Analysis Overview
SHA256
10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149
Threat Level: Known bad
The file 10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 18:47
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 18:47
Reported
2024-06-11 18:50
Platform
win7-20231129-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe
"C:\Users\Admin\AppData\Local\Temp\10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b3fd6e181cebe1dd4193d3b79c86c467 |
| SHA1 | db25371e4788bb7db90a8a54ac5ceebe20995ae2 |
| SHA256 | 0f671a41ff777b720c73b4d9c0441b3c15078c57b66e01d426f31782a7a6b308 |
| SHA512 | f241dba4671ad953efbaf9e3f6a3f215d8677cde76d4e34ff6c80422bfaa8c74c3c27de96f9819bb3f349949d081eb3a7a04577ce881263ca55b456aaa9b896f |
\Windows\SysWOW64\omsecor.exe
| MD5 | 230fadc47690357045e08649181b138d |
| SHA1 | 1f5bf6e41374f160f29b4df3a406b6a6de5cf821 |
| SHA256 | 081c1b8888561242779a54b9c40b40ca651397af13a3ec956e06b6bc8348ddc1 |
| SHA512 | 69c595e92eeef7d35790682714ba42d8225439637726e3a1fe9714a76f6ad9258dae9df6b9ea59f47f67fbe2b4ad11f2958db0a618bd68e8b0fd8deefcbcd7f6 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ba2936b326c2e7f69a66fed9f2f56330 |
| SHA1 | 38c53f53467334f9121eb937650257cff0adaddb |
| SHA256 | ad2a5cc561e3697e25b392f39e4b4e1010e661104304270deabbc1f0bed0d47f |
| SHA512 | 997597328d659f50b2122f2f16faaff8c4703f68721565df03e0687e30eddf54d680d2900bd241e3547fc5981214a1adeb95815ebac9b6070df8c72a9c41dc9d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 18:47
Reported
2024-06-11 18:50
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe
"C:\Users\Admin\AppData\Local\Temp\10be9207f89cbc7d808698723e9bb229e63f354d3a53b962c97de3a5689a7149.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b3fd6e181cebe1dd4193d3b79c86c467 |
| SHA1 | db25371e4788bb7db90a8a54ac5ceebe20995ae2 |
| SHA256 | 0f671a41ff777b720c73b4d9c0441b3c15078c57b66e01d426f31782a7a6b308 |
| SHA512 | f241dba4671ad953efbaf9e3f6a3f215d8677cde76d4e34ff6c80422bfaa8c74c3c27de96f9819bb3f349949d081eb3a7a04577ce881263ca55b456aaa9b896f |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 207fdb907fbc0347524dce90fd1bcbb5 |
| SHA1 | 51279480b87ec471364feb87b26b952d6c939293 |
| SHA256 | 961dacc669f1285684e922f143a29421eae358004ed29663ec9d07c3a453fbca |
| SHA512 | 24ecf734f3c35893721e7b3c873b200ddc24b28f212a0da15f4d357c514a1df1cd5ecee159217c2e468598685f40fac87b9a3b2f9f00df6cc47afe11dc9bda24 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2b6c88eb7a82e1f703479e44cfb3d227 |
| SHA1 | a408423b20adf32effe720a89734aa95f76ef4e9 |
| SHA256 | f2a5fe8bbaabda177db944f5c9f513b1621cee0d033272732d1d25b371ba9e4e |
| SHA512 | d90630eb73a005d007e7f6260e042125e034005371807a63ec9d5a268c848c614d27a149e025553e81b83a7bab2f171dd0b5cd767b0817b2641e371f98afaf6c |