Analysis Overview
SHA256
a97f4a8ee3c9463cd99a6a93940af4a837d1ae42e78152d955204e608958d3ea
Threat Level: Known bad
The file a97f4a8ee3c9463cd99a6a93940af4a837d1ae42e78152d955204e608958d3ea was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-11 01:39
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 01:39
Reported
2024-06-11 01:42
Platform
win7-20240508-en
Max time kernel
146s
Max time network
150s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a97f4a8ee3c9463cd99a6a93940af4a837d1ae42e78152d955204e608958d3ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a97f4a8ee3c9463cd99a6a93940af4a837d1ae42e78152d955204e608958d3ea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a97f4a8ee3c9463cd99a6a93940af4a837d1ae42e78152d955204e608958d3ea.exe
"C:\Users\Admin\AppData\Local\Temp\a97f4a8ee3c9463cd99a6a93940af4a837d1ae42e78152d955204e608958d3ea.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2952-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | 2f02efaf9dbe902fce0627c5c31c1728 |
| SHA1 | 8d2853c97643f98a4ea90b35ce3a5c174c0f9d31 |
| SHA256 | 66255081728d07099760e50b6d5f5842ecb00894d32ffc14fe6225bc8e68341f |
| SHA512 | 9b6d93312c8fc5a244a30678e9cc557d8ed96e06c8d3198ee1671156856f70b1288a2fcad51e90ae0afc4682f758d4bf67413788c4ce3460cd45cbf4bf82d0ab |
memory/2952-4-0x0000000000250000-0x000000000027B000-memory.dmp
memory/2952-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/496-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | dc5c95eb2cc4f0f770886df45b38709c |
| SHA1 | 009cf7158f0d20445dd526e6683005fb6ce4d0a9 |
| SHA256 | e6c2fa8351ca73532501faf050a2b9bf29126324915af5c33288b1e814ed6dfe |
| SHA512 | 37a1887f135913e1218022abcc53ecdb7d4494453d5d9c3e9cd36821e817269d8454ea07e149727bc114d8b754e27295c89bd81e8629ccde9cc86358a9106620 |
memory/496-15-0x0000000000470000-0x000000000049B000-memory.dmp
memory/496-21-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | 6f8a47ee665b5e8f35f0355de2192be5 |
| SHA1 | 29a75982d16972bd39d6254a0dd7614166a3b912 |
| SHA256 | 5b5a9d7187d938923388e1c3011ac48234f93323d72b55949dd358f01c6c02a6 |
| SHA512 | 06bcc1540a47e994eab417bb28e481d9bb34f3de9adc84eca9c03a68abe5dd451ed16f666c3673c81301305618438e16a6baaae9621c72e0dd5a43f5e5c67682 |
memory/2564-31-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2500-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2500-35-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 01:39
Reported
2024-06-11 01:42
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
140s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a97f4a8ee3c9463cd99a6a93940af4a837d1ae42e78152d955204e608958d3ea.exe
"C:\Users\Admin\AppData\Local\Temp\a97f4a8ee3c9463cd99a6a93940af4a837d1ae42e78152d955204e608958d3ea.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/4136-1-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | 2f02efaf9dbe902fce0627c5c31c1728 |
| SHA1 | 8d2853c97643f98a4ea90b35ce3a5c174c0f9d31 |
| SHA256 | 66255081728d07099760e50b6d5f5842ecb00894d32ffc14fe6225bc8e68341f |
| SHA512 | 9b6d93312c8fc5a244a30678e9cc557d8ed96e06c8d3198ee1671156856f70b1288a2fcad51e90ae0afc4682f758d4bf67413788c4ce3460cd45cbf4bf82d0ab |
memory/5052-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5052-6-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | bfbcaa7e5696504c751c703288ca3149 |
| SHA1 | e8e19c1710f3fa28ecded06d00aa2e676b77b23f |
| SHA256 | 436a1fafbd54179a109fd020babd9d54f366cf84effd7946d9479f0d1ec78338 |
| SHA512 | 77ea1475ad6fb62f0d4063935f323dbb2cd855f4d16d3eaef7fb527adafecd23a50fd86f238a10c5569ba2fae7d8098e1c7a402774afab2ab5a45f34bdc01a41 |
memory/5052-10-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1184-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | ca596c7558c8754339c2d9b080e191ae |
| SHA1 | 0d6403c4f1ede3652c347bf95c20dcedc0f219ce |
| SHA256 | ef60edc2ee5572983df26a71c80cf096040c872ebf37cd1fa4a683090feb3322 |
| SHA512 | 6d795648332d8042cf8511f9673947ec4087d1edb3ae8129c9a8b3212ba37a8d8400bf86ba1e883d2cc832deea49e1264d5905a2705aaea9f73d79c4a0cd484d |
memory/1184-16-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2552-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2552-19-0x0000000000400000-0x000000000042B000-memory.dmp