Analysis Overview
SHA256
be6acc16e2773a24c7b73ad6516344dfc53e65a6dd056251d0f73291609fa216
Threat Level: Known bad
The file be6acc16e2773a24c7b73ad6516344dfc53e65a6dd056251d0f73291609fa216 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 02:40
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 02:40
Reported
2024-06-11 02:43
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be6acc16e2773a24c7b73ad6516344dfc53e65a6dd056251d0f73291609fa216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be6acc16e2773a24c7b73ad6516344dfc53e65a6dd056251d0f73291609fa216.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be6acc16e2773a24c7b73ad6516344dfc53e65a6dd056251d0f73291609fa216.exe
"C:\Users\Admin\AppData\Local\Temp\be6acc16e2773a24c7b73ad6516344dfc53e65a6dd056251d0f73291609fa216.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f43256e5074796a53679f875cbfaa3d7 |
| SHA1 | 72201a6ef9b36e9d4b11d75714f06c17b397cb92 |
| SHA256 | f75951390628255f789f81d76f3838d3253db24951e1134b75bc2b20698a666c |
| SHA512 | 02557ee78c07386180c7a952c0636ba4ba77b0e2c84efd8f8ec5267f2e73b7bea7b10466289dd3fe383862dffbf655dcdea58fcd895cf5923919d4d03957e91d |
\Windows\SysWOW64\omsecor.exe
| MD5 | 513297c5bcb4cd6e9e1c7bc0e5b3db4e |
| SHA1 | 661d276a136afebb119fa677c30e276fd431f25c |
| SHA256 | 077b48de44d0d7681e9b2782c17db1f38a24aa97918adc24d19c0221559b7d0e |
| SHA512 | 2a793f26c5678c494ba161a6a557dae76e58bd0385b551a81c57eb63389f4409dcf7f57ac926e84717693677a70330467035cefea063e5ced71371cd7cb93f5f |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 53c38249cf9843df852a61f1aae439d7 |
| SHA1 | 6b2d4f104a8e007463defb23385a8ad42c45ea7a |
| SHA256 | 7a74c6190c66ac00b5b0956b79eb3140bd9884f8e8b5657c9e511e2d9bc09b6c |
| SHA512 | 924d6593fb50c14062d2fb4d97bea2e8248eb12d05e7d539a8440b4b344d0cb4de521b98a3020ae48e9277163986c9956289cd5dd137510bdece240aacf35b47 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 02:40
Reported
2024-06-11 02:43
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be6acc16e2773a24c7b73ad6516344dfc53e65a6dd056251d0f73291609fa216.exe
"C:\Users\Admin\AppData\Local\Temp\be6acc16e2773a24c7b73ad6516344dfc53e65a6dd056251d0f73291609fa216.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 6.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f43256e5074796a53679f875cbfaa3d7 |
| SHA1 | 72201a6ef9b36e9d4b11d75714f06c17b397cb92 |
| SHA256 | f75951390628255f789f81d76f3838d3253db24951e1134b75bc2b20698a666c |
| SHA512 | 02557ee78c07386180c7a952c0636ba4ba77b0e2c84efd8f8ec5267f2e73b7bea7b10466289dd3fe383862dffbf655dcdea58fcd895cf5923919d4d03957e91d |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 3806ac3d8e9eb28a833053da9f7155f1 |
| SHA1 | c312decb8faa7072e86d2edfaa64ec28ca78b9bd |
| SHA256 | 92078e6c05dbfa7d94683d52bd3b0207cf667aecdd752f1b75e0991d052626f1 |
| SHA512 | e1a49d37d40d5e17b80d4a178feabd3bf02e2f492cdbb5798e17ebbb73857fd203df7f9c01f89312fdd771b604845a0645bbbf4c20dbdf11a7744359960e83c9 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | fd2d8ca95d3bdcf248481228c8bd32b4 |
| SHA1 | 7ef2cda042c2aed1fcecef515ec3306c038bd50c |
| SHA256 | 7d5c6c13e77d5b48e9f7ae7f33a6904af14bf01f441526e464e06d0b5f9c553f |
| SHA512 | ed5cc7edbb563dc5f6f0286685ab965f602e83bd92d4f0106c14ed3c2fa75d0169bc6abd1a34b1764fcc7e20c726dfc24f7da56057740965b5c4475a2eed4e7b |