Analysis Overview
SHA256
a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52
Threat Level: Known bad
The file a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 02:09
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 02:09
Reported
2024-06-14 02:12
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe
"C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 90bb1f258cd7a6be665ee434224380ae |
| SHA1 | 4b3726e735b1cae54b66cc4ae8b1101288a2a85f |
| SHA256 | 2969d19775eaaa6336243da9dc6aa8758cf7ff0fa9b31d0d677473a033909666 |
| SHA512 | d14503b5f2ad6ed2b08ab00171104a0bd635d4998d7290ab0746d7138a014b587409f8bda96a720e303f3fb497372bfa73298be579a972c183dbea5309a753c6 |
\Windows\SysWOW64\omsecor.exe
| MD5 | cc05888f40ddf4875174487c7f267d8e |
| SHA1 | e99e90003a4b41b5a3b236643f187c05d7385193 |
| SHA256 | c91e383b778af0e50ce0d5558c4a7adc5b3e5c018483150698b80131249c552d |
| SHA512 | 3d7f0ef3c72163af2c857ccc8fcb3a47aa0e164c01aba4da9aa7e8759e0be3dc604bc022ef24e699a7e806f86bd0d8c392bbf1ff81367ab7eb9b73c479e0f5d2 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c5e91e3c8cd1ac6e64ef371c1da92a40 |
| SHA1 | 6e566ff5cd8b2630b464a41fac968e9a1f90a324 |
| SHA256 | fc6a0ef188b003a801be3cd07dd9e2f0be3011805520ad4981c8f7f80cdc56a7 |
| SHA512 | 7a2d2734ce8a102a5439f7b0f901e75797cc412d933920b3eb8cbc27a0119bc62e45a2ed2e3e019904058bc0d9031539b667f3b8cd3298b4c1069e8fac1efb8b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 02:09
Reported
2024-06-14 02:12
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe
"C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 90bb1f258cd7a6be665ee434224380ae |
| SHA1 | 4b3726e735b1cae54b66cc4ae8b1101288a2a85f |
| SHA256 | 2969d19775eaaa6336243da9dc6aa8758cf7ff0fa9b31d0d677473a033909666 |
| SHA512 | d14503b5f2ad6ed2b08ab00171104a0bd635d4998d7290ab0746d7138a014b587409f8bda96a720e303f3fb497372bfa73298be579a972c183dbea5309a753c6 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | b3cf6fd6e159ae43077c05594f5beba2 |
| SHA1 | 73c5d5563e5d7c62287c51d0a67cc5f92e6dfcb7 |
| SHA256 | 2d23554e9b757f142774fa738fc03917622deed8cbf9d49622f1ddb65991869e |
| SHA512 | 2e16e41be3abbe9d84deb7df0b0fcc3ce0dd1e82c38f607ff078593d1ba1a97d494008cce5704e05abec609f5ec0e67315314568b180d67db25e9e41b79ada0a |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c1dbeda86d44b12fc1199d439103dd8e |
| SHA1 | 4b9ae524a7c1aa7f11c0fc63fe3144bc82e2d410 |
| SHA256 | c3864f56d29e09519af53f2e2b3144fca851f2f266847c8e8099098b76267e1c |
| SHA512 | 13c28b939a2416aa798a80f2aa49e987cf5a7194908b06e839c804cb9f4554a307e81bf04b860664f7295c42ab07c31e0592144a7555fb445d9e2edc96f04def |