Analysis Overview
SHA256
d570de91f8429cec196fcfdef80d2d2d95bb09b7fa7f4191503e9b3de31d8123
Threat Level: Known bad
The file d570de91f8429cec196fcfdef80d2d2d95bb09b7fa7f4191503e9b3de31d8123 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 17:54
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 17:54
Reported
2024-06-10 17:56
Platform
win7-20240508-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d570de91f8429cec196fcfdef80d2d2d95bb09b7fa7f4191503e9b3de31d8123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d570de91f8429cec196fcfdef80d2d2d95bb09b7fa7f4191503e9b3de31d8123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d570de91f8429cec196fcfdef80d2d2d95bb09b7fa7f4191503e9b3de31d8123.exe
"C:\Users\Admin\AppData\Local\Temp\d570de91f8429cec196fcfdef80d2d2d95bb09b7fa7f4191503e9b3de31d8123.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2236-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e57bb9933d31e6cd145e2efbbcf8f146 |
| SHA1 | 5e741000a8ad1a57a24d9560e76744ebdca7f465 |
| SHA256 | c8b55750702b13b0c3a45ca3092066cdb055ade9a38e2b49190c2f3845ffd321 |
| SHA512 | de1e68349318d709729691bd5f29a103d64c981c406e7d8c78f34a680a28f98f6b5a6bfdc7299b2df95fbd2fe0abd108f4ec7727109482d6637f3af35085564a |
memory/2236-9-0x00000000002A0000-0x00000000002CB000-memory.dmp
memory/2236-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2068-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2236-13-0x00000000002A0000-0x00000000002CB000-memory.dmp
memory/2068-14-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 97c946d55148324cb7225eb2eb75afc1 |
| SHA1 | b0398f17ec74cff0c4952ec5b341fb4a9d0769dd |
| SHA256 | 9ff58d7fb6f3ed482074b8778ae688ae018b40c881b9ed362fd99993d60280a2 |
| SHA512 | 006556fe040490caa6896012dde447e53d2064a41e8d5b2538c74ec2c0c89abb3e66d234d79b00eb9e9ff946b3b0c1526362abd3895551f4bbe9f52bf352d9aa |
memory/2068-17-0x00000000002E0000-0x000000000030B000-memory.dmp
memory/2068-23-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1928-35-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0e3a2df1ee99b5ebbb2cf608f45e051a |
| SHA1 | 28cb84e0277c7d949804d7f04f628053b0c5a981 |
| SHA256 | f2920489b491a9606319e89837784974e346748fe418886810308bc021ff6030 |
| SHA512 | b630115e318a8fb4d11cc25a8fbd93b39cbe2509917809ddf2ca9aa66bcbfbe8d5cd6ef6a4190972cf8f25d91fa9068753caef482e7512e0c26264efbbe7a49a |
memory/1672-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1928-37-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 17:54
Reported
2024-06-10 17:57
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
159s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 868 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\d570de91f8429cec196fcfdef80d2d2d95bb09b7fa7f4191503e9b3de31d8123.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 868 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\d570de91f8429cec196fcfdef80d2d2d95bb09b7fa7f4191503e9b3de31d8123.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 868 wrote to memory of 1736 | N/A | C:\Users\Admin\AppData\Local\Temp\d570de91f8429cec196fcfdef80d2d2d95bb09b7fa7f4191503e9b3de31d8123.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1736 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1736 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1736 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d570de91f8429cec196fcfdef80d2d2d95bb09b7fa7f4191503e9b3de31d8123.exe
"C:\Users\Admin\AppData\Local\Temp\d570de91f8429cec196fcfdef80d2d2d95bb09b7fa7f4191503e9b3de31d8123.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/868-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e57bb9933d31e6cd145e2efbbcf8f146 |
| SHA1 | 5e741000a8ad1a57a24d9560e76744ebdca7f465 |
| SHA256 | c8b55750702b13b0c3a45ca3092066cdb055ade9a38e2b49190c2f3845ffd321 |
| SHA512 | de1e68349318d709729691bd5f29a103d64c981c406e7d8c78f34a680a28f98f6b5a6bfdc7299b2df95fbd2fe0abd108f4ec7727109482d6637f3af35085564a |
memory/868-3-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1736-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1736-7-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1736-11-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | be62b76f4e38d89ba617dbbdab7494c0 |
| SHA1 | 7772876ee6542fa7c9ff7957598adf755e2ed724 |
| SHA256 | 2ab1ca115febf01bf6f8cb2962a9eaa38da827b6053f72dae627105403f44238 |
| SHA512 | bdaf6de63612085ec8fc20528558283118e813bb2d18472fdce4d165df26a9d8ef59075d1f8c48d6869864fa57170e79e592303d890e5bcd2b102559c25b699c |
memory/1980-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1980-14-0x0000000000400000-0x000000000042B000-memory.dmp