Analysis Overview
SHA256
3fcf9b83fa55ac85dd107e09c533195a7a15e6f01fbf80462eb1bf331399a19e
Threat Level: Known bad
The file 3fcf9b83fa55ac85dd107e09c533195a7a15e6f01fbf80462eb1bf331399a19e was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 21:15
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 21:15
Reported
2024-06-10 21:18
Platform
win7-20240221-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fcf9b83fa55ac85dd107e09c533195a7a15e6f01fbf80462eb1bf331399a19e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fcf9b83fa55ac85dd107e09c533195a7a15e6f01fbf80462eb1bf331399a19e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3fcf9b83fa55ac85dd107e09c533195a7a15e6f01fbf80462eb1bf331399a19e.exe
"C:\Users\Admin\AppData\Local\Temp\3fcf9b83fa55ac85dd107e09c533195a7a15e6f01fbf80462eb1bf331399a19e.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2124-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 64fcae524ef7cedac8b6b21968d30cba |
| SHA1 | a21703406f1eef754293a4cf6e3b29c06ba85b09 |
| SHA256 | 684c585c216d78e5713e855a795c64260a5f7001df98c5cc4f819d5cad0de848 |
| SHA512 | 5c1cdfae28693b8db5e7ab4fff3db379a9d897f2833b65506ade0c335665f9b7803a49afa861a66a8e7c17f76e34b550f073453be8d9ce5b5cb9e978a8bffe9b |
memory/2124-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1200-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1200-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 908d2d5ebd228422f5513176d30f9f40 |
| SHA1 | 604e55618b996bd500266f058a0ef630a793252a |
| SHA256 | 9c59cad842a0b97983218cea3753222f4816b0f70aeb35ba42694c88695a9776 |
| SHA512 | d4e7e7f35022f75d10edb29800e565ed244c3b39f70f4707d5601864ea50a340af8537d3cd6fb46e61890ea0c60ed6a61a4fc2b00fbe8ac0b4bd1711bdf8b57f |
memory/1200-17-0x0000000000830000-0x000000000085B000-memory.dmp
memory/1200-23-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ae206c6883cb678581db18c21c37f453 |
| SHA1 | f41a9b509b29bf985e40a9a1ee4fc106ad66d113 |
| SHA256 | cf369c65f989340ee774694ed0c007de06ad86fef3a7ea0c7ff38681313c51bd |
| SHA512 | 3ef4c9bb487aaf216cc5bdeaf0ddd5e898a8e69f0759111d86e475f3eb04a08cbe0f48ace6bf4297421d5ed300edb2ba82180942647c7e091b63b3b6a7d341ff |
memory/1668-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1828-35-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1828-37-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 21:15
Reported
2024-06-10 21:18
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3fcf9b83fa55ac85dd107e09c533195a7a15e6f01fbf80462eb1bf331399a19e.exe
"C:\Users\Admin\AppData\Local\Temp\3fcf9b83fa55ac85dd107e09c533195a7a15e6f01fbf80462eb1bf331399a19e.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/440-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 64fcae524ef7cedac8b6b21968d30cba |
| SHA1 | a21703406f1eef754293a4cf6e3b29c06ba85b09 |
| SHA256 | 684c585c216d78e5713e855a795c64260a5f7001df98c5cc4f819d5cad0de848 |
| SHA512 | 5c1cdfae28693b8db5e7ab4fff3db379a9d897f2833b65506ade0c335665f9b7803a49afa861a66a8e7c17f76e34b550f073453be8d9ce5b5cb9e978a8bffe9b |
memory/440-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4180-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4180-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | f963ec15c8f3469b0af1d92d0a2678c2 |
| SHA1 | 896845b187a8ff2095c1ec5e88a26fe278da35b8 |
| SHA256 | 5da56afb71dc7f1ad3cbc725fdcfe17b749b927f190240711fe09d283e27c988 |
| SHA512 | 9c65be54ec0617b66f500688aa9e8e4412756a0bc0d986c2edc2b8b0752329408aa296dda55786be1c2a0334a6cc575a0d63960975d6b0cc3fd003a541146e55 |
memory/4180-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1220-13-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e7369ab4fcb33ce63ac72ad40c657e75 |
| SHA1 | 7c57cdb979b003da212d9dfc68472857af6c712b |
| SHA256 | acd99abad6386f0e9c0da099f73626befd1ff2e0c75b00bd347b3ffe09591bcc |
| SHA512 | 3b6b7ba3253abb451c117275c5032b69188aadc08a0b0c7fb21e9878cf84c0654d477e1bc9532ecefb1f78336694082f86ec9c7e54096bdfa25a2e86a5a67721 |
memory/1220-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1700-19-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1700-20-0x0000000000400000-0x000000000042B000-memory.dmp