Analysis Overview
SHA256
0b819215f9d3f2b11eda97811ddf7e2ac344dabe7773f4427409bca8c9c75168
Threat Level: Known bad
The file 0b819215f9d3f2b11eda97811ddf7e2ac344dabe7773f4427409bca8c9c75168 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 18:43
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 18:43
Reported
2024-06-10 18:46
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b819215f9d3f2b11eda97811ddf7e2ac344dabe7773f4427409bca8c9c75168.exe
"C:\Users\Admin\AppData\Local\Temp\0b819215f9d3f2b11eda97811ddf7e2ac344dabe7773f4427409bca8c9c75168.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 6a69bad9c4cb767f46effab75a5a220f |
| SHA1 | 31947098758bda938cb8a3fcd94aa5a4222c998a |
| SHA256 | 82c7b0a7128be0baacaf0dfe1f238edd051b9992ebf6d9458feda31a9a1a413f |
| SHA512 | 0035ebf1fe47164275ed39922a2e313a6d9a8044ff2e197e56caf0fc3a20fa9feaf78dc8e41933f776e2bb233321f714f91d973f1b26b4ba404fc93b2cc7c8f0 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 15f3778478205aab739ccb6256522bdf |
| SHA1 | f293c8b08244a7690cbf33c6d962533e51337e06 |
| SHA256 | 87733cfc177167398587046d923c7aac6f5231ad71e4749a2be39dded44043c6 |
| SHA512 | 356257e4e71be9735ff80f292c0b3cfd6b4459b8ac5ee291aeb7d63c5ef0dc7775090add8653951306090557e11cd7198d1ca8eb0ac6c81c46a782581a7c7d4c |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | f74ec1d22b4279551a0c42884058fc99 |
| SHA1 | 4b82a823e0aecf0eefdb0b78279b8f097047d285 |
| SHA256 | 8490ac2e65155e5b95d55427314adbe4179765627b790fdc2696bf6311613d0c |
| SHA512 | 50fd9381eafd4589ccb5690471c06ed7c1d604452884bd67c3ba9fd0276dec848a724f6f3922cc47fc9afb473aeeb0bfd7282eb7b4e143731b4021972dc51612 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 18:43
Reported
2024-06-10 18:46
Platform
win7-20240215-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b819215f9d3f2b11eda97811ddf7e2ac344dabe7773f4427409bca8c9c75168.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b819215f9d3f2b11eda97811ddf7e2ac344dabe7773f4427409bca8c9c75168.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b819215f9d3f2b11eda97811ddf7e2ac344dabe7773f4427409bca8c9c75168.exe
"C:\Users\Admin\AppData\Local\Temp\0b819215f9d3f2b11eda97811ddf7e2ac344dabe7773f4427409bca8c9c75168.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 6a69bad9c4cb767f46effab75a5a220f |
| SHA1 | 31947098758bda938cb8a3fcd94aa5a4222c998a |
| SHA256 | 82c7b0a7128be0baacaf0dfe1f238edd051b9992ebf6d9458feda31a9a1a413f |
| SHA512 | 0035ebf1fe47164275ed39922a2e313a6d9a8044ff2e197e56caf0fc3a20fa9feaf78dc8e41933f776e2bb233321f714f91d973f1b26b4ba404fc93b2cc7c8f0 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 3592eb284c635fc18a8a1f163594e90e |
| SHA1 | e42399a58454e410055ce08409bb335ce4abf3be |
| SHA256 | a80f89ddd2ba8176e1249cd5a7eac71ceff7a4fed97d31eea9886754cd4ef3b6 |
| SHA512 | cff184da7fedfd9b1bba33207cb1bd3374dc5f2f43d27034d051ecd1893f43d7aaf886070d52fef8d651e31faf74bf837091fe4a3b3d7bfbaddedd6678d07169 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 5228faaf15e90b1f6465894bc57c6c90 |
| SHA1 | 9fa693eaa31b3cbafd0c86a0d23f078b1a17cd4c |
| SHA256 | f993a232da52f9aae910a41363c86cc56a5103da922ddf7c7749938c05f99178 |
| SHA512 | de721fecebbddea52095e60cb9f53ba8793f8ed9ca9d184b3a4172e1c7de2abb736d62645607e9766341d42ce820c85e33b8c5e92a7c9728ab2d18edd4ae720d |