Analysis Overview
SHA256
ce0887dd0e8799ed78a8276284e4de13bc343335030c5930915499c3ff6e7ca9
Threat Level: Known bad
The file ce0887dd0e8799ed78a8276284e4de13bc343335030c5930915499c3ff6e7ca9 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 17:28
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 17:28
Reported
2024-06-10 17:31
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce0887dd0e8799ed78a8276284e4de13bc343335030c5930915499c3ff6e7ca9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce0887dd0e8799ed78a8276284e4de13bc343335030c5930915499c3ff6e7ca9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ce0887dd0e8799ed78a8276284e4de13bc343335030c5930915499c3ff6e7ca9.exe
"C:\Users\Admin\AppData\Local\Temp\ce0887dd0e8799ed78a8276284e4de13bc343335030c5930915499c3ff6e7ca9.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/3016-1-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 25c836f6aea0dde4bae0278a3416e0a0 |
| SHA1 | 64e0022d06749c9d2685c206b90c0b898ed5c962 |
| SHA256 | 9ed946a89378df5451f693c91e0da0be432cc895f7b1aa18e88d50f6f11d4df0 |
| SHA512 | 1c244824b151dce6e1b7f7948dcc04aa5551108bfd68686ce5fa6d20402bd86434295cb41f5af53dacca9d192a3bd47a1fcc4035cbb43290973016e6baf3c516 |
memory/2488-9-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2488-11-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 64ba30f4787ba73edfc1b1696e65491a |
| SHA1 | 5e2d74158feed7c27c32761026ff72bace997035 |
| SHA256 | 53b2233df4db42720ac084bd6d5c67bf581a69851358d0e499950bfeb5390192 |
| SHA512 | df5025b391ec765659903828c2cefdd8ec7a64cbb7708b10c05f46bbd28aaeaa8a218db2fe53ddd49ca3615660348147992413cd0942cac9fd9d235e5c596f86 |
memory/2488-14-0x00000000005A0000-0x00000000005CA000-memory.dmp
memory/2488-21-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1292-22-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 1af52f6087bbba2d3c39569663c6d1b8 |
| SHA1 | 0e04db7070984e2666640882270455666d5c1375 |
| SHA256 | 8a5004a9063be61353585d810de1baa1877267ba48890de4dff851f49c451d12 |
| SHA512 | dfc1e88245a69cdb70d7aa3b72e04e0711539a660e594bb67ef43740013fa1854ca6f39288497626e002ca2fd748b7aa9859c879dfdbb5e3e457beb3941a5685 |
memory/1292-27-0x00000000002A0000-0x00000000002CA000-memory.dmp
memory/2492-34-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1292-33-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2492-36-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 17:28
Reported
2024-06-10 17:31
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
139s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ce0887dd0e8799ed78a8276284e4de13bc343335030c5930915499c3ff6e7ca9.exe
"C:\Users\Admin\AppData\Local\Temp\ce0887dd0e8799ed78a8276284e4de13bc343335030c5930915499c3ff6e7ca9.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
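The Processes, Signatures and Network sections of both detonations (behavioral1 and behavioral2) describe the same chain: the sample writes omsecor.exe under AppData\Roaming, that copy runs and writes a second omsecor.exe into C:\Windows\SysWOW64, that copy runs too, and DNS queries go out for lousta.net, mkkuei4kdsz.com and ow5dirasuek.com. The following is an added example, not part of the sandbox report, that turns those observations into three detection rules and runs them over constructed Sysmon-style events. Two assumptions are built in: the report does not say which process issued the DNS queries, so the sample events attribute them to omsecor.exe; and the process list shows the SysWOW64 copy launched as C:\Windows\System32\omsecor.exe while the file was created in SysWOW64, which is what WoW64 file-system redirection produces for a 32-bit image, so the rules fold System32 onto SysWOW64 before matching.

```python
"""Behavioural detection for the omsecor.exe drop-and-execute chain.

Added example, not part of the sandbox report: three rules run over
constructed Sysmon-style events shaped like the report's Processes,
Signatures and Network sections. Which process issued the DNS queries is
not stated in the report; the sample events attribute them to omsecor.exe
as an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Domains queried in both detonations (report Network tables). The reverse
# lookup 8.8.8.8.in-addr.arpa seen in behavioral2 is resolver noise, not an IOC.
IOC_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}

# Drop locations from the report. Any user name is accepted in the Roaming path.
ROAMING_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$")
SYSWOW64_RE = re.compile(r"^c:\\windows\\syswow64\\omsecor\.exe$")


def normalize(path: str) -> str:
    """Lower-case, unquote, and fold System32 onto SysWOW64.

    The report records the file as created in SysWOW64 but the process as
    C:\\Windows\\System32\\omsecor.exe: a 32-bit process opening System32 is
    redirected to SysWOW64 by WoW64, so both spellings name the same file.
    """
    p = path.strip().strip('"').lower()
    return p.replace("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Event:
    kind: str         # "process_create" | "file_create" | "dns_query"
    image: str        # process that performed the action
    target: str = ""  # created file (file_create) or queried name (dns_query)


def detect(events: Iterable[Event]) -> list[str]:
    """Return one alert string per event that matches a rule."""
    alerts: list[str] = []
    for e in events:
        img = normalize(e.image)
        if e.kind == "process_create":
            # Executes dropped EXE: omsecor.exe started from either drop location.
            if ROAMING_RE.match(img) or SYSWOW64_RE.match(img):
                alerts.append(f"exec-dropped-exe {img}")
        elif e.kind == "file_create":
            # Drops file in System32 directory: the Roaming copy writes the SysWOW64 copy.
            tgt = normalize(e.target)
            if ROAMING_RE.match(img) and SYSWOW64_RE.match(tgt):
                alerts.append(f"drop-into-syswow64 {img} -> {tgt}")
        elif e.kind == "dns_query":
            dom = e.target.lower().rstrip(".")
            if dom in IOC_DOMAINS:
                alerts.append(f"ioc-dns {img} {dom}")
    return alerts


# Constructed events following the report's process list and network table.
SAMPLE_EVENTS = [
    Event("process_create", r'"C:\Users\Admin\AppData\Local\Temp\ce0887dd0e8799ed78a8276284e4de13bc343335030c5930915499c3ff6e7ca9.exe"'),
    Event("process_create", r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
    Event("file_create", r"C:\Users\Admin\AppData\Roaming\omsecor.exe", r"C:\Windows\SysWOW64\omsecor.exe"),
    Event("process_create", r"C:\Windows\System32\omsecor.exe"),
    Event("dns_query", r"C:\Users\Admin\AppData\Roaming\omsecor.exe", "lousta.net"),
    Event("dns_query", r"C:\Windows\SysWOW64\omsecor.exe", "8.8.8.8.in-addr.arpa"),
    Event("process_create", r"C:\Windows\System32\notepad.exe"),  # benign control
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events the rules fire four times: two executions of the dropped EXE (Roaming and SysWOW64, the latter matched through the System32 spelling), one drop into SysWOW64 by the Roaming copy, and one DNS query for lousta.net; the reverse lookup and notepad.exe produce nothing.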
Files
memory/4796-1-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 25c836f6aea0dde4bae0278a3416e0a0 |
| SHA1 | 64e0022d06749c9d2685c206b90c0b898ed5c962 |
| SHA256 | 9ed946a89378df5451f693c91e0da0be432cc895f7b1aa18e88d50f6f11d4df0 |
| SHA512 | 1c244824b151dce6e1b7f7948dcc04aa5551108bfd68686ce5fa6d20402bd86434295cb41f5af53dacca9d192a3bd47a1fcc4035cbb43290973016e6baf3c516 |
memory/3956-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3956-6-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 349be8d221c49c1bcef7f8b9ce344476 |
| SHA1 | 69e78dd23a1c026ceea6a628cc2a7ae6252120bb |
| SHA256 | dbbc6d793f2dc8fd25846db08c07f096aa8588af2c303464b2641028450891e8 |
| SHA512 | 299b4d3cf848bc336257ee295e4e050bc9cfbc155d5027b36d8cfc0ff0a32adc84e27128c618cd6d4e44062fc70795052c2c8b54f763309f3d18fabfa043de0e |
memory/3956-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3960-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3960-16-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3350bbe4595646095a831cce0c53860b |
| SHA1 | e8bf5d6866d1c6430b21a1eea24ad1e38b12385e |
| SHA256 | 24897d41b45727101180832e6b44815c8c69b42cc9af66d7f9c6b38a8faa24a3 |
| SHA512 | b874e6cb3cfd0d3d3d165407610ef530aedbff515dcb0dbfffa044a53c8e9d277f792ac944f049963d4f620cbe2db588eb6a908801f09eb88b9ba5ccaa41b04a |
memory/3376-18-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3376-19-0x0000000000400000-0x000000000042A000-memory.dmp
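The Files sections of behavioral1 and behavioral2 show that the first write of AppData\Roaming\omsecor.exe has the same hashes in both runs (MD5 25c836f6aea0dde4bae0278a3416e0a0), while the SysWOW64 copy and the second write of the Roaming file have different hashes in each run, so a hash list from one detonation does not cover what another infected host will hold. The following is an added example, not part of the sandbox report, that sweeps a directory tree for files named omsecor.exe, reports those whose SHA256 is in the report's list, and still reports same-named files with an unknown hash. It runs against a constructed temporary directory with placeholder files (no real dropper), and registers the placeholder's own hash to show the positive path; the labels attached to each hash are assumptions drawn from where the report lists them.

```python
"""Hash-based IOC sweep for the omsecor.exe drops listed in the report.

Added example, not part of the sandbox report. It builds its own temporary
directory with placeholder files rather than scanning a real host.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Files sections; labels are the
# location where each value appears in the report.
KNOWN_SHA256 = {
    "ce0887dd0e8799ed78a8276284e4de13bc343335030c5930915499c3ff6e7ca9": "submitted sample",
    "9ed946a89378df5451f693c91e0da0be432cc895f7b1aa18e88d50f6f11d4df0": "AppData\\Roaming\\omsecor.exe, first write (same in both runs)",
    "53b2233df4db42720ac084bd6d5c67bf581a69851358d0e499950bfeb5390192": "SysWOW64\\omsecor.exe, behavioral1",
    "8a5004a9063be61353585d810de1baa1877267ba48890de4dff851f49c451d12": "AppData\\Roaming\\omsecor.exe, second write, behavioral1",
    "dbbc6d793f2dc8fd25846db08c07f096aa8588af2c303464b2641028450891e8": "SysWOW64\\omsecor.exe, behavioral2",
    "24897d41b45727101180832e6b44815c8c69b42cc9af66d7f9c6b38a8faa24a3": "AppData\\Roaming\\omsecor.exe, second write, behavioral2",
}


def sha256_file(path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, known=KNOWN_SHA256, name: str = "omsecor.exe") -> list[tuple[str, str]]:
    """Return (path, label) for every file named `name` under `roots`.

    The label is the report entry for a known hash, or "unknown-content" when
    the name matches but the hash does not: the report shows the SysWOW64 copy
    and the second Roaming write differing between runs, so an unknown hash at
    one of these paths is still worth pulling for analysis.
    """
    hits: list[tuple[str, str]] = []
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_file() and p.name.lower() == name:
                hits.append((str(p), known.get(sha256_file(p), "unknown-content")))
    return hits


def demo() -> list[tuple[str, str]]:
    """Constructed layout mirroring the report's drop paths under a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        roaming = Path(tmp, "Users", "Admin", "AppData", "Roaming")
        syswow = Path(tmp, "Windows", "SysWOW64")
        roaming.mkdir(parents=True)
        syswow.mkdir(parents=True)
        # Placeholder contents, not the real dropper.
        (roaming / "omsecor.exe").write_bytes(b"MZ placeholder, not the real dropper")
        (syswow / "omsecor.exe").write_bytes(b"MZ placeholder, different content")
        (syswow / "kernel32.dll").write_bytes(b"not scanned: name does not match")
        # Register the placeholder's own hash so the run shows a positive match.
        known = dict(KNOWN_SHA256)
        known[sha256_file(roaming / "omsecor.exe")] = "constructed-positive"
        return sorted(sweep([tmp], known))


if __name__ == "__main__":
    for path, label in demo():
        print(f"{label:22} {path}")
```

On a real host the roots would be the user profile directories and C:\Windows\SysWOW64; the function deliberately reports name matches with unknown hashes rather than silently dropping them, because this family rewrites its copies with different content.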