Analysis Overview
SHA256
533301b54cf0ef69842a4ea9592e5ca39c85d010cc98f9725c64b595b4b99e97
Threat Level: Known bad
The file 533301b54cf0ef69842a4ea9592e5ca39c85d010cc98f9725c64b595b4b99e97 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 22:53
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 22:53
Reported
2024-06-13 22:55
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\533301b54cf0ef69842a4ea9592e5ca39c85d010cc98f9725c64b595b4b99e97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\533301b54cf0ef69842a4ea9592e5ca39c85d010cc98f9725c64b595b4b99e97.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\533301b54cf0ef69842a4ea9592e5ca39c85d010cc98f9725c64b595b4b99e97.exe
"C:\Users\Admin\AppData\Local\Temp\533301b54cf0ef69842a4ea9592e5ca39c85d010cc98f9725c64b595b4b99e97.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2008-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 7f12fea9662ad20304339ce253efec40 |
| SHA1 | ce39320091985adf77329b7490df35cb988cfa5e |
| SHA256 | 74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67 |
| SHA512 | a521d513045e382fb642c4ed6066af8e6dc8f8e3c9b13cb2d71a5eb1347d150a54737457bd4f7942b219ad8bb110e1ae0cd80f5035b958e68a558c8d1ac93342 |
memory/2008-8-0x00000000001B0000-0x00000000001DA000-memory.dmp
memory/2008-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1184-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1184-13-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 28e9c6563a993b8f0776f3625999bee9 |
| SHA1 | 9b9a30edf58493c310713fa9622db39adb40e130 |
| SHA256 | 527b7944f14bcb207ffa13f768badc333263da51cdcd73195b32352338d539ee |
| SHA512 | 452d6f1ae8425c518141f25f60e3f6c3c1872ba18e9b970be42b3c054668bc53924db4c9f3655e2a65e6e0d14443dc56b19eea5705699da4441119605be47c59 |
memory/1184-16-0x0000000000380000-0x00000000003AA000-memory.dmp
memory/1556-25-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1184-22-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 99c97cb7ce1c5c720fb89b5578fa3705 |
| SHA1 | 3e4d73d8407ebe3000a41fbf8e6f35d6d4e64a8f |
| SHA256 | 45110292e3ef1962e8dc2848cb047fccb4406be406c514123f810e57c2b38dd8 |
| SHA512 | a3c3b4a2462ce0c4464d10aab26b762063a419ee89d1d5947817a07666cc340ce7e61f2744ca48fdd4081124235ce434596c17df8bbfb7666735b44621fb8c87 |
memory/344-35-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1556-33-0x0000000000400000-0x000000000042A000-memory.dmp
memory/344-37-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 22:53
Reported
2024-06-13 22:55
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
139s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\533301b54cf0ef69842a4ea9592e5ca39c85d010cc98f9725c64b595b4b99e97.exe
"C:\Users\Admin\AppData\Local\Temp\533301b54cf0ef69842a4ea9592e5ca39c85d010cc98f9725c64b595b4b99e97.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/1344-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 7f12fea9662ad20304339ce253efec40 |
| SHA1 | ce39320091985adf77329b7490df35cb988cfa5e |
| SHA256 | 74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67 |
| SHA512 | a521d513045e382fb642c4ed6066af8e6dc8f8e3c9b13cb2d71a5eb1347d150a54737457bd4f7942b219ad8bb110e1ae0cd80f5035b958e68a558c8d1ac93342 |
memory/1344-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3984-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3984-7-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3984-11-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 244ab902d28cf1fe791ecc2f09f6bf47 |
| SHA1 | 85518d1cc1e9b7ec3a9efd05aa84ebfa70261a62 |
| SHA256 | 044d64909863c0b093d3d3f6d81348063876dd59a3dae07ff7c54798100c70f1 |
| SHA512 | a134afab9dbdfe1ab38d677922451d9346a8aaecd676dcf188c6277acc4c59fb1abdd7ec64657350a953170634438906e98f8176a2cad289ff6290c976e4cccc |
memory/2220-13-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 85566047a225d259b862f2bb86f1601b |
| SHA1 | e00f458aac98330086a47e8c71f6eaecaa88e3ae |
| SHA256 | f96f84d397cb1bdd509e5fd3677b5a26d8e74df7daf413fce32fa3f98fee06b7 |
| SHA512 | 31e17a4c7a2e93c1a41c2ecac9e90d46708af73d002addd9bea1520daac11a243ed693e08f9b8abd09449af8eca7ea0108a110682633282e188decdadf177fb0 |
memory/4012-18-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2220-16-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4012-20-0x0000000000400000-0x000000000042A000-memory.dmp