Analysis Overview
SHA256: ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de
Threat Level: Known bad
The file ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported: 2024-06-10 19:07
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-10 19:07
Reported: 2024-06-10 19:10
Platform: win7-20240221-en
Max time kernel: 145s
Max time network: 147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe
"C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2328-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | a7f31a4455044935b61af7af119c39ec |
| SHA1 | a9e6bb3ade77fd041178f61c79c2445782d16daf |
| SHA256 | d7fc0e31f36dbd4b9feef2a2c644ebf3cea080f179370de88148fc8efd84b719 |
| SHA512 | 8350b14bde59b349940a53bd2e27581b3bb3d6b37b3d2749d81163fc16f75e401dc8dbae61f4462916cc02ca54c9644506e21c98d9527d4f32b3d844c894bab8 |
memory/2328-4-0x0000000000220000-0x000000000024A000-memory.dmp
memory/2328-9-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1508-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 8f79288573d94247985574dbd9418f0b |
| SHA1 | eb263b672f6afeb385ddf0e3a09c5b98915fbf40 |
| SHA256 | b1c62da4132ce2a471de4783a25a7a60b181e3cf9564090ed0c17cc1f68b0a3e |
| SHA512 | 4037c71f38dc550c6d3190f2ef39fcadbffbf56a9bc1e3d8b5a496b8ed9d4d27fb1140836dbf374d04d0c846369c7af9a6e065cbf45a0fdd9ae8d04521906701 |
memory/1508-18-0x00000000003B0000-0x00000000003DA000-memory.dmp
memory/1508-23-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | f165ed1e7f8dd8a31e76a225b4c4edfa |
| SHA1 | 4b5e777702a63900f62c70aef93db0007f2b7e1c |
| SHA256 | 4b24807e3017ca949d79dbb19f08746441aeadea4b348e58001c7a1ef5e94330 |
| SHA512 | 576bf902cbfee114a45e651927012d61fa157ef37f4490dff583f54094e11e483c96d1231bdcdc572610584d30608e47f8f7b2886dd5c5d175c99e7a9b8a30de |
memory/2288-33-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1648-35-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1648-37-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-10 19:07
Reported: 2024-06-10 19:10
Platform: win10v2004-20240226-en
Max time kernel: 141s
Max time network: 152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3148 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3148 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3148 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4896 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4896 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4896 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe
"C:\Users\Admin\AppData\Local\Temp\ec8b859f6e7e0ad553c484d1dabb1832feee70d0362e60fce49176d763c904de.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
memory/3148-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | a7f31a4455044935b61af7af119c39ec |
| SHA1 | a9e6bb3ade77fd041178f61c79c2445782d16daf |
| SHA256 | d7fc0e31f36dbd4b9feef2a2c644ebf3cea080f179370de88148fc8efd84b719 |
| SHA512 | 8350b14bde59b349940a53bd2e27581b3bb3d6b37b3d2749d81163fc16f75e401dc8dbae61f4462916cc02ca54c9644506e21c98d9527d4f32b3d844c894bab8 |
memory/4896-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3148-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4896-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | a6149556c69e4bc1a7eb37a045a3247d |
| SHA1 | 53395412a5cae54b4ee6fcf429153ba637d7f4ec |
| SHA256 | c48e3f8c9607ad4503cefa93a31849c51d993e54d59f48cceea6529364e65ab2 |
| SHA512 | c85b14210464c6eebb10f614a7f311b72d6c5ae589f4bbd50164534fd1ff5e35fc7e929a2560cd32e3b666a61b79c376ce6cad40fae2dc2bebf058534a1f7612 |
memory/4672-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4896-13-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4672-14-0x0000000000400000-0x000000000042A000-memory.dmp