Analysis Overview
SHA256
3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6
Threat Level: Known bad
The file 3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-19 20:46
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 20:46
Reported
2024-06-19 20:49
Platform
win7-20231129-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe
"C:\Users\Admin\AppData\Local\Temp\3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/944-0-0x0000000000400000-0x000000000042D000-memory.dmp
memory/944-9-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 94649c28606d6e3aa3622bc1db94a390 |
| SHA1 | ee4545baf07a4b156bbb4bc96db63da5efe75238 |
| SHA256 | 30c57dbb22b534f0104ac3fe63e0ebfb8cd831857e092a8dae2e2afdb1b0832c |
| SHA512 | 57b3d996118ddc487d26429120bd127d45132e8b8b39a687efeebdb6ef20639a3f58286ba1924e5671f605a7d8a38669f33469e8360a9f11fc8f13575ba2ed9f |
memory/1680-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1680-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1680-16-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1680-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1680-22-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 55fd133b77f1469b3debedbaaf87aa48 |
| SHA1 | f0a1e94bbe973e58bd43cee6a7fa3255c4d734e2 |
| SHA256 | a461f0e28f19c9de0e8ed11ee563c1fc43270214028f21ba3b43590b9a5f3463 |
| SHA512 | a1c77d2ce6c85e5728a8dffe3e9b1d65e0bcdbf24202ccb88475cbf451ab1789554c65c953b9004b406dfd6cf60fb17d1b2d80bda408519efdb3f4c320a00207 |
memory/1680-25-0x0000000000340000-0x000000000036D000-memory.dmp
memory/1680-32-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2796-35-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1680-34-0x0000000000340000-0x000000000036D000-memory.dmp
memory/2796-36-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2796-39-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 20:46
Reported
2024-06-19 20:49
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe
"C:\Users\Admin\AppData\Local\Temp\3c014cc9f2646064bf7c9b5fbcad16528a9fe9c532179a6468ce1f2946b6acd6.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/3152-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 94649c28606d6e3aa3622bc1db94a390 |
| SHA1 | ee4545baf07a4b156bbb4bc96db63da5efe75238 |
| SHA256 | 30c57dbb22b534f0104ac3fe63e0ebfb8cd831857e092a8dae2e2afdb1b0832c |
| SHA512 | 57b3d996118ddc487d26429120bd127d45132e8b8b39a687efeebdb6ef20639a3f58286ba1924e5671f605a7d8a38669f33469e8360a9f11fc8f13575ba2ed9f |
memory/3152-5-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3500-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3500-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3500-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3500-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3500-14-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | d7653d7bb5e1abd7aba673a794937c1b |
| SHA1 | afd32ce7f5c9bcfbf930dce718a086577ecc7ecd |
| SHA256 | b8e8f5be837fb6f87337fa0b1fa8d657645963d54d055e10862549d5ca18b01b |
| SHA512 | 2298b3151ba6dc87e2a48fc7c3f53760306ab5c6169d9fa59db58243915b7d2f5b71aaa7a0eeca3b973b8e7aebfc715aa4415d01bec649b7a97c4e550b6ae7e5 |
memory/3500-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2416-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2416-26-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 3cdd4dc8fd15885fe545e8acf7c016ac |
| SHA1 | 9071e6d15ba0fb2e132daf9064afbc7b067bb8b8 |
| SHA256 | 2ac90bc6530dbdcf025b5bd08bb9d9a29bffef98463dc7fcc19189c4510d67a3 |
| SHA512 | 443013daec362fccecd5d00f66381aeba8a8a44e5f1bc5e1202b1dd7e3ce6e79293a6fe032d1e8fcf7b2c08ed18c5e2e481f741cbe8533333eb7c912d149cd89 |
memory/452-27-0x0000000000400000-0x000000000042D000-memory.dmp
memory/452-29-0x0000000000400000-0x000000000042D000-memory.dmp
memory/452-32-0x0000000000400000-0x000000000042D000-memory.dmp