Analysis Overview
SHA256
9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2
Threat Level: Known bad
The file 9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 20:10
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 20:10
Reported
2024-06-10 20:13
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe
"C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2164-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 58e01bfc03818031d0271bdb7fe809f0 |
| SHA1 | 5743d43a2568a37d7cc92313755fa539992db91d |
| SHA256 | 01a4e5ecca0621a1e8e3dfe028dd808259b75b2a10879a739e3508f67dbd4894 |
| SHA512 | 6882f74757932669e8e4a550cc4ee012463c599da044d71a48dc23c43f33335996bf7e5c50b2b93e596efa34b1c8afcfc755481a0c510948b6f6676cdf628373 |
memory/2344-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2164-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2344-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 30b0b1b3d9d1b048dab91fc39fb0de7b |
| SHA1 | 0f3bb3b0a3d89b040705956d959a7ac512e5425a |
| SHA256 | d355bf730c82496c46c145e5c62ec31d5abda4c23d1514844037b5a70febacdb |
| SHA512 | 4d03a4c59285be08823a93ce9a7d21b730fbb7c8f381d06497ec2a3fe64abe3cadfe132936e02b872b90fe0d869a3bb393acb15a57566d6ade02dbec4346e779 |
memory/2344-15-0x0000000002200000-0x000000000222B000-memory.dmp
memory/1880-27-0x00000000003C0000-0x00000000003EB000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 70163136690aab5837a8c95997d8cf01 |
| SHA1 | c4a367b2207b88e30992ba4129425f858bb7f0c0 |
| SHA256 | 6864438f75c36cc61c671c1cdf297483f8ac9e4118304a2e6ff11d348af5fe77 |
| SHA512 | 8bd84d9573239e23920b56db02eadf442fc1fff03176c8a0f6883fbb768452becc35d3733234e44e35f4379d6e0ec11a1b7f94f7a0a82d72aabdfc557d788f27 |
memory/2344-21-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2328-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1880-32-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2328-36-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 20:10
Reported
2024-06-10 20:13
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
140s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe
"C:\Users\Admin\AppData\Local\Temp\9e1112f01b82a5708f20b7d62ee1238bb6ed0c8a9d6f827314b760d3b9c426b2.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 58e01bfc03818031d0271bdb7fe809f0 |
| SHA1 | 5743d43a2568a37d7cc92313755fa539992db91d |
| SHA256 | 01a4e5ecca0621a1e8e3dfe028dd808259b75b2a10879a739e3508f67dbd4894 |
| SHA512 | 6882f74757932669e8e4a550cc4ee012463c599da044d71a48dc23c43f33335996bf7e5c50b2b93e596efa34b1c8afcfc755481a0c510948b6f6676cdf628373 |
memory/2908-2-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3284-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3284-6-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | f18464a55107b68618bbe7739bffe046 |
| SHA1 | cafeab73729d31509f4acc2d4d349945be1c55fa |
| SHA256 | 8d4ef4d898397462a7ac30be6a379f379f95232a6c8471ba3d65210146d1bc4c |
| SHA512 | 14b1356e6efa817c06ac603d1105041855c12d3b8922993438b7d8c4aa070a69dcc3c9fafe5c1698b24a36ada306b22e92cc06212334919dba6c8599eb5fa144 |
memory/3284-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3352-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | cf1f02994558939c6d24187d12d39798 |
| SHA1 | 00b81f1b7a1412e8e29b07471836b674abaf5bad |
| SHA256 | 6cf7f7ab907937b366a5d9bfce22277d179deb750025eb5e74ffa681d4721048 |
| SHA512 | d7fba2f6af04a2a07cf81893dfe0a0fd3152a243d8cbd63b36da7df3517ef9b2ae6ca1453bf9249b632437a9349ae3320564d555613faed9f0b826f23cfdfe51 |
memory/1400-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3352-16-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1400-19-0x0000000000400000-0x000000000042B000-memory.dmp