Analysis Overview
SHA256
060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73
Threat Level: Known bad
The file 060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 19:50
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 19:50
Reported
2024-06-14 19:53
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe
"C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2416-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2416-4-0x0000000000430000-0x000000000045B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0b1dc4807a2382706d600df9e76d0c84 |
| SHA1 | b3b59340ed7c305e771e39679899bdb331d9271c |
| SHA256 | e9e39e59b400a27f56c528dc55421662ca70abdb220837bdcb8eee3d9d5693f8 |
| SHA512 | aad3ba27f742e04aeaf1fb1d06fd187b2497ffcb9b21f96edf2b5b05b8a4c62f71785eb36063a0e94e267cee4d65aa074b0bc7afbd6459431c8a2ed8d0ffeabb |
memory/2416-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2112-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 66f45953502ca613ce14a1bbc6391ee2 |
| SHA1 | 43cac0fba1050323b9cbc2fe70c31713530b158d |
| SHA256 | c746ecf390cf46a2b497406782f681b301de365bb210cc6c15dc5c42e67f44ac |
| SHA512 | 1f5bd678035a2f90a109788a5bee21bcda2f8f8c5c27fdf53c3fa744bf18a6e0d8ae068d9e087a2acb9d0b1338079c4b215b4bc3c9d9567a38ba81ce90528783 |
memory/2112-15-0x00000000003A0000-0x00000000003CB000-memory.dmp
memory/956-25-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2112-21-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1848-34-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | bd14714e92f23f4277e10af9ef19a071 |
| SHA1 | 7de4512bfa4ab4fd905f01212c74d4f62d279c69 |
| SHA256 | b06c114c7fb44ed0e4c57dfbcf088a0d336a5c26bf3d4f1501ab0c59c556903b |
| SHA512 | 799b08edc7e56451fcf0080715afc8dac68a15890ecec53b2e444e9be2123c9fa15eaab9da20c7fc2b2a4b3a5f37d1eb355f0de10342575e65d840b3de20bf49 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 19:50
Reported
2024-06-14 19:53
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
140s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe
"C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/3564-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0b1dc4807a2382706d600df9e76d0c84 |
| SHA1 | b3b59340ed7c305e771e39679899bdb331d9271c |
| SHA256 | e9e39e59b400a27f56c528dc55421662ca70abdb220837bdcb8eee3d9d5693f8 |
| SHA512 | aad3ba27f742e04aeaf1fb1d06fd187b2497ffcb9b21f96edf2b5b05b8a4c62f71785eb36063a0e94e267cee4d65aa074b0bc7afbd6459431c8a2ed8d0ffeabb |
memory/3564-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3424-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3424-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 027572451241247e216f7df8cd25ae8d |
| SHA1 | 88128f6106da6a1b086f9de6bca20f5ed094d414 |
| SHA256 | 38a7529f1c9bc1af389a30355b0b4bb35e4842c04f045d8121ef4738c41b4aaf |
| SHA512 | e2f98ccf1eda20297121c5ac2fe896aef964dbb10c74e41fdd6b5654c17e1785207e7ae7f9a2b34d125ed85778692287aa7b0f26a6cf7be38760b0d47999b2b6 |
memory/2140-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3424-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2140-17-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 806b741174450178317e9af41ffafd6c |
| SHA1 | 5d9f9c8e765efa9a6276c37aea4453ae03abc363 |
| SHA256 | 52723ce1120da65548dbe12e77fece75a4997c7d72ec3337e7b318af4739c57b |
| SHA512 | 63f3f8d122a92660cfdd72a46604f9a83723b8f42c8a5e95a947318b809162f8837cc0a207e52508ab254f0ecb930a6d49c2b9d30c128e19f06a88c51e582d28 |
memory/1012-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1012-20-0x0000000000400000-0x000000000042B000-memory.dmp