Analysis Overview
SHA256
10618e26c22a6e4b8ba8974271dba06645af0acce87d30df757d5cee6fe2e031
Threat Level: Known bad
The file 10618e26c22a6e4b8ba8974271dba06645af0acce87d30df757d5cee6fe2e031 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 18:55
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 18:55
Reported
2024-06-10 18:58
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\10618e26c22a6e4b8ba8974271dba06645af0acce87d30df757d5cee6fe2e031.exe | "C:\Users\Admin\AppData\Local\Temp\10618e26c22a6e4b8ba8974271dba06645af0acce87d30df757d5cee6fe2e031.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/1732-1-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | dda0b45cfd1fbc4d8ed70fd558a48b68 |
| SHA1 | 77504e67633f7c2e98c41e2d5d6c7a83f7620cc4 |
| SHA256 | e7b66598328610ab1b697fe19695c39ebea3d37817f30f1832a9087adb569593 |
| SHA512 | a110fabe45f8cb95d8e7670f92cd271faeec6fb82059904736ac7ef50ba4effad30b506557aebd816fac2d27c7ec1af7ef8bb146b6305bd26f1250756e95a050 |
memory/1384-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1732-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1384-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 616e8cfc5ac170445d67ba77c2e9601f |
| SHA1 | fb01991ebd707b5efa30ddbd83313622e15d5092 |
| SHA256 | 12d9ed02509ddcd09d6976417e1494f6de0d9b58118811dc788a5d77877df87a |
| SHA512 | 4102f8c6fdc9fa5c2586a0b28cd04a2daf1c55c6fd208e33924bf84a1fc5a389d33c8f0472158536e60ecf2c08f74d1289ad279873b635681cb329f504bfc856 |
memory/1384-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2040-13-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e54a4b7a44940c99d6adeab3a2975be9 |
| SHA1 | 7ccfeb80bcc7878a36513e8819ba5c016487ab8e |
| SHA256 | 9397c3c97b021930e9f7fe1dca9dc0b3fd1072ad9a899fe0133c887b2da1e890 |
| SHA512 | 60795ab2b68244b957ab665a618f9dd8395b33c87c494fb538a556a14d5c7ede902373edc3bb3c55d57355144e1137ce0215f90ea470d2667c7580effab616c7 |
memory/2040-16-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3588-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3588-20-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 18:55
Reported
2024-06-10 18:57
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10618e26c22a6e4b8ba8974271dba06645af0acce87d30df757d5cee6fe2e031.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10618e26c22a6e4b8ba8974271dba06645af0acce87d30df757d5cee6fe2e031.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\10618e26c22a6e4b8ba8974271dba06645af0acce87d30df757d5cee6fe2e031.exe | "C:\Users\Admin\AppData\Local\Temp\10618e26c22a6e4b8ba8974271dba06645af0acce87d30df757d5cee6fe2e031.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2424-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | dda0b45cfd1fbc4d8ed70fd558a48b68 |
| SHA1 | 77504e67633f7c2e98c41e2d5d6c7a83f7620cc4 |
| SHA256 | e7b66598328610ab1b697fe19695c39ebea3d37817f30f1832a9087adb569593 |
| SHA512 | a110fabe45f8cb95d8e7670f92cd271faeec6fb82059904736ac7ef50ba4effad30b506557aebd816fac2d27c7ec1af7ef8bb146b6305bd26f1250756e95a050 |
memory/1276-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2424-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1276-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | e82beac254c9dc7501874dd5264de98f |
| SHA1 | 9a8856081e298cfba5e2109ba8a26621000ee348 |
| SHA256 | bc32e867542708c234bbc8ec891d4a27cc1438827c95a1eefb1d1c5821addf3c |
| SHA512 | dd40e6d660eee732ff1ffe62d93631fffad8e009e55a5a7f8e1a733cbc59439e3ae8e4cfdd4538919acf5ec8f738b3a4e20734ade18d925b7ac977c4c6402cb0 |
memory/1276-15-0x00000000003C0000-0x00000000003EB000-memory.dmp
memory/1276-21-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 443c8857725c18aa694397c4011ee6eb |
| SHA1 | c2c3fc0871820fe247e0be998223fc0d546e4df3 |
| SHA256 | badaab640f39afcfd5d95ba3a49f1bfc1a1f5370be8ccd0d0a17f3ac2fad9c9e |
| SHA512 | cfda10ed856ed9d9e89f41ad689c80e64decd740381be20cbb12181a28f3ba80b9415fcb88896ed82dea4daef4ffb1ac1b7d6ce1ddc31fafc0c7413de9e5c22e |
memory/1980-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/292-32-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1980-35-0x0000000000400000-0x000000000042B000-memory.dmp