Analysis Overview
SHA256
d52b9c1543034306fe6b394e21fbaa4bfe5cc0ccaba17514ae518700be3b9d9a
Threat Level: Known bad
The file d52b9c1543034306fe6b394e21fbaa4bfe5cc0ccaba17514ae518700be3b9d9a was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 03:43
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 03:43
Reported
2024-06-11 03:46
Platform
win7-20240221-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d52b9c1543034306fe6b394e21fbaa4bfe5cc0ccaba17514ae518700be3b9d9a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d52b9c1543034306fe6b394e21fbaa4bfe5cc0ccaba17514ae518700be3b9d9a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d52b9c1543034306fe6b394e21fbaa4bfe5cc0ccaba17514ae518700be3b9d9a.exe
"C:\Users\Admin\AppData\Local\Temp\d52b9c1543034306fe6b394e21fbaa4bfe5cc0ccaba17514ae518700be3b9d9a.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2232-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 23348e0544f48e986d072884c823944e |
| SHA1 | 3f90a837cdb1ccc8e9e95dba81c928e1b7541607 |
| SHA256 | c24ad1bd615b80a14109e144881b5282fe2bd1c01ecd0278dae02be9f451d82f |
| SHA512 | 0d7ed9504dca804262ff15893dc8614876bdfc51c4de14c6635a8b3ce38ad5def3f691d54e7167c1d30e611a4f1affc0ab2620d48d466e8df5a5a6f7d11e0c72 |
memory/2232-4-0x0000000000220000-0x000000000024B000-memory.dmp
memory/2232-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2968-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 891d5e49bc14929c7324e6fe8d12b793 |
| SHA1 | b46b03476624aedebf28431b11186d47b59a01a2 |
| SHA256 | 325606f5145130af010ab9203b53323cfe5c0e8c945695c50b97dcce94479030 |
| SHA512 | 33da9d0e6ff7a2e4b01630b3ef01f78efb038bcc9837b157e2f36731f51c3139efdc53b320975d1f3756583ca4f7d34b5c59e4f0c7c7fa1d7692b350ebfbd49a |
memory/2968-17-0x00000000003B0000-0x00000000003DB000-memory.dmp
memory/2968-23-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3963a4a61cbd9c0ea4fcd6d0b4ba3ac0 |
| SHA1 | 71f7415450b8b2d59206e5c06886b3c9335b4ae8 |
| SHA256 | ef28d616b4af265c5e2026d64334bd13ccb041c2ec8b1509884523dc9d4236c4 |
| SHA512 | 12a914151e1d3ffa8bf8a0420818b7c407dad2a833c737ab3efcdaf8340f33a5a81efb3f61c061089dfb04f1270f6ad954aaeba04766d29684fee0d6d0168416 |
memory/2416-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1988-36-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1988-37-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 03:43
Reported
2024-06-11 03:46
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
140s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d52b9c1543034306fe6b394e21fbaa4bfe5cc0ccaba17514ae518700be3b9d9a.exe
"C:\Users\Admin\AppData\Local\Temp\d52b9c1543034306fe6b394e21fbaa4bfe5cc0ccaba17514ae518700be3b9d9a.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/372-1-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 23348e0544f48e986d072884c823944e |
| SHA1 | 3f90a837cdb1ccc8e9e95dba81c928e1b7541607 |
| SHA256 | c24ad1bd615b80a14109e144881b5282fe2bd1c01ecd0278dae02be9f451d82f |
| SHA512 | 0d7ed9504dca804262ff15893dc8614876bdfc51c4de14c6635a8b3ce38ad5def3f691d54e7167c1d30e611a4f1affc0ab2620d48d466e8df5a5a6f7d11e0c72 |
memory/2944-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/372-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2944-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | ddc3099d42bcced96590c187dd78af8b |
| SHA1 | 5ca68354f018d9f771f7ff38a2f18986dcedbe89 |
| SHA256 | f13984687a927fe496688e0124e4ea44ac1c370caf93ebcf31e6a42bcb2bf60b |
| SHA512 | 2ad002cd2dd2578c4c5420450fe5f26a5d8d4c20033d22587303497fa14e417639ba3afcab1ba13feb71283969acebb604daa03bc7ced5bc6e1cbd2942a66fac |
memory/2600-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2944-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 846a64e6f8f8dcb527087de205a3abee |
| SHA1 | e22e725b70f1b2903ab6643496c8e2debdef3985 |
| SHA256 | 3e124bb10759bc2211848476b4cdf0eaef0d81bfc95ad84aed6ffd48e02efa74 |
| SHA512 | f6aec62859441a79954bfb82490d26728024d55efc2fc789da8dc5c81861505e6d6cf0d4fe5f3be76867d13ff6f18bffb4deb8a19882034625f3b29e991cd013 |
memory/2600-16-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1376-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1376-20-0x0000000000400000-0x000000000042B000-memory.dmp