Analysis Overview
SHA256
9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2
Threat Level: Known bad
The file 9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 15:21
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 15:21
Reported
2024-06-10 15:23
Platform
win7-20240221-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe
"C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2240-1-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 58e01bfc03818031d0271bdb7fe809f0 |
| SHA1 | 5743d43a2568a37d7cc92313755fa539992db91d |
| SHA256 | 01a4e5ecca0621a1e8e3dfe028dd808259b75b2a10879a739e3508f67dbd4894 |
| SHA512 | 6882f74757932669e8e4a550cc4ee012463c599da044d71a48dc23c43f33335996bf7e5c50b2b93e596efa34b1c8afcfc755481a0c510948b6f6676cdf628373 |
memory/2240-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2688-10-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2688-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 968097ef336c8efd636473eb0b03a25b |
| SHA1 | 885b7db50b585e9ad164cc98dbc8241658955a6c |
| SHA256 | b7bb00faaf12d6900f60c932799b5d596bf0008a13c53de530b868e22f264038 |
| SHA512 | 1889541214218392809d1035f304240b01929a1059e9966080220fea6139c922a16bef1c3eb735b84aea47f6a99094e09de92bfee88937e519017e3e45e94025 |
memory/2688-17-0x0000000000430000-0x000000000045B000-memory.dmp
memory/2688-23-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 82ab367c512a5939cdfbd2433f37531c |
| SHA1 | fbb2c39e3a057d964baf2e80eee41f90c6ec50fa |
| SHA256 | 592a9de46892cc3ac6887b6dcf8cf0674234b8f268f890859b38bbe78076434f |
| SHA512 | 13eba8f93323a09d9b90ce92e4194c644cefa485de283ab1d58a604ba64ace414ec1cbc66a5fe4d9c756c987f0edfa0b2b564e272c560ab2b8183def55af294b |
memory/1240-35-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1912-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1240-37-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 15:21
Reported
2024-06-10 15:23
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2292 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2292 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2292 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3940 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3940 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3940 wrote to memory of 3260 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe
"C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 243.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 52.111.227.11:443 | N/A | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2292-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 58e01bfc03818031d0271bdb7fe809f0 |
| SHA1 | 5743d43a2568a37d7cc92313755fa539992db91d |
| SHA256 | 01a4e5ecca0621a1e8e3dfe028dd808259b75b2a10879a739e3508f67dbd4894 |
| SHA512 | 6882f74757932669e8e4a550cc4ee012463c599da044d71a48dc23c43f33335996bf7e5c50b2b93e596efa34b1c8afcfc755481a0c510948b6f6676cdf628373 |
memory/2292-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3940-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3940-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 4b0d4509dec29f9e42bd9be23e3e05af |
| SHA1 | e1438f74f16d7a19010a806bbca7d47808b82473 |
| SHA256 | 170d46aeec1835f1fc9af6a8baf24a9fb1518c52bf2937e8e628dd8f6171aad6 |
| SHA512 | 78227415891324c7d8c81fd0fbe5c47fa379e54501d9e36b958218af1631009cc389be2b5d44c0a20b27fd1af252992962994fc2a8f9b0a8c8eb9862da3225ff |
memory/3260-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3940-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3260-14-0x0000000000400000-0x000000000042B000-memory.dmp