Analysis Overview
| SHA256 | 418395da622c4f81f93db174b004a19d105e4d6fd67d5436642f8162a295665a |
Threat Level: Known bad
The file omsecor.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
| Reported | 2024-06-19 04:23 |
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-19 04:23 |
| Reported | 2024-06-19 04:26 |
| Platform | win7-20240508-en |
| Max time kernel | 149s |
| Max time network | 149s |
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\omsecor.exe
"C:\Users\Admin\AppData\Local\Temp\omsecor.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/2436-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | dc13457d804f890e5c82e4d38d631eb4 |
| SHA1 | 8a34b705c4046b0abf1eff3ad66612ab486b72eb |
| SHA256 | 0eecbe9eafb6dbee1ab6b7329720286ab4ce23feb4ca35f81b5c236f08402a7e |
| SHA512 | 9c829b8e1e8b35261fa417687e398a0f00131bb1f04ea88c6e25363dae68fca58a5bcf7ebc0499df89f119188e95dceaaf28a48fab965fea81cb30b75f69c0dd |
\Windows\SysWOW64\omsecor.exe
| MD5 | d21569ff2faba8f898aa2b3d7c3d4b1d |
| SHA1 | 7addbe21f0136356be6f57b0c01f5855c8ee9014 |
| SHA256 | fad9e9817cb96036d95875229d4e2d3d0c0cc0effccb401d8abf9ffa80fd8b23 |
| SHA512 | aa9d27bfe769f1c991f82651a55d6f43e0964324ea270008d52a45e4afad0e92ae1f26714d94eab0ed87d97ccb8f5de8a2254daa2cf639e5c1c73ea992494418 |
memory/2420-30-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2564-32-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 11d289bf588c5251b1936fe75bc693dd |
| SHA1 | 17320381bd562a37c24139a617d23a552be7e317 |
| SHA256 | 77703a2154340c97b29d5bc3f7da38308525343d94a0ecb1fc095211f23ea5f0 |
| SHA512 | e98acc301b2535da02682d96eb6886eaf2c7a7d41ce0028a1b31beb13ce5097092b492361e06519909aea839e74a65a34a7e2bbd6fa698c4da4f75704d8fd242 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-19 04:23 |
| Reported | 2024-06-19 04:26 |
| Platform | win10v2004-20240611-en |
| Max time kernel | 148s |
| Max time network | 150s |
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\omsecor.exe
"C:\Users\Admin\AppData\Local\Temp\omsecor.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
memory/1640-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | dc13457d804f890e5c82e4d38d631eb4 |
| SHA1 | 8a34b705c4046b0abf1eff3ad66612ab486b72eb |
| SHA256 | 0eecbe9eafb6dbee1ab6b7329720286ab4ce23feb4ca35f81b5c236f08402a7e |
| SHA512 | 9c829b8e1e8b35261fa417687e398a0f00131bb1f04ea88c6e25363dae68fca58a5bcf7ebc0499df89f119188e95dceaaf28a48fab965fea81cb30b75f69c0dd |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | a6a102951bb55899bf02b16018894830 |
| SHA1 | f2e3d36e17d27759dfb919e6eb9e66fde0aab3c6 |
| SHA256 | 3c43ec56decb44898664a8c2ef2574ebe5167d7295dc3180a36d6f00ecab5344 |
| SHA512 | 2dae477d46e1e46f44e8823ec35b5e0ab52c7ed6e07167cecadef06def9348e686465ec71da4197c5422eabaa5668dd23ca0b482e5007ec6571d813e6d6b9f0f |
memory/4876-26-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7810e695d5e09475495724445e478792 |
| SHA1 | 02e15f671528d000f95eca1135230ad8092e9dee |
| SHA256 | 84f822c96e0fa8f153bd01816384277d3cdbc33e726c9852ce77472889b6da11 |
| SHA512 | d7bbca609a62bc0dcc6fb56a3fd9c4a85998b59a9ea429e30e621b6c8de730549d47cdbddb1f75b48e1bed79d1a91888ea2612b01ba3667a0985529469f5a88a |