Analysis Overview
SHA256
f84de2d55b3298d90724e7c85214617d8171ce32fbe1233af278d0643cccc62a
Threat Level: Known bad
The file f84de2d55b3298d90724e7c85214617d8171ce32fbe1233af278d0643cccc62a was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 19:33
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 19:33
Reported
2024-06-10 19:35
Platform
win7-20240221-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f84de2d55b3298d90724e7c85214617d8171ce32fbe1233af278d0643cccc62a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f84de2d55b3298d90724e7c85214617d8171ce32fbe1233af278d0643cccc62a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f84de2d55b3298d90724e7c85214617d8171ce32fbe1233af278d0643cccc62a.exe
"C:\Users\Admin\AppData\Local\Temp\f84de2d55b3298d90724e7c85214617d8171ce32fbe1233af278d0643cccc62a.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 3dc194fb84c29abbd5632bd808c8035d |
| SHA1 | 05829f5941df78d48aeaa36af54e1b55813ed996 |
| SHA256 | 528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356 |
| SHA512 | ae94c0bedad38d6844530d4d61a0d76bf42a07c7d2bc38a132db4eb3e74329e1c59562937ee6f5ac9f6b57df65f8490eb669bc2ea1bd6739b04b6c8fc9888202 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 51a15bf3b3a92482c908fd101cbc8808 |
| SHA1 | 6e24386f9ee8e6302d680f766d4a268fb00f0f6e |
| SHA256 | bbe71526b6eeb4d787d0e9cbbc7aee3b283a4c573e6aa3902ae0e2d1cb17d9cd |
| SHA512 | 75f43aeff6ef10e7d7beacfc406b590ce1b16ac7191b9a60bf541d1bed9eacc9e55b1a6ee3c17a680b1e79997a3ee5c8c52edabd09783ff9a1275445de1a1e26 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 19:33
Reported
2024-06-10 19:35
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1184 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\f84de2d55b3298d90724e7c85214617d8171ce32fbe1233af278d0643cccc62a.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1184 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\f84de2d55b3298d90724e7c85214617d8171ce32fbe1233af278d0643cccc62a.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1184 wrote to memory of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\f84de2d55b3298d90724e7c85214617d8171ce32fbe1233af278d0643cccc62a.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4344 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4344 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4344 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f84de2d55b3298d90724e7c85214617d8171ce32fbe1233af278d0643cccc62a.exe
"C:\Users\Admin\AppData\Local\Temp\f84de2d55b3298d90724e7c85214617d8171ce32fbe1233af278d0643cccc62a.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 3dc194fb84c29abbd5632bd808c8035d |
| SHA1 | 05829f5941df78d48aeaa36af54e1b55813ed996 |
| SHA256 | 528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356 |
| SHA512 | ae94c0bedad38d6844530d4d61a0d76bf42a07c7d2bc38a132db4eb3e74329e1c59562937ee6f5ac9f6b57df65f8490eb669bc2ea1bd6739b04b6c8fc9888202 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | b9ce817b120e883c5b1ba45a99d35933 |
| SHA1 | 98a921d5873513aa76edcf3e86c7e8df1e8ae622 |
| SHA256 | f915a41e5e9ad1f6deefd9fab0d1de5afc53e83715324901475fec226ec3595b |
| SHA512 | 8d64a03cb844e1eef89ec4e89eb9e510f43795da1cb162d6a637d943c31515436ea7e4df20592e2ba88268a29f205d1e9f55534beafef6ad68ba8fd64deb13b8 |