Analysis Overview
SHA256
c0ce515c1ec49d7f7a840404e15f45c5ea39281a6b9acdd37f710c756a500125
Threat Level: Known bad
The file c0ce515c1ec49d7f7a840404e15f45c5ea39281a6b9acdd37f710c756a500125 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 03:37
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 03:37
Reported
2024-06-14 03:39
Platform
win7-20240221-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0ce515c1ec49d7f7a840404e15f45c5ea39281a6b9acdd37f710c756a500125.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c0ce515c1ec49d7f7a840404e15f45c5ea39281a6b9acdd37f710c756a500125.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c0ce515c1ec49d7f7a840404e15f45c5ea39281a6b9acdd37f710c756a500125.exe
"C:\Users\Admin\AppData\Local\Temp\c0ce515c1ec49d7f7a840404e15f45c5ea39281a6b9acdd37f710c756a500125.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2156-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2156-9-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5ef3735b67edc4baf4004a128cea46e7 |
| SHA1 | 63e6adc6613f9131844f43fc4620dd89ec09f55a |
| SHA256 | 1ef5cc59bfed4825bb9fc7012f0497acb4dc8a97cf53fb2fb0be3e5fb82ba757 |
| SHA512 | 3ccfffb03893922e93a1cbde946150779c15a9456da52502c655d2e78901173d202866309788b1a999ca107a6c0185f745b4a704d17a261fb33fec68069c304d |
memory/2156-4-0x0000000000220000-0x000000000024B000-memory.dmp
memory/2604-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | e18e6002c2648bb7efe469451c5ba957 |
| SHA1 | ac244a940b6ae125e0b87a8c17361fa8c0329f40 |
| SHA256 | 23882a8d103ea56e75320984cf4dc687ae566b1093b49db6e6ca2044038c4e04 |
| SHA512 | 0b5638543d4384c72f0fbe1c5989f7efabda36676cb8e37dcb4b98b5999c7f2c6b111b1894ca91aaf2d52a4dd0c7360d38404b4809e462ffef89bb3fda3345ee |
memory/2604-17-0x0000000000280000-0x00000000002AB000-memory.dmp
memory/2604-23-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1908-27-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 85e7e219093053c804149d1dd8f75bb9 |
| SHA1 | 151e6240371180777ab5ca2730c7e9932bede831 |
| SHA256 | d76b72f5c7bcc09a1f060e863a1c781203077113517633cad9a93e7a50dcc6ec |
| SHA512 | 890c5db2a9c3f2a0a1921f4ba9bc8223b7ce3b55e64fd0402202a46a48092f859066c1b4adbb27cb06ee48b2ce472555d93cedc04033c62c1d943d8fe7ca35a5 |
memory/1908-30-0x0000000000220000-0x000000000024B000-memory.dmp
memory/2132-37-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2132-38-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 03:37
Reported
2024-06-14 03:39
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c0ce515c1ec49d7f7a840404e15f45c5ea39281a6b9acdd37f710c756a500125.exe
"C:\Users\Admin\AppData\Local\Temp\c0ce515c1ec49d7f7a840404e15f45c5ea39281a6b9acdd37f710c756a500125.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 23.53.113.159:80 | tcp | |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/1664-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5ef3735b67edc4baf4004a128cea46e7 |
| SHA1 | 63e6adc6613f9131844f43fc4620dd89ec09f55a |
| SHA256 | 1ef5cc59bfed4825bb9fc7012f0497acb4dc8a97cf53fb2fb0be3e5fb82ba757 |
| SHA512 | 3ccfffb03893922e93a1cbde946150779c15a9456da52502c655d2e78901173d202866309788b1a999ca107a6c0185f745b4a704d17a261fb33fec68069c304d |
memory/1664-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/936-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/936-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 6b598e5300e73dd180d0f637e4eae26f |
| SHA1 | 5cbb787ea451f2384605e76f3dd9b765184b671d |
| SHA256 | f2bf78263a83d658fecfcc821dfeec23816a6b0da74c887c30aebc6616681a41 |
| SHA512 | ae450161c0776288460f731623643f0bdc5912650ed09a58b4537b6530123dd618f7b405c199f8728a1c7e773004eb12aac96392ce40842f8b82712cc33b01f8 |
memory/936-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2940-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f6fd4c98a31f2f4e346826a9a8512167 |
| SHA1 | 41dce1ae0bc2f9a7b3188ea33384498ca02c50c6 |
| SHA256 | 0d4623bd24a5b9ae802973fbc202b53e567dbef8f55ddf0a05223d6fdb0ab3b1 |
| SHA512 | a938ca8408ff2859039792d4d4e2ee7ad26b6dda4e3383edec4bba345eb4b6b6576dede29f8915cbaae69a3d66ce477de8e097b4df6003ba5da5ff8ab87e0972 |
memory/1152-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2940-19-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1152-20-0x0000000000400000-0x000000000042B000-memory.dmp