15:09
Reported: 2024-06-10 15:11
Platform: win10v2004-20240226-en
Max time kernel: 143s
Max time network: 152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2212 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\994c0c49b99e872431a75492102bfccae27152f853c79bbfc4620b5e7bd74d62.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2212 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\994c0c49b99e872431a75492102bfccae27152f853c79bbfc4620b5e7bd74d62.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2212 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\994c0c49b99e872431a75492102bfccae27152f853c79bbfc4620b5e7bd74d62.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1284 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1284 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1284 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\994c0c49b99e872431a75492102bfccae27152f853c79bbfc4620b5e7bd74d62.exe
"C:\Users\Admin\AppData\Local\Temp\994c0c49b99e872431a75492102bfccae27152f853c79bbfc4620b5e7bd74d62.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
memory/2212-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | dfd5a01900d5beaff3aa658fa4d382d9 |
| SHA1 | dfcf956117f53dd74ad10336466ef3213f60ffbf |
| SHA256 | fd2efbfbfd2a68b0acba79db89acda2ffaffa7dfbe2ff2ef10707cfe28479c5d |
| SHA512 | 95fee01856e5541acf929e2d0be371d1c9f2542d06f2f813b659ddb667df49cffee08afd45d982653f8993be3985cc844e40170a82efb87b2b2c46f6578fba7d |
memory/1284-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2212-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1284-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 6b07252adb82acb28dc6dc778f51b145 |
| SHA1 | 377f4b89b78a85e9e1cd6d01631e77ac608fc212 |
| SHA256 | 4425966154d590a8e3ecf73579f3a096da54d9b421d5211d88277270ef54f737 |
| SHA512 | 74930807f5fa0ffa4dd91c947bb406225650378ba6a80035f065387b324a986789a7f0bb6e66ddf8dc1a219b8f25d2a12cb999f080d185e81d34dda1822b919b |
memory/4732-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1284-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4732-14-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-10 15:09
Reported: 2024-06-10 15:11
Platform: win7-20240215-en
Max time kernel: 146s
Max time network: 147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\994c0c49b99e872431a75492102bfccae27152f853c79bbfc4620b5e7bd74d62.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\994c0c49b99e872431a75492102bfccae27152f853c79bbfc4620b5e7bd74d62.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\994c0c49b99e872431a75492102bfccae27152f853c79bbfc4620b5e7bd74d62.exe
"C:\Users\Admin\AppData\Local\Temp\994c0c49b99e872431a75492102bfccae27152f853c79bbfc4620b5e7bd74d62.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/1680-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1680-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2740-10-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | dfd5a01900d5beaff3aa658fa4d382d9 |
| SHA1 | dfcf956117f53dd74ad10336466ef3213f60ffbf |
| SHA256 | fd2efbfbfd2a68b0acba79db89acda2ffaffa7dfbe2ff2ef10707cfe28479c5d |
| SHA512 | 95fee01856e5541acf929e2d0be371d1c9f2542d06f2f813b659ddb667df49cffee08afd45d982653f8993be3985cc844e40170a82efb87b2b2c46f6578fba7d |
memory/2740-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 21e6021c405a83822b5e1468ba9f57d1 |
| SHA1 | c5f0d646c877e7eb9e6f0eaec27853e8db0b3668 |
| SHA256 | b1900524fada6549366ad60e2e9c9f03a372e63516e274dcc8d08659f3aa10bf |
| SHA512 | c16a3bc2a33b8ba57f346d55af57b73e598a691008b6717ebf9c99ff0eaf151b717a280e53c51daed5e360afee0fcb5b62953589110ed0be6bebf1b74b4f9bc0 |
memory/2740-17-0x00000000003B0000-0x00000000003DB000-memory.dmp
memory/2740-24-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 0194ae52d32908cad0cd48b53843b152 |
| SHA1 | 9c91614a9b5cdf1700864f86323209876cef5695 |
| SHA256 | f5f4c33bb0f2acadf13bb02566b78f0e409210beabfe1274a5d73644bc3d012c |
| SHA512 | 3d066cfd270fda839283ee1db1bed4689e1d767d642ebbfd3c47161658e6c55cea516b182fa9abac2a2d01fb5db88443149874f89b24f748dbb42c659edc7f5d |
memory/320-29-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2304-35-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2304-37-0x0000000000400000-0x000000000042B000-memory.dmp