Analysis Overview
SHA256
bfe474307282d9e1a884ead566c454d198ab980c74cd2f51cb03ac0b7a7102e1
Threat Level: Known bad
The file bfe474307282d9e1a884ead566c454d198ab980c74cd2f51cb03ac0b7a7102e1 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 16:44
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 16:44
Reported
2024-06-10 16:46
Platform
win7-20240220-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfe474307282d9e1a884ead566c454d198ab980c74cd2f51cb03ac0b7a7102e1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfe474307282d9e1a884ead566c454d198ab980c74cd2f51cb03ac0b7a7102e1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bfe474307282d9e1a884ead566c454d198ab980c74cd2f51cb03ac0b7a7102e1.exe
"C:\Users\Admin\AppData\Local\Temp\bfe474307282d9e1a884ead566c454d198ab980c74cd2f51cb03ac0b7a7102e1.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 925dd40697fc369fef7396edef28ab3d |
| SHA1 | 950bbb6b47abd4610ec7636d6b144afc3c2a821a |
| SHA256 | ac3430ffff6deeb002882a640b53e23c2e4d7d42fc6eb6e5b2a47fa755a4ef4d |
| SHA512 | f79b90d6288fb9ac1e53a7402b850e88deb9e68113f3d86124f664f4f7cd2bfb0d9a75f419d23ee72f29666d6139bbda8308a0be6ab7ddf61a23c47732f741f3 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 6cc93ca1a46454c5628cd1376d7e503b |
| SHA1 | eae64270adf2fd90fa8daf21d9894c874f64d102 |
| SHA256 | 2429b8feace66fc68ba4adada06a1a1484101652c64332aa80418e07db027851 |
| SHA512 | 241d3fafb9944bb3a7f3e4a659aec2250a05e364ebed58d42d652195d2c73203b26a0fcf601a85080d8e821993f1a943816d666748e7272df83952d21d2c5619 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 949ffc28986532c79f8f6c04248ed615 |
| SHA1 | e83d89483b9c619319f8ed24f28976487d324421 |
| SHA256 | 9931d50dc1ee0b351369032457141403bafacc56ae6df9bb6f3bbb52e1ef2e67 |
| SHA512 | 0df8b4711ed60aed43f047558387f3e2a91ec07414f66c2ad173b4b252fe8cb87ad98fc6e21bd996e5de5e6032be48bfa39fd7e985083e956ef9c8dad654b8ef |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 16:44
Reported
2024-06-10 16:46
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bfe474307282d9e1a884ead566c454d198ab980c74cd2f51cb03ac0b7a7102e1.exe
"C:\Users\Admin\AppData\Local\Temp\bfe474307282d9e1a884ead566c454d198ab980c74cd2f51cb03ac0b7a7102e1.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 925dd40697fc369fef7396edef28ab3d |
| SHA1 | 950bbb6b47abd4610ec7636d6b144afc3c2a821a |
| SHA256 | ac3430ffff6deeb002882a640b53e23c2e4d7d42fc6eb6e5b2a47fa755a4ef4d |
| SHA512 | f79b90d6288fb9ac1e53a7402b850e88deb9e68113f3d86124f664f4f7cd2bfb0d9a75f419d23ee72f29666d6139bbda8308a0be6ab7ddf61a23c47732f741f3 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 5d70aa5967b1b600728d7087fd44e9d0 |
| SHA1 | 105253aa709812257e872db7cf78628c646d27e0 |
| SHA256 | fd2335b87c18ae184c4ed5927ae9a32b406ddc281e1910187bddb5e7b4343358 |
| SHA512 | 03737e73e617796f737ab59ce4bd6741ba63887bb2c069d28782d687849d2ee97bc6a25c1f2afbfaa28e422725661fa07c00f859188f80c357ae984523d7c946 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 59dc3be98c8a67f568a7de977aee169b |
| SHA1 | 611902e38f820b8c2708c5ce6e9a19c88c6a03fb |
| SHA256 | daed7be245cecbed988c59666847750ae36655388480a04551cf626363a048ed |
| SHA512 | f816fcbb5847588c258261e6fe1476b4b1b968de69cc1ab4bd0cddfdfd577834fecea0843888054da924aebfd114006c48425d0fb39eed974dfe37ba9d6ef473 |