Analysis Overview
SHA256
01e59adf9b0cc4aa37359e6a0600751cacede3216a6e1bdcee24665294425bf1
Threat Level: Known bad
The file 01e59adf9b0cc4aa37359e6a0600751cacede3216a6e1bdcee24665294425bf1 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 18:09
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 18:09
Reported
2024-06-10 18:12
Platform
win7-20240221-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01e59adf9b0cc4aa37359e6a0600751cacede3216a6e1bdcee24665294425bf1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01e59adf9b0cc4aa37359e6a0600751cacede3216a6e1bdcee24665294425bf1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\01e59adf9b0cc4aa37359e6a0600751cacede3216a6e1bdcee24665294425bf1.exe
"C:\Users\Admin\AppData\Local\Temp\01e59adf9b0cc4aa37359e6a0600751cacede3216a6e1bdcee24665294425bf1.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6704d86a03d04f57b0c1aa641f23ffae |
| SHA1 | 68d109f2da80a57996dc36cef6431ae42d228548 |
| SHA256 | 34e9a7a206cfac0fa68478b940a0f07a51fbd06465454e63e46cb248d8decde2 |
| SHA512 | c88e13f964e839d0fe7f072647bf5fea1d9ec32081fca1fd888e1c2515fc6ed3bfb3644d732dd768b7cb03d02ca263d68a6ad6ce5b946d55c7d322748aa1777e |
\Windows\SysWOW64\omsecor.exe
| MD5 | a62d4bce1c0400e7b43f053db4c33b58 |
| SHA1 | 8c0f30cc8619d67285088cea81ffae222ad275f8 |
| SHA256 | 48185848f79cb5bba2001cc9c049eda951ece9ee5986ee27bd2f5d93da067de5 |
| SHA512 | 343dc322597b75b7b0fd46efb1369a5a84a64f5a8796b42cc4900c7572fba335cf19e6f53905d093fb7e9c4c6ed76db307f7841a819063cc28136bf96595f423 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c01c828259776b067fb55c6a56b5c58f |
| SHA1 | de228c87429e7682fc63348550a9102f123589b2 |
| SHA256 | f2d3b5ce61049a260a4313207b9aa18620e7ac332a9bba23acaff938a74c07b2 |
| SHA512 | 9a9544459ba4842ae5e2dc271ff03fe74f77478819543dfd798bc03b9c4b6a0350595a16648b476ee704043c8b5c6e403885d611aee6b39108d49b661378a217 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 18:09
Reported
2024-06-10 18:12
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2928 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\01e59adf9b0cc4aa37359e6a0600751cacede3216a6e1bdcee24665294425bf1.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2928 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\01e59adf9b0cc4aa37359e6a0600751cacede3216a6e1bdcee24665294425bf1.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2928 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\01e59adf9b0cc4aa37359e6a0600751cacede3216a6e1bdcee24665294425bf1.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3684 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3684 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3684 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\01e59adf9b0cc4aa37359e6a0600751cacede3216a6e1bdcee24665294425bf1.exe
"C:\Users\Admin\AppData\Local\Temp\01e59adf9b0cc4aa37359e6a0600751cacede3216a6e1bdcee24665294425bf1.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.179.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6704d86a03d04f57b0c1aa641f23ffae |
| SHA1 | 68d109f2da80a57996dc36cef6431ae42d228548 |
| SHA256 | 34e9a7a206cfac0fa68478b940a0f07a51fbd06465454e63e46cb248d8decde2 |
| SHA512 | c88e13f964e839d0fe7f072647bf5fea1d9ec32081fca1fd888e1c2515fc6ed3bfb3644d732dd768b7cb03d02ca263d68a6ad6ce5b946d55c7d322748aa1777e |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | e46aeaecc774a259646c4b2003db67ad |
| SHA1 | fac0d572b5dd8fa8e65c1b7345bf8a436d5ce026 |
| SHA256 | 09282d5e7daedb456f11d55e3b21351b8a660317ed3b0cb2eb71257031fdcd8e |
| SHA512 | 62c46fd552589780094ab6166987b18c9914aadf5fb5d13ccda9bfe8664eed215e0657005c01dd8a27c363a6a563487a914b4262608f4332f7d9a4e8fe9b12cc |