Analysis Overview
SHA256
9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc
Threat Level: Known bad
The file 9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-12 01:48
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 01:48
Reported
2024-06-12 01:50
Platform
win7-20240611-en
Max time kernel
123s
Max time network
132s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc.exe | "C:\Users\Admin\AppData\Local\Temp\9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
The third process is started with a System32 command line but its image is reported under SysWOW64. For a 32-bit process, WoW64 file-system redirection maps C:\Windows\System32 to C:\Windows\SysWOW64, so both paths name the same file; the same redirection is why the "Drops file in System32 directory" signature lists its target under SysWOW64.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ee44d11aa472fc8a0086db8eaea795a6 |
| SHA1 | 37de46571323c39ef5685e6da7e4bc140b4cabe6 |
| SHA256 | 24bb862aaea4f3b147b0fb878137cf9f8e23d8ace61f90404cc728de2f51a5f1 |
| SHA512 | 2de14385f3da92de48fc819774ff67e6c163db508969bb0d3bd6a087831699ce756fc1da4f89c2f57d2fb011fd19c8cc5e2831e36318ee13f9de40d01eadb693 |
\Windows\SysWOW64\omsecor.exe
| MD5 | d828c8c0728366d9858377d7eaeac6d2 |
| SHA1 | e0cf73168935a2e28c882a87dad33affbb691883 |
| SHA256 | abb41b010f6639bac0813e74e50a3c3ca174f9576e26d98d1e3edc93d27d308f |
| SHA512 | d85e2c434919be1c6358e2a41d1fa1be405edaed3ecb403c917e9e3ea4a8745f4224719e0984053aa9cd2a67d2f179b5f69b6a53f2e80a2f03655716bd795cdf |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 10f147d4e162cedebe5c66ececa51301 |
| SHA1 | 5eaeb67e342c00698c68d64ca9651f23c9bae5b3 |
| SHA256 | 9891c3e45be79b691e0febe524c692255eee06aea657582a0100e2e6f45aa3e4 |
| SHA512 | b334e86e889d2c07ff86563d94949de44b1ffa62439548d67b931b5003d90ca2fa042697f07b6dd83ba9b5131e567499eb069fdedf2cd682067c6d3da8b19dc0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 01:48
Reported
2024-06-12 01:50
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
139s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3204 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3204 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3204 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4912 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4912 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4912 wrote to memory of 1844 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc.exe | "C:\Users\Admin\AppData\Local\Temp\9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ee44d11aa472fc8a0086db8eaea795a6 |
| SHA1 | 37de46571323c39ef5685e6da7e4bc140b4cabe6 |
| SHA256 | 24bb862aaea4f3b147b0fb878137cf9f8e23d8ace61f90404cc728de2f51a5f1 |
| SHA512 | 2de14385f3da92de48fc819774ff67e6c163db508969bb0d3bd6a087831699ce756fc1da4f89c2f57d2fb011fd19c8cc5e2831e36318ee13f9de40d01eadb693 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | ab797641d0090986cc21f081307fbaa6 |
| SHA1 | 999a6054f1b47265a916b7a97dda7b565176438f |
| SHA256 | 828c5fff6ab2b8c9a5fb41e19904fa20a8e4a26c1c3835933d1dd64044c94e60 |
| SHA512 | 5fd75008f2b799170e06bae357af670243f46074c7ce59fbf697455460b5fd999d99bbb33d073b840df40fc0cf2a8cc69fb4c6cf4c8a7730e04a0e41edefb54e |
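The two behavioral runs above record the same chain: the sample writes omsecor.exe into the user's Roaming profile and runs it, that copy writes omsecor.exe into C:\Windows\SysWOW64 and runs it, each parent opens its child for a memory write, and the chain resolves lousta.net, mkkuei4kdsz.com and ow5dirasuek.com. The following detector is an added example, not the sandbox's or the sample's own code: it turns the hashes, paths, domains and the WriteProcessMemory relationship from this report into rules and runs them over constructed host telemetry. The event layout (a Sysmon-like dict per event, with the PIDs 3204, 4912 and 1844 taken from the win10 run and an explorer.exe parent and a benign notepad.exe row made up for contrast) is an assumption for the example; real sensors use their own field names and event IDs.

```python
"""Offline detector for the omsecor.exe dropper chain recorded in this report.

Added example, not the sandbox's or the sample's own code. It replays the
behaviour both behavioral runs above agree on: the sample writes
%APPDATA%\\omsecor.exe and runs it, that copy writes C:\\Windows\\SysWOW64\\omsecor.exe
and runs it, each parent writes into its child's memory, and the chain resolves
lousta.net, mkkuei4kdsz.com and ow5dirasuek.com. The event layout is a
constructed, Sysmon-like dict format chosen for the example; real sensors use
other field names and event IDs, so the parsing side is an assumption.
"""
import re
from collections import Counter

# Hashes and domains copied from the report's Files and Network sections.
KNOWN_SHA256 = {
    "9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc",  # submitted sample
    "24bb862aaea4f3b147b0fb878137cf9f8e23d8ace61f90404cc728de2f51a5f1",  # %APPDATA%\omsecor.exe
    "abb41b010f6639bac0813e74e50a3c3ca174f9576e26d98d1e3edc93d27d308f",  # SysWOW64\omsecor.exe, win7 run
    "828c5fff6ab2b8c9a5fb41e19904fa20a8e4a26c1c3835933d1dd64044c94e60",  # SysWOW64\omsecor.exe, win10 run
    "9891c3e45be79b691e0febe524c692255eee06aea657582a0100e2e6f45aa3e4",  # rewritten %APPDATA%\omsecor.exe
}
KNOWN_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}

# The two drop locations the report shows: the user's roaming profile and the 32-bit system directory.
DROP_PATH_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\roaming|windows\\syswow64)\\omsecor\.exe$", re.I)
PROCESS_VM_WRITE = 0x0020  # Win32 access right a handle needs before WriteProcessMemory succeeds


def scan(events):
    """Return one finding dict {"rule", "pid", "detail"} per matching event."""
    findings = []
    for e in events:
        kind = e["event"]
        if kind == "process_create":
            if e.get("sha256", "").lower() in KNOWN_SHA256:
                findings.append({"rule": "known_bad_hash", "pid": e["pid"], "detail": e["image"]})
            if DROP_PATH_RE.match(e["image"]):
                findings.append({"rule": "omsecor_exec", "pid": e["pid"],
                                 "detail": f"{e['parent_image']} -> {e['image']}"})
        elif kind == "file_create" and DROP_PATH_RE.match(e["target"]):
            findings.append({"rule": "omsecor_drop", "pid": e["pid"], "detail": e["target"]})
        elif kind == "process_access":
            # Only a write-capable handle into a dropped omsecor.exe counts: VM_WRITE alone is far
            # too common on a real host (debuggers, AV, telemetry agents) to alert on by itself.
            if e["access"] & PROCESS_VM_WRITE and DROP_PATH_RE.match(e["target_image"]):
                findings.append({"rule": "write_into_dropped_child", "pid": e["source_pid"],
                                 "detail": f"pid {e['source_pid']} -> pid {e['target_pid']}"})
        elif kind == "dns_query" and e["query"].lower().rstrip(".") in KNOWN_DOMAINS:
            findings.append({"rule": "known_domain_lookup", "pid": e["pid"], "detail": e["query"]})
    return findings


def rule_counts(events):
    """Count findings per rule name."""
    return Counter(f["rule"] for f in scan(events))


def dropper_chain(events):
    """Walk parent links back from the SysWOW64 copy and return image paths oldest-first
    (empty list if that final stage never ran)."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    for p in procs.values():
        if p["image"].lower().endswith(r"\syswow64\omsecor.exe"):
            chain, cur = [p["image"]], p
            while cur["ppid"] in procs:
                cur = procs[cur["ppid"]]
                chain.append(cur["image"])
            return chain[::-1]
    return []


# Constructed sample telemetry mirroring the win10 run (PIDs 3204 -> 4912 -> 1844 from the
# WriteProcessMemory table); the explorer.exe parent, its PID and the benign rows are made up.
SAMPLE_IMG = r"C:\Users\Admin\AppData\Local\Temp\9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc.exe"
ROAMING_IMG = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW_IMG = r"C:\Windows\SysWOW64\omsecor.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 3204, "ppid": 1000, "image": SAMPLE_IMG, "parent_image": EXPLORER,
     "sha256": "9fd1ec1f87fec0a0bef4d9175534b5e6cd23a097c1eb8d44a3a96aba1f086abc"},
    {"event": "file_create", "pid": 3204, "image": SAMPLE_IMG, "target": ROAMING_IMG},
    {"event": "process_create", "pid": 4912, "ppid": 3204, "image": ROAMING_IMG, "parent_image": SAMPLE_IMG,
     "sha256": "24bb862aaea4f3b147b0fb878137cf9f8e23d8ace61f90404cc728de2f51a5f1"},
    {"event": "process_access", "source_pid": 3204, "target_pid": 4912, "target_image": ROAMING_IMG,
     "access": 0x1FFFFF},  # PROCESS_ALL_ACCESS
    {"event": "file_create", "pid": 4912, "image": ROAMING_IMG, "target": SYSWOW_IMG},
    {"event": "process_create", "pid": 1844, "ppid": 4912, "image": SYSWOW_IMG, "parent_image": ROAMING_IMG,
     "sha256": "828c5fff6ab2b8c9a5fb41e19904fa20a8e4a26c1c3835933d1dd64044c94e60"},
    {"event": "process_access", "source_pid": 4912, "target_pid": 1844, "target_image": SYSWOW_IMG,
     "access": PROCESS_VM_WRITE | 0x0008},  # VM_WRITE | VM_OPERATION
    {"event": "dns_query", "pid": 1844, "query": "lousta.net"},
    {"event": "dns_query", "pid": 1844, "query": "mkkuei4kdsz.com."},
    {"event": "process_create", "pid": 300, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": EXPLORER, "sha256": "00" * 32},
    {"event": "dns_query", "pid": 300, "query": "example.com"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['rule']:<26} pid={f['pid']:<5} {f['detail']}")
    print("chain:", " -> ".join(dropper_chain(SAMPLE_EVENTS)))
```

Run as a script to print the findings and the reconstructed chain for the constructed events, or call `scan()` on events translated from your own sensor. Two caveats follow from the report itself. Writing into C:\Windows\SysWOW64 needs administrative rights, which the sandbox's Admin account has; on a standard-user host the second stage would fail at that file write, so the Roaming-profile path, the parent-child launch and the DNS lookups are the indicators that fire everywhere, while the SysWOW64 ones confirm an elevated run. And hash matching is brittle here: within the win7 run the same Roaming omsecor.exe path carries two different SHA256 values (24bb86... and then 9891c3...), and the SysWOW64 copy differs between the win7 and win10 runs, so the path and behaviour rules should be treated as the primary signal and the hash set as corroboration.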