Analysis Overview
SHA256: 0d8e010b3e9b96b1814f72e86e70f6570fe56eea03f8f760c6f4cd3c91e5a984
Threat Level: Known bad
The file 0d8e010b3e9b96b1814f72e86e70f6570fe56eea03f8f760c6f4cd3c91e5a984 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-06-11 18:40
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-11 18:40
Reported: 2024-06-11 18:43
Platform: win7-20240508-en
Max time kernel: 146s
Max time network: 149s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8e010b3e9b96b1814f72e86e70f6570fe56eea03f8f760c6f4cd3c91e5a984.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d8e010b3e9b96b1814f72e86e70f6570fe56eea03f8f760c6f4cd3c91e5a984.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\0d8e010b3e9b96b1814f72e86e70f6570fe56eea03f8f760c6f4cd3c91e5a984.exe | "C:\Users\Admin\AppData\Local\Temp\0d8e010b3e9b96b1814f72e86e70f6570fe56eea03f8f760c6f4cd3c91e5a984.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | 889e9bb64da97cfbbc93e1f51ae5af47 |
| SHA1 | 5d84f03def568f49bd916813ed74092c17173e1b |
| SHA256 | 6599247005b28f97246baab457ca3e5294cb55512cf36caa5cc936bc5ad50280 |
| SHA512 | 553c3289f5e6c81251fb7f954ff4b6d8c71d969d8250d2070cfe74b14aa0e34cf48989edb5fb715e65767b33c967f77fbf535f14a41ca8d63b30613a72212e8d |
\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | 46eb9a411480fc1eb16c23ac476f4715 |
| SHA1 | 7ffe21c8b217c6187386fe0eb279c19650466993 |
| SHA256 | a797387cf1c2e71ca8400d1ab6a6f309a87c7159f2a8c6a4d00144278e32e848 |
| SHA512 | a187a802d92324508188f996f5e67a63f7d9cebdb20b6b907e6d25433b08a8436c41d7801e85643fcf765df61247b483a53b9b1826a477b9ab01c7dd470f932c |
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | 5079f95d85a95a003f35ea28e5fcf283 |
| SHA1 | 4edd40598b2eb0f34fcf42686219b74213877d4e |
| SHA256 | 565fa820c51ccd835861cd25d11ea2fb30a23105c420d49803056425a33e8ff8 |
| SHA512 | fdac16cecd05d252cc14f7f10ece8af3c4e50ad4b37b4aca5a1c6b361f0a499dca368f6ce038b4aacec2fb5e2b9bd870d65a8aa6e510aa9996650dcaa74bc9bf |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-11 18:40
Reported: 2024-06-11 18:43
Platform: win10v2004-20240426-en
Max time kernel: 146s
Max time network: 150s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2560 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8e010b3e9b96b1814f72e86e70f6570fe56eea03f8f760c6f4cd3c91e5a984.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2560 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8e010b3e9b96b1814f72e86e70f6570fe56eea03f8f760c6f4cd3c91e5a984.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2560 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8e010b3e9b96b1814f72e86e70f6570fe56eea03f8f760c6f4cd3c91e5a984.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3272 wrote to memory of 3120 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3272 wrote to memory of 3120 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3272 wrote to memory of 3120 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\0d8e010b3e9b96b1814f72e86e70f6570fe56eea03f8f760c6f4cd3c91e5a984.exe | "C:\Users\Admin\AppData\Local\Temp\0d8e010b3e9b96b1814f72e86e70f6570fe56eea03f8f760c6f4cd3c91e5a984.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | 889e9bb64da97cfbbc93e1f51ae5af47 |
| SHA1 | 5d84f03def568f49bd916813ed74092c17173e1b |
| SHA256 | 6599247005b28f97246baab457ca3e5294cb55512cf36caa5cc936bc5ad50280 |
| SHA512 | 553c3289f5e6c81251fb7f954ff4b6d8c71d969d8250d2070cfe74b14aa0e34cf48989edb5fb715e65767b33c967f77fbf535f14a41ca8d63b30613a72212e8d |
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | e301cb3873c2638ee9ffd16c4c0567dd |
| SHA1 | 30cf9d0f7383c611d943a820a2b1185673c57fd1 |
| SHA256 | 33ca73575ce8c8963bc8c67bcf9e0219ad8127bc251ea970aab75352d9f66797 |
| SHA512 | 216b08dfc491e56aae60ec130ea598a682a7133c75a8a1183cdef9b90cc57ac3bde819d47c37ec91ef9ea8eaaeff49eac7f0637409bdc6f0f3784127649a62f7 |