Analysis Overview
SHA256
16c3d1ef15507f44079bca27c4bdc4b75c7a460de84b1567bddfed5ff8bc2c3d
Threat Level: Known bad
The file 16c3d1ef15507f44079bca27c4bdc4b75c7a460de84b1567bddfed5ff8bc2c3d was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 19:09
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 19:09
Reported
2024-06-10 19:12
Platform
win7-20240221-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16c3d1ef15507f44079bca27c4bdc4b75c7a460de84b1567bddfed5ff8bc2c3d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16c3d1ef15507f44079bca27c4bdc4b75c7a460de84b1567bddfed5ff8bc2c3d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\16c3d1ef15507f44079bca27c4bdc4b75c7a460de84b1567bddfed5ff8bc2c3d.exe
"C:\Users\Admin\AppData\Local\Temp\16c3d1ef15507f44079bca27c4bdc4b75c7a460de84b1567bddfed5ff8bc2c3d.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 30b8beb2a565bceba6a3043f5c333a37 |
| SHA1 | 3b16ba678e6e9effa246643451d11e1064d01515 |
| SHA256 | a61e4e5ad6180c3acef4da08872419be4a1923b17834375459de40053d4ca296 |
| SHA512 | b2bec55fea63b9b79df887c2360ff892d542abe14cb130aff64268ca8fe6c377464454fba5e53796ab6f0c7f07172709771f4bd060b25f9f9d5e393269005429 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 7c20227215a71987ca31528890386d68 |
| SHA1 | 463a76f988f172a7784da8dd18ea66d24ab37294 |
| SHA256 | 7addf2cbaa7b3841cdb6688e63fd29a5a59987730e9027770ef52efb53178a21 |
| SHA512 | 545c741b37cf63b8577546b3d82482933231013b69b8af77fa312c8bee868a6584a54a7e7db0fbef60bad02017536d66402b097d628a64c851ef14703d9de4ad |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2ccdf09eb41b1423a910161c2372bf04 |
| SHA1 | 8f38b1d8896112da1d02730b0e39d64909388633 |
| SHA256 | 81b27457b3f25073695c49e9f40b68885a4af3076347864b8cde3a00557770ff |
| SHA512 | 6f5f70bf77079afc51ac4b3f1d1e3c857525704f5000c289b2f64187c4b8582c566e09600e32928c6453f94b1229168adbb599990d8a89a3c8b09497b6f955fb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 19:09
Reported
2024-06-10 19:12
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4372 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\16c3d1ef15507f44079bca27c4bdc4b75c7a460de84b1567bddfed5ff8bc2c3d.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4372 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\16c3d1ef15507f44079bca27c4bdc4b75c7a460de84b1567bddfed5ff8bc2c3d.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4372 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\16c3d1ef15507f44079bca27c4bdc4b75c7a460de84b1567bddfed5ff8bc2c3d.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 748 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 748 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 748 wrote to memory of 1020 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\16c3d1ef15507f44079bca27c4bdc4b75c7a460de84b1567bddfed5ff8bc2c3d.exe
"C:\Users\Admin\AppData\Local\Temp\16c3d1ef15507f44079bca27c4bdc4b75c7a460de84b1567bddfed5ff8bc2c3d.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 30b8beb2a565bceba6a3043f5c333a37 |
| SHA1 | 3b16ba678e6e9effa246643451d11e1064d01515 |
| SHA256 | a61e4e5ad6180c3acef4da08872419be4a1923b17834375459de40053d4ca296 |
| SHA512 | b2bec55fea63b9b79df887c2360ff892d542abe14cb130aff64268ca8fe6c377464454fba5e53796ab6f0c7f07172709771f4bd060b25f9f9d5e393269005429 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | dc58b3c20e4420d4c2b9794a6f112025 |
| SHA1 | 9c1f165dea5f431757b198cf37885106ef9804e1 |
| SHA256 | 8edee621c6956bef4286436ae9c8c8d46bad5dd484498438ba2a340f57e0e8dc |
| SHA512 | f3d9e04e33273da1ef121cdcfdee6ee06d1691263a51ebf98dcc4d344cd4ed4ea04654581fbb574e4634b3ac8ce3fe76395118ce8f1fa5186952fe19500300dc |