Analysis Overview
SHA256
fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5
Threat Level: Known bad
The file fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5 was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-20 05:44
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 05:44
Reported
2024-06-20 05:47
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe
"C:\Users\Admin\AppData\Local\Temp\fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1328,i,6041070687820623968,3004230300437737550,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4101d3aa205da249687d826f846fe548 |
| SHA1 | e397513a129f42c9c90737377da0e0b318b018d3 |
| SHA256 | 55e7db61bde4c476eb479af8801114219b1ff6b9de00978ffedebd54635d0c7b |
| SHA512 | accb5957e745b9dc4794d387681974b109c35e6d7109e438d7cbb8a002ab1ecfb953712673c71374a9128055b0c5728bea6c8a0254dbad680c458e25ad6fd59a |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | ba4961f4b3080610698071d36aa9e373 |
| SHA1 | 524b4ceacbd9d5778ca59fdf0080e971f5a7cf1d |
| SHA256 | 3d126198e4052cd5a952d40bbc55b049d66d37ac6ca7e8db18dffa1101572b56 |
| SHA512 | deb9706cda1b486a358a7dcd6069b2c4bab3e770a2a17b91c93612b86ee4174be2b044b4d76872059162950a68b4e1d69d86f2290b654aa16fab7ad909b18a59 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d8001b15349177e6e24a41503156e81d |
| SHA1 | 5a6655d712dd22a3885ce3f944c7175c8e1146ad |
| SHA256 | 8cc66035cac3e6c932818afc538a476bbc50af237e85404f90273f195814850e |
| SHA512 | 897c2f3f5145648a22957e4d316ba9cabe6f33613ed45c41c1caf8878ebdffcf69360d96bf5437345526181fdbfaf7574dbe50dac1364f4805f5519949e03969 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 05:44
Reported
2024-06-20 05:47
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe
"C:\Users\Admin\AppData\Local\Temp\fac1232e2a8e5afcb882d9f556441e5c91f316a344f4a9f760289b270a8ccec5.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4101d3aa205da249687d826f846fe548 |
| SHA1 | e397513a129f42c9c90737377da0e0b318b018d3 |
| SHA256 | 55e7db61bde4c476eb479af8801114219b1ff6b9de00978ffedebd54635d0c7b |
| SHA512 | accb5957e745b9dc4794d387681974b109c35e6d7109e438d7cbb8a002ab1ecfb953712673c71374a9128055b0c5728bea6c8a0254dbad680c458e25ad6fd59a |
\Windows\SysWOW64\omsecor.exe
| MD5 | caf505c601c3fe8982ca9e52fd4ecebf |
| SHA1 | bd6a4df4a2fb82e85a9aa601e46ee9f73c5f2332 |
| SHA256 | 019d7226ea8503616e9164e8b92e846b36f48768531bd9f89350ffcc5e590457 |
| SHA512 | 704109d65f58c5d8e6139230f5c801e10fd4bfb1de22f490663f77079844ebedfc13d823f6e219e6227cb7b2bb777dc057129c504da37181295ad9145df3f2f7 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a97e0e0ee726098f71805bbdbc5b0be1 |
| SHA1 | 563e9814c43845884380c1fb22b9afd44ea09751 |
| SHA256 | 554b3233ea3f389f3f10197cfd709d799937e6d4fcbed807e63b38543a3e70e0 |
| SHA512 | 33b307b988cd396d3a74b831cc689fa048796c920930520ce026f0133e58a19b8a194b6dd81b8a2e1fc7922867631aa41b12c5c10cf387298ecfa063f38ab213 |