Analysis Overview
SHA256
8635dcf63868ef085cd472bf0540bd295d20fe65675467ada71e4488dbe9c59f
Threat Level: Known bad
The file 8635dcf63868ef085cd472bf0540bd295d20fe65675467ada71e4488dbe9c59f was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-18 23:34
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 23:34
Reported
2024-06-18 23:37
Platform
win7-20231129-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8635dcf63868ef085cd472bf0540bd295d20fe65675467ada71e4488dbe9c59f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8635dcf63868ef085cd472bf0540bd295d20fe65675467ada71e4488dbe9c59f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8635dcf63868ef085cd472bf0540bd295d20fe65675467ada71e4488dbe9c59f.exe
"C:\Users\Admin\AppData\Local\Temp\8635dcf63868ef085cd472bf0540bd295d20fe65675467ada71e4488dbe9c59f.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 3c0f6ac170f181a6f2a273afa3fb28c9 |
| SHA1 | 6756f9e80c0b35e173ef3aac7413df170b44cc62 |
| SHA256 | 3c636919d59f2943abe179469b4b737a0dd90aafc5cf27ccc28db65ebcde13ad |
| SHA512 | 6664cd634204e3d83468c2479a19b85001d8c35f4ad266bad9c548781822edb786674f5667e61928bbdb4dff417aca7f89462a2f27c56fe967f42be698171295 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | e5b518f8506b5b2c6499d77d40ec2c62 |
| SHA1 | 0be652b8736333ad2c44f4dcb6d4d7d6e04c2148 |
| SHA256 | 6cb20584045c39ece3f956dc6401648b437c56c1cf67effb318dae8edc9f1950 |
| SHA512 | 38b14abe718eef6c12a898513e889eb2a14e7e6cb9de0eec7283785492a696f17c16d9eb65f4f560712978c7cd5fefd2230a400481551584834fa26db2013393 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | cc2ffd653b670d90987999ab6de650db |
| SHA1 | 6da6dd65b9fdfb75e5c5e31bde726562e0ab0872 |
| SHA256 | ef514c5b8e3c545607522a28eaa336718f58e14d2d08197c9874b4a104f4f4ba |
| SHA512 | 9e2d340464a37b48fb23d3a28478198e7f81d0889c036b04806d747e49fba3ee47befbeaf6286096a393731f65922785a6fc9ebb040da3811e4ac9b91e129cfd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 23:34
Reported
2024-06-18 23:37
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4192 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\8635dcf63868ef085cd472bf0540bd295d20fe65675467ada71e4488dbe9c59f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4192 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\8635dcf63868ef085cd472bf0540bd295d20fe65675467ada71e4488dbe9c59f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4192 wrote to memory of 4188 | N/A | C:\Users\Admin\AppData\Local\Temp\8635dcf63868ef085cd472bf0540bd295d20fe65675467ada71e4488dbe9c59f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4188 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4188 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4188 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8635dcf63868ef085cd472bf0540bd295d20fe65675467ada71e4488dbe9c59f.exe
"C:\Users\Admin\AppData\Local\Temp\8635dcf63868ef085cd472bf0540bd295d20fe65675467ada71e4488dbe9c59f.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 3c0f6ac170f181a6f2a273afa3fb28c9 |
| SHA1 | 6756f9e80c0b35e173ef3aac7413df170b44cc62 |
| SHA256 | 3c636919d59f2943abe179469b4b737a0dd90aafc5cf27ccc28db65ebcde13ad |
| SHA512 | 6664cd634204e3d83468c2479a19b85001d8c35f4ad266bad9c548781822edb786674f5667e61928bbdb4dff417aca7f89462a2f27c56fe967f42be698171295 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 2b72591831f567638b4d1f14939d811e |
| SHA1 | 49d7eb487a6c7a41440b6a9cf2983102e7a67d57 |
| SHA256 | f2a552a482d75e27798eccea59943a21f37c8ca1bfd11defaf9d6c8f19142ae4 |
| SHA512 | 96d9a14a1246768305457fea66f4b3d1fb84cb67491b21363f02eaabb02092543e6c92133995659ca79475aee5ae9c6cddd98e64c69ccbf111a4b4feb473c405 |