Analysis Overview
SHA256
23f1cc2a85f5d3d8477e30bb590f49a5cad85e6852013aafe3fd3956edb6daec
Threat Level: Known bad
The file 23f1cc2a85f5d3d8477e30bb590f49a5cad85e6852013aafe3fd3956edb6daec was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 19:44
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 19:44
Reported
2024-06-10 19:47
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23f1cc2a85f5d3d8477e30bb590f49a5cad85e6852013aafe3fd3956edb6daec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23f1cc2a85f5d3d8477e30bb590f49a5cad85e6852013aafe3fd3956edb6daec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23f1cc2a85f5d3d8477e30bb590f49a5cad85e6852013aafe3fd3956edb6daec.exe
"C:\Users\Admin\AppData\Local\Temp\23f1cc2a85f5d3d8477e30bb590f49a5cad85e6852013aafe3fd3956edb6daec.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
Files
memory/3016-1-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 87a76cd035092ba6167c1f7a0dc3f429 |
| SHA1 | 2d2467c570c9a4e55be26689fa6294d89e101f93 |
| SHA256 | 135cd542cbd81dd60f6e2aac0ff93c83a63aaf963b7b892372ab182eb012a60c |
| SHA512 | 3f680a87322fadcfa4befbd8239d9d610eb30e08f6237d456e56685f0715becefe4ba2eebdd9e21ac6b5b5e9373dd5e15224a3cd2b79c03f4e7c580d852ffc38 |
memory/3004-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3004-11-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 077e4f5c91be8709ebf5604183ba5148 |
| SHA1 | 009a855ed77aa0e539c148826bb7ca878b88f9a8 |
| SHA256 | 55b727f3670d5ca8c7485785f68ddaec1056076a98c6b8afa2b840e309a6ca34 |
| SHA512 | c98d600b79d424eb2b5dcd6241f938421b502a16dea4348a43dab7518243f3b9c5c68c735d9912d63fa895db136b996a57885e72d148b260e2a8f9ab3013714b |
memory/3004-14-0x0000000001F70000-0x0000000001F9B000-memory.dmp
memory/3004-20-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 41c3a55114501f7d982c4d7aa7f20d39 |
| SHA1 | b3a6d54b9ecb063a41dcbdb9d7a695f87b2e1752 |
| SHA256 | 5d454c64511713a03dad1b4eb42c24e4d39d2cf4aeb90d9a9ed4240f8a1836b8 |
| SHA512 | 84910586179ba7cbed39a93bd0b6d8127a77d02b05a8051a4645695a21982db58e7d91d0de4c626ad88fb8601b3cace57c4d88417a929bf6ffcc3521031ab003 |
memory/1616-30-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1756-32-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1756-34-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 19:44
Reported
2024-06-10 19:47
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23f1cc2a85f5d3d8477e30bb590f49a5cad85e6852013aafe3fd3956edb6daec.exe
"C:\Users\Admin\AppData\Local\Temp\23f1cc2a85f5d3d8477e30bb590f49a5cad85e6852013aafe3fd3956edb6daec.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/4920-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 87a76cd035092ba6167c1f7a0dc3f429 |
| SHA1 | 2d2467c570c9a4e55be26689fa6294d89e101f93 |
| SHA256 | 135cd542cbd81dd60f6e2aac0ff93c83a63aaf963b7b892372ab182eb012a60c |
| SHA512 | 3f680a87322fadcfa4befbd8239d9d610eb30e08f6237d456e56685f0715becefe4ba2eebdd9e21ac6b5b5e9373dd5e15224a3cd2b79c03f4e7c580d852ffc38 |
memory/4920-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4040-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4040-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 0ff6be9a80ec7f52f0435f46f1cf5fec |
| SHA1 | 9c93d4adff66d672bf6fb49e6ae85f684d489058 |
| SHA256 | a7b12c121500e541625347c3fbf93b48404d0a801c451d1a124f69c562bae906 |
| SHA512 | 8556c3f0577ef90d80a2776ed2d4cb1280b1e9a6c4b179250a062f1aa87a3af8dd750d76217ece7b25ee2e365c8a595f7e6e36e17afbf742c4158f46141a7176 |
memory/4040-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/424-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 3d1a464b03e6994317a1c32d6b364efc |
| SHA1 | 5af03ef9e2df9199c45e0a8e329884f63c99d821 |
| SHA256 | 42312a0c61c6ce992189e0ce1486163bbfcd4efca27be7cced3d41eaef573dd8 |
| SHA512 | 0bc3b8339a71a6b8c05f6d70f9609cc0dfba52c6a4df817a139f8efdca83bda9bf9f51505fbf69b0b9fb55901fe2817436d7fb74f49bfd9afdca9c3bad07fedb |
memory/424-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4136-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4136-20-0x0000000000400000-0x000000000042B000-memory.dmp