Analysis Overview
SHA256: d7fd283daa1f7d0fae9046435ec692c5a1e4bdca93307efff979b72ef20e24ae
Threat Level: Known bad
The file d7fd283daa1f7d0fae9046435ec692c5a1e4bdca93307efff979b72ef20e24ae was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported: 2024-06-12 04:53
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-12 04:53
Reported: 2024-06-12 04:55
Platform: win7-20240508-en
Max time kernel: 146s
Max time network: 149s
Command Line: N/A
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7fd283daa1f7d0fae9046435ec692c5a1e4bdca93307efff979b72ef20e24ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7fd283daa1f7d0fae9046435ec692c5a1e4bdca93307efff979b72ef20e24ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d7fd283daa1f7d0fae9046435ec692c5a1e4bdca93307efff979b72ef20e24ae.exe
"C:\Users\Admin\AppData\Local\Temp\d7fd283daa1f7d0fae9046435ec692c5a1e4bdca93307efff979b72ef20e24ae.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | dc3d113247c3ce8123eaa923936460d1 |
| SHA1 | eb033d03ff2f7432076299b119c3c2db0fe7f612 |
| SHA256 | 5a0b1326d75675986346db5ed25625fa71a43a1b83a7a63d94125c2179614ad5 |
| SHA512 | 4a82bae20a19a33f17c61e2c43a741bf5c14fcffd40209897fef661f852516aa0a2f1f0c9deafc255da6967ce37a00d1d3d0bcbab0a57d79fee18ae8f0b201e6 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5f75c640dd92df7777b2ea1d913486a3 |
| SHA1 | 0cc000d161ac714f70738b6328f450ad9e3f4596 |
| SHA256 | 7f30f553dd0dd73538bcbd85ede27bb84fed84788c5665f8ed46cb82dce3a4c7 |
| SHA512 | 3988833d5223617f6ffc70ebe78b5396217df1e57a13f89ddf4973a04952e61cf3fe51fcdad329b0f994a7a55d5c96006d8bc46a1e8d151b6199fab1075546c7 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 7fc4669d393a18c90b9b5858099f0aa9 |
| SHA1 | 98e1a2593f08fe03cddc7ef09311d4dc61cc2928 |
| SHA256 | 3dd18eaac34c24f7206dda3bc16b840215c3ce3118744e64111846925024bf81 |
| SHA512 | 42b96dbdca328839298da6a6454c4cc49119dc0ddaa1d818250aa2d47cb276c9c4666570bcf5d45d957cdea8f035e590fa6fd7f903957dcfe4b6a1e721476526 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-12 04:53
Reported: 2024-06-12 04:55
Platform: win10v2004-20240226-en
Max time kernel: 143s
Max time network: 150s
Command Line: N/A
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3216 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\d7fd283daa1f7d0fae9046435ec692c5a1e4bdca93307efff979b72ef20e24ae.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3216 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\d7fd283daa1f7d0fae9046435ec692c5a1e4bdca93307efff979b72ef20e24ae.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3216 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\d7fd283daa1f7d0fae9046435ec692c5a1e4bdca93307efff979b72ef20e24ae.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1668 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1668 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1668 wrote to memory of 3668 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d7fd283daa1f7d0fae9046435ec692c5a1e4bdca93307efff979b72ef20e24ae.exe
"C:\Users\Admin\AppData\Local\Temp\d7fd283daa1f7d0fae9046435ec692c5a1e4bdca93307efff979b72ef20e24ae.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.255.166.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | N/A | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | dc3d113247c3ce8123eaa923936460d1 |
| SHA1 | eb033d03ff2f7432076299b119c3c2db0fe7f612 |
| SHA256 | 5a0b1326d75675986346db5ed25625fa71a43a1b83a7a63d94125c2179614ad5 |
| SHA512 | 4a82bae20a19a33f17c61e2c43a741bf5c14fcffd40209897fef661f852516aa0a2f1f0c9deafc255da6967ce37a00d1d3d0bcbab0a57d79fee18ae8f0b201e6 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | efa71cb9ad8a61e610054887015740a3 |
| SHA1 | dabbefd99a1af75822e4df7d38dd133c72505264 |
| SHA256 | 50278bf37d78e519739479949085e4109b5272460948d9bbb3e7b8958784bfce |
| SHA512 | 3f0ffb5a9f574ddac1721eaaaf8d0005ef54fc2a8b7b52394dab7ba3d6ffad0c910b15e91aa5267e8363ccdaedf042e56a37923d310e2d50ad06f9caa9bd4977 |