Analysis Overview
SHA256
72a38dd42ae3f95b58baad3aa0c9f071e3759f9d6b848869e4d5ac0f293d7f99
Threat Level: Known bad
The file 72a38dd42ae3f95b58baad3aa0c9f071e3759f9d6b848869e4d5ac0f293d7f99 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 23:30
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 23:30
Reported
2024-06-11 23:33
Platform
win7-20240215-en
Max time kernel
131s
Max time network
141s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72a38dd42ae3f95b58baad3aa0c9f071e3759f9d6b848869e4d5ac0f293d7f99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72a38dd42ae3f95b58baad3aa0c9f071e3759f9d6b848869e4d5ac0f293d7f99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\72a38dd42ae3f95b58baad3aa0c9f071e3759f9d6b848869e4d5ac0f293d7f99.exe
"C:\Users\Admin\AppData\Local\Temp\72a38dd42ae3f95b58baad3aa0c9f071e3759f9d6b848869e4d5ac0f293d7f99.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/844-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | cba0ec757caf583015b3c5c5bb4db7d0 |
| SHA1 | 7132f28e3c06f8746c30d89eaaa2de520ddd25a0 |
| SHA256 | d7548cf72a050bc99fda08236265249c9a36f309ad52619c1d3e43bc1aab2f58 |
| SHA512 | 22743e8a6256c8d1ce90c18153bdfb7f53c0cee467fdf4e0e30be4247fb21de093477bc80cf1cc837eb27dc86edad7d009617fc2120e6d1364420365257838af |
memory/844-9-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2260-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/844-4-0x00000000002B0000-0x00000000002DA000-memory.dmp
memory/2260-13-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 86f346254d16376eac05cb34036a7551 |
| SHA1 | f3720e765215ffb30c20f5d2e7c35c21d857d86e |
| SHA256 | c4fef0af764559e3e29a5fab72f57ed42d45bb027cd03ca2633aaa7f52f0d6ae |
| SHA512 | 644f4e25d17cb756ab623e88d7eba75c93c465d232f9e87a5746ae78c1689cc2e11aa3eecd84e4e13c5bc07da65b35108e8e036553af889e1b23d7ef4ac90191 |
memory/2260-16-0x0000000000500000-0x000000000052A000-memory.dmp
memory/2260-22-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1432-24-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 069eac3d15f8b3bfbe7cff8b09bd8ca7 |
| SHA1 | 4276f5471fd98a2082fb001dc8c1b9e80c6daa5a |
| SHA256 | a0a24a98c12f2132c7c1835dfab4597681ef5fb803dfc4b446d548a67689b497 |
| SHA512 | aeee4d49f9d21cbe742e18b03a8afd4981125d487f14a1b93a0360ea46971529fa3b6784c9f1461d9f63e7b3053b651c6dc0751a7a6029560acd88ff197c2280 |
memory/1152-35-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1432-33-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1152-37-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 23:30
Reported
2024-06-11 23:33
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
158s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5112 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\72a38dd42ae3f95b58baad3aa0c9f071e3759f9d6b848869e4d5ac0f293d7f99.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 5112 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\72a38dd42ae3f95b58baad3aa0c9f071e3759f9d6b848869e4d5ac0f293d7f99.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 5112 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\72a38dd42ae3f95b58baad3aa0c9f071e3759f9d6b848869e4d5ac0f293d7f99.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1972 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1972 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1972 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\72a38dd42ae3f95b58baad3aa0c9f071e3759f9d6b848869e4d5ac0f293d7f99.exe
"C:\Users\Admin\AppData\Local\Temp\72a38dd42ae3f95b58baad3aa0c9f071e3759f9d6b848869e4d5ac0f293d7f99.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3980 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
Files
memory/5112-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | cba0ec757caf583015b3c5c5bb4db7d0 |
| SHA1 | 7132f28e3c06f8746c30d89eaaa2de520ddd25a0 |
| SHA256 | d7548cf72a050bc99fda08236265249c9a36f309ad52619c1d3e43bc1aab2f58 |
| SHA512 | 22743e8a6256c8d1ce90c18153bdfb7f53c0cee467fdf4e0e30be4247fb21de093477bc80cf1cc837eb27dc86edad7d009617fc2120e6d1364420365257838af |
memory/5112-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1972-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1972-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | de5f1175080fca35673cd99844707807 |
| SHA1 | 69d1764304dcc73ff66a8851b42616c7bd1ee12c |
| SHA256 | e9232b03f830a8a6d05f7800d51c7920c472e4178b5755d076a6eb6923ae57ea |
| SHA512 | 23c9b0084259d13bb3ac48a4456c235ccb03a4db30973852df8fcd27b6a34566e4e22dbf346ec0386626babaf7cd4586b4c1e650d629c76556c7b228dde7af33 |
memory/1644-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1972-13-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1644-14-0x0000000000400000-0x000000000042A000-memory.dmp