Analysis Overview
SHA256
4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418
Threat Level: Known bad
The file 4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-20 21:59
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 21:59
Reported
2024-06-20 22:02
Platform
win7-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe | "C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
The third process is started with a System32 command line, but its image is the file under SysWOW64 that the "Drops file in System32 directory" indicator records. That is WoW64 file-system redirection for a 32-bit process on 64-bit Windows (the 0x400000 image base in the memory dumps below is consistent with a 32-bit PE), so any path-based rule for this sample has to treat System32 and SysWOW64 as the same directory.
Network
Only DNS queries (UDP/53 to 8.8.8.8) were captured in this run; no follow-on TCP connection to the resolved hosts appears within the 152 s network window.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
Memory dumps are listed as memory/<pid>-<sequence>-<start>-<end>-memory.dmp. Note that the dropped omsecor.exe does not have a stable hash: the first copy written to AppData\Roaming (MD5 a2864cedce63bbee3b3e9e92db69953d) is identical in both runs, but the same Roaming path is later recorded with a different hash, and the SysWOW64 copy differs between the Win7 and Win10 runs. Pivot on the file name, paths, process chain and domains rather than on the hashes of the second-stage copies.
memory/1612-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1612-8-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a2864cedce63bbee3b3e9e92db69953d |
| SHA1 | 74b64a87b2d73fa162009fc4554b612dcce8dedb |
| SHA256 | 77e72fb7e9b511e876ace38a895819cde78433bfe62423fcc6ad7c978eaa2397 |
| SHA512 | 4a519bf03f4a6c2a10b17cf2a5810270bb94b95f0863b043c69e49042e5e9461b22af2efa2ff56d90c6deaf6841103877c0f161cd8f0cb5f3eb13b4e7b9bf40f |
memory/1952-10-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1952-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 7742accb4580cd86d04ff2b8211c9a40 |
| SHA1 | 552c99239e1159e530984a7a3cb7a17571bc2e1e |
| SHA256 | 74aab2dbe9bb98f8de870ec49e6a7ed781eb5dc9579bd5b0dc2765c9bc0cc343 |
| SHA512 | cc6a04574131619dfffa6353e58bef8332b7288634ad15716faf601e691babc8f0b6f8171de5fddcac6aaf3967b826b882a8a4774ea94bc045fc1d70bbbe9422 |
memory/1952-15-0x0000000000350000-0x000000000037B000-memory.dmp
memory/380-28-0x0000000001B70000-0x0000000001B9B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8bdfc2035d356787c4000441dc47922a |
| SHA1 | 8d54254516040bb582972ff2cf8296e3b886c8a6 |
| SHA256 | 01763effe2625ed2ac06056474d1e79297e8c99bde006e4cb906248291d71663 |
| SHA512 | cd26c06c5cb6c475e6cee0b009083e314e72fee661788cea6c44aed9b7ec83909b3c2d02fcf49d7618b6cdd946b6652c7b4e085c4d75fa2415327ff2bc548275 |
memory/380-25-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1952-21-0x0000000000400000-0x000000000042B000-memory.dmp
memory/620-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/620-36-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 21:59
Reported
2024-06-20 22:02
Platform
win10v2004-20240611-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3964 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3964 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3964 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2876 wrote to memory of 804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2876 wrote to memory of 804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2876 wrote to memory of 804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe | "C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
The SysWOW64 copy is launched with a System32 command line; WoW64 file-system redirection for a 32-bit process accounts for the difference, so System32 and SysWOW64 must be matched as equivalent when hunting for this file.
Network
The rows that matter are the lookups of lousta.net, mkkuei4kdsz.com and ow5dirasuek.com and the plain-HTTP (TCP/80) connections that follow them. The *.in-addr.arpa rows are reverse (PTR) lookups of addresses the VM talked to, and tse1.mm.bing.net is Windows 10 background traffic, so neither is an indicator for this sample.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.255.166.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
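As an added example, not part of the sandbox report or of any vendor's tooling: a small detector that replays a handful of constructed Sysmon-style events modelled on this behavioral2 run and flags the behaviours the signatures above describe (a dropped EXE run from AppData, a user-profile process writing omsecor.exe into the system directory, the two cross-process writes, and DNS to the three domains). The event schema, field names and the parent PID 1000 for the sample are assumptions; the PIDs 3964/2876/804, paths and queries come from the report. The path normalisation folds SysWOW64 onto System32 so the redirected command line and the on-disk image match the same rule.

```python
r"""
Added example (not from the sandbox report): replay constructed events that
mirror the behavioral2 run and flag the Neconyd drop chain
sample -> %AppData%\Roaming\omsecor.exe -> C:\Windows\SysWOW64\omsecor.exe.
Event schema and field names are assumptions made for this example.
"""
import re

# Domains from the report's network tables. The *.in-addr.arpa rows there are
# PTR lookups and tse1.mm.bing.net is Windows background traffic, so they are
# deliberately left out of this set.
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}

# Where the report shows the second-stage copy landing. System32 is the
# canonical spelling here; normalize_path() folds SysWOW64 onto it.
DROP_TARGET = r"c:\windows\system32\omsecor.exe"

WIN_SYSDIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
USER_APPDATA = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# Constructed sample events (assumed schema: 1 = process create, 10 = process
# access with write, 11 = file create, 22 = DNS query). PIDs, paths and queries
# follow the report's behavioral2 run; ppid 1000 for the sample is made up.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 3964, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\4f0bbbb25ad1dc81b80719b0f0b83672fe398bffad82b06f1b118d21a3441418.exe"},
    {"id": 11, "pid": 3964, "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"id": 1, "pid": 2876, "ppid": 3964, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"id": 10, "src_pid": 3964, "dst_pid": 2876, "write": True},
    {"id": 11, "pid": 2876, "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"id": 1, "pid": 804, "ppid": 2876, "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "cmdline": r"C:\Windows\System32\omsecor.exe"},
    {"id": 10, "src_pid": 2876, "dst_pid": 804, "write": True},
    {"id": 22, "pid": 804, "query": "lousta.net"},
    {"id": 22, "pid": 804, "query": "171.255.166.193.in-addr.arpa"},
    {"id": 22, "pid": 804, "query": "tse1.mm.bing.net"},
    {"id": 22, "pid": 804, "query": "mkkuei4kdsz.com"},
]


def normalize_path(path):
    r"""Lower-case the path and fold C:\Windows\SysWOW64\ onto C:\Windows\System32\.
    A 32-bit process that names System32 reaches SysWOW64 through WoW64
    file-system redirection, which is why the report's SysWOW64 omsecor.exe
    carries a System32 command line."""
    return WIN_SYSDIR.sub(lambda m: "c:\\windows\\system32\\", path.lower())


def analyze(events):
    """Return (finding, pid, detail) tuples for the behaviours in the report."""
    images = {}  # pid -> image path, filled from process-create events
    findings = []
    for ev in events:
        if ev["id"] == 1:
            images[ev["pid"]] = ev["image"]
            if USER_APPDATA.match(ev["image"]):
                findings.append(("exe_run_from_appdata", ev["pid"], ev["image"]))
            if normalize_path(ev["image"]) == DROP_TARGET:
                findings.append(("dropped_copy_in_system_dir_run", ev["pid"], ev["image"]))
        elif ev["id"] == 11:
            writer = images.get(ev["pid"], "")
            if USER_APPDATA.match(writer) and WIN_SYSDIR.match(ev["target"]):
                findings.append(("appdata_process_writes_system_dir", ev["pid"], ev["target"]))
        elif ev["id"] == 10 and ev.get("write"):
            findings.append(("cross_process_write", ev["src_pid"], ev["dst_pid"]))
        elif ev["id"] == 22:
            q = ev["query"].lower().rstrip(".")
            if q.endswith(".in-addr.arpa"):
                continue  # PTR lookup: sandbox/resolver noise, not an indicator
            if q in C2_DOMAINS:
                findings.append(("c2_dns", ev["pid"], q))
    return findings


def ancestry(events, pid):
    """Image paths from pid up to the root, for reporting the drop chain."""
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    parents = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    chain = []
    while pid in images:
        chain.append(images[pid])
        pid = parents[pid]
    return chain


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
    print(" <- ".join(ancestry(SAMPLE_EVENTS, 804)))
```

Run against the constructed events this yields eight findings: two processes started from AppData, the Roaming copy writing into SysWOW64, the SysWOW64 copy being executed, the two cross-process writes, and the two lookups of report domains; the PTR and bing.net queries are dropped, and the ancestry of PID 804 walks back through the Roaming copy to the original sample.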
Files
The Roaming copy hashes identically to the Win7 run (MD5 a2864cedce63bbee3b3e9e92db69953d), while the SysWOW64 copy does not (7742accb4580cd86d04ff2b8211c9a40 there, 63facc42e359ec34e3e9d28fe7615494 here), so only the first-stage copy's hash is a usable indicator.
memory/3964-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a2864cedce63bbee3b3e9e92db69953d |
| SHA1 | 74b64a87b2d73fa162009fc4554b612dcce8dedb |
| SHA256 | 77e72fb7e9b511e876ace38a895819cde78433bfe62423fcc6ad7c978eaa2397 |
| SHA512 | 4a519bf03f4a6c2a10b17cf2a5810270bb94b95f0863b043c69e49042e5e9461b22af2efa2ff56d90c6deaf6841103877c0f161cd8f0cb5f3eb13b4e7b9bf40f |
memory/3964-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2876-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2876-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 63facc42e359ec34e3e9d28fe7615494 |
| SHA1 | 0c7d112dfb6298e63a56315bc36dc8ec215df326 |
| SHA256 | be6afe4e202bd0bfa10e0b725d9118144e8045771218561b571b2da8da52735f |
| SHA512 | 100f0f19be4fb94bb4ac799349c760ef63adcf5a3ce241050099c015c64e513938081917afcf263e145487e33e28f65e746a507a4a79dd8982fdab328a5fc4d5 |
memory/2876-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/804-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/804-14-0x0000000000400000-0x000000000042B000-memory.dmp