Analysis Overview
SHA256
e495e864688c9a35c5474e0655a0ec7a27dd6f18d1948efade13d2fd11d05897
Threat Level: Known bad
The file e495e864688c9a35c5474e0655a0ec7a27dd6f18d1948efade13d2fd11d05897 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-15 03:13
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 03:13
Reported
2024-06-15 03:16
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e495e864688c9a35c5474e0655a0ec7a27dd6f18d1948efade13d2fd11d05897.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e495e864688c9a35c5474e0655a0ec7a27dd6f18d1948efade13d2fd11d05897.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e495e864688c9a35c5474e0655a0ec7a27dd6f18d1948efade13d2fd11d05897.exe
"C:\Users\Admin\AppData\Local\Temp\e495e864688c9a35c5474e0655a0ec7a27dd6f18d1948efade13d2fd11d05897.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 30690f3a5433e5c1c9632ce557d4aed4 |
| SHA1 | 73120f55b9397ae443e068750adf502e9ea222ab |
| SHA256 | 0d6755a0b55b91ee54a352ee24f57247c0077872a8b16a83276f9698278d2a99 |
| SHA512 | 557e1db54af5b925a29f27dc8d7277098a4d753c58cc3496b01858287a22d4e7706dcaf14e1e5915b92001651ea6b3bc5a36049331c4e58ca304d02133038d1a |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 96295238b68f389aa1d4d7a81c922fb5 |
| SHA1 | 95c97c3091b5a00fb7593b65255eebbd8b79cc3d |
| SHA256 | 2ecc2699a778857b43caac1ce2126e388d539940878ca4444fb7a671a00eea34 |
| SHA512 | fe9433a69e3666a0b5ad10c211b0d83708981a519dfbc296f2d61d9765298e5aa10027ae709abae5c706c8dac189b53a8c3c45fcb064cbbfa7e9b3bb48b64206 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0afb1fc49b6b165bb71fa9e45acb3936 |
| SHA1 | 35f39c307cba85964847a053ff48a0b767439315 |
| SHA256 | 17bf906e51d1428349b3e2954a6aecb50265a4042d6553db7f17703adf264340 |
| SHA512 | b939a1085dedae6f328140c3e6b9dc73db4f229f8ec8c2b29222c7ff704f3893bdfbca9e89a232af6f6ce33ff19356139bbb65a43847e10182a295387315332b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 03:13
Reported
2024-06-15 03:16
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e495e864688c9a35c5474e0655a0ec7a27dd6f18d1948efade13d2fd11d05897.exe
"C:\Users\Admin\AppData\Local\Temp\e495e864688c9a35c5474e0655a0ec7a27dd6f18d1948efade13d2fd11d05897.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 30690f3a5433e5c1c9632ce557d4aed4 |
| SHA1 | 73120f55b9397ae443e068750adf502e9ea222ab |
| SHA256 | 0d6755a0b55b91ee54a352ee24f57247c0077872a8b16a83276f9698278d2a99 |
| SHA512 | 557e1db54af5b925a29f27dc8d7277098a4d753c58cc3496b01858287a22d4e7706dcaf14e1e5915b92001651ea6b3bc5a36049331c4e58ca304d02133038d1a |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | df89aa73212ac808ea8ac50178b304db |
| SHA1 | 1fea19cfb274ebca09816740f28cbb10a14199ef |
| SHA256 | 7a7a086725815e5bec40dee6a852db982bfcb5a977e769ef4321fa30966ff9aa |
| SHA512 | 16501bb4393b9f16a6357db17506490ce1a64aa65ae93f2e3bdae63030e1390e14b7e17a31d986040f26cf63871ac19dcaa3b140c11b570d69f5430d17b5c823 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | dc6ecf9da09f8df26596071e01e6aed0 |
| SHA1 | 7aa480e44c762364b6661b3c031f340f23986a23 |
| SHA256 | ba7460ecf80ad7850cf5eb462abce13c8ff553e8a5000522bbea4375de869fd2 |
| SHA512 | c7e486c4b21a2c63486c49099bb6acca43de9e38471928cbcf5ae97325da9d6354178891b7a51eda7e0b2843e3c97cda26b7c60a4d7c5059c6addf90d32514f0 |