Analysis Overview
SHA256
4a36577154f8e0edf708a4f11dfbb5cb51aaef3df9edbf41116eb0491c1bece6
Threat Level: Known bad
The file 4a36577154f8e0edf708a4f11dfbb5cb51aaef3df9edbf41116eb0491c1bece6 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 22:27
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 22:27
Reported
2024-06-13 22:29
Platform
win7-20240611-en
Max time kernel
128s
Max time network
139s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a36577154f8e0edf708a4f11dfbb5cb51aaef3df9edbf41116eb0491c1bece6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a36577154f8e0edf708a4f11dfbb5cb51aaef3df9edbf41116eb0491c1bece6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4a36577154f8e0edf708a4f11dfbb5cb51aaef3df9edbf41116eb0491c1bece6.exe
"C:\Users\Admin\AppData\Local\Temp\4a36577154f8e0edf708a4f11dfbb5cb51aaef3df9edbf41116eb0491c1bece6.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | efae023337b78c5bd82b6ea1e6eb5f79 |
| SHA1 | 1225b6139d8917cb60f34f44d66796fe0d5c89a7 |
| SHA256 | b212510526f882276126c7f8d6be0ef59acc2257d91c27692920e4cc66631da7 |
| SHA512 | 2522794b673918ef53690b8ec40160849e944d779006036bf851e650b86c7055f2419f1cb1a37b4183563d5f656674e77ca67313c2b2493d8b00afbea9a4b0de |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 4d74bb99283e275a746e729f1c2b8514 |
| SHA1 | 544d0b608978d54494d541260addc853de3765bc |
| SHA256 | ac0bf1b9bcfac45df27c3fb379b5178395aa7bee1a095f6f22026461f384dfcc |
| SHA512 | 53faa827e0484d18c42691ff809b10d266b6faf58d1cea7fe5f3216fd344409cd3027be94af4b711dda8ffdf4d2312adc063b2f69bd08fc853f956a5fc20f61e |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | bef28ef47d75300f1c0981796d04d95d |
| SHA1 | d1275d1f888de024115952fe4ca1c04865fb54e3 |
| SHA256 | 6af7a6799d1c750cb9ba24f596995f45a45a55bb09957dd8c6a7180e6aa68fb5 |
| SHA512 | 96527f791958c1bd774a898544a20e881cb7d33dce05486aa76a4580bf8fe77b29dda52fed53776b45983931f1e5d3d73baa205e1fdcbad1b675d19a3aaba4be |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 22:27
Reported
2024-06-13 22:29
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
140s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3404 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\4a36577154f8e0edf708a4f11dfbb5cb51aaef3df9edbf41116eb0491c1bece6.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3404 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\4a36577154f8e0edf708a4f11dfbb5cb51aaef3df9edbf41116eb0491c1bece6.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3404 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\4a36577154f8e0edf708a4f11dfbb5cb51aaef3df9edbf41116eb0491c1bece6.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2176 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2176 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2176 wrote to memory of 3972 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4a36577154f8e0edf708a4f11dfbb5cb51aaef3df9edbf41116eb0491c1bece6.exe
"C:\Users\Admin\AppData\Local\Temp\4a36577154f8e0edf708a4f11dfbb5cb51aaef3df9edbf41116eb0491c1bece6.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | efae023337b78c5bd82b6ea1e6eb5f79 |
| SHA1 | 1225b6139d8917cb60f34f44d66796fe0d5c89a7 |
| SHA256 | b212510526f882276126c7f8d6be0ef59acc2257d91c27692920e4cc66631da7 |
| SHA512 | 2522794b673918ef53690b8ec40160849e944d779006036bf851e650b86c7055f2419f1cb1a37b4183563d5f656674e77ca67313c2b2493d8b00afbea9a4b0de |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 1713800ccaa40451ba29ac507fd0a677 |
| SHA1 | 4870de94170606c6a2989d6be8864543d5bcba23 |
| SHA256 | faaa36ae04a79770cb30782f5573ad5841e8183f19dfeb67b5364e3c5d035ace |
| SHA512 | 10b8c964302686222b41d8a9a3293e156ec62aa5fb601271b3b4ea4df841f0375ac335a40640f51c447bd6533252e14efcdf1d9bf5a36d4eb416b0301120c6e8 |