Analysis Overview
SHA256
a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d
Threat Level: Known bad
The file a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-21 01:51
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 01:51
Reported
2024-06-21 01:54
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe
"C:\Users\Admin\AppData\Local\Temp\a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2236-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | eb1594b3d0c7f76d46121377d070ec22 |
| SHA1 | c8390571254d431b0fd9ce66bc66ca946a36f8dd |
| SHA256 | c3b10a9f0ab06a358aedf2b12faf1402a621728a09691b05a1b1cb268d7f6552 |
| SHA512 | 80f0382ffc489a9d8968aee0c435d31f24bd1968d2680d8bc37f89a9814de30e38a31ae925a613a6572210f3358c5c3996fd2ed8506de09e1cfb8fb5b45d96c4 |
memory/2236-4-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/1724-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2236-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1724-13-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | a795a9bffb4223060a28e35ad32b5eb2 |
| SHA1 | cf8aba9ef8126ddbc47bb7cc6ba57003d09a1b91 |
| SHA256 | 95d5b069dc1779f9e1630ad8a7b9da03d1eb24204ed3894f4d5dcecee2c4cc6d |
| SHA512 | 274a959c451f0913f45f13f815cbd06667c2607c05f40ffd343803bd2db9432f831cc968dfa7b1e437c9043b30768a58449d57a0ac12ef655899ba74db59c028 |
memory/1724-25-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 59e5b0c6b6e48cbf791958e40e8a608a |
| SHA1 | e39d1fd6deb61c2adbbfcf919c70b5ce2b152bd6 |
| SHA256 | d23edb8ef1c1f2cd89079d88338570759a13c075f13fffb77e5ee07016fe84fa |
| SHA512 | 6f8bf2313deee43011946b6bf2c8dcf54641009d0cb53d6000504ac3295b963c66ef02ea3bfa98b6dc72876e154c681ce63395971107c6dc7301cbea105420ae |
memory/316-36-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2924-28-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1724-19-0x0000000000320000-0x000000000034B000-memory.dmp
memory/316-38-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 01:51
Reported
2024-06-21 01:54
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
140s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe
"C:\Users\Admin\AppData\Local\Temp\a4c334a1ea001a8ac50e673f0075817e061e2a894be2f8bd9e7b064c485baf7d.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/4600-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | eb1594b3d0c7f76d46121377d070ec22 |
| SHA1 | c8390571254d431b0fd9ce66bc66ca946a36f8dd |
| SHA256 | c3b10a9f0ab06a358aedf2b12faf1402a621728a09691b05a1b1cb268d7f6552 |
| SHA512 | 80f0382ffc489a9d8968aee0c435d31f24bd1968d2680d8bc37f89a9814de30e38a31ae925a613a6572210f3358c5c3996fd2ed8506de09e1cfb8fb5b45d96c4 |
memory/4600-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4964-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4964-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | c6896133af4e5ccdf29265134de80047 |
| SHA1 | bb91f912387442b6df35ccffbd3b013cc1189aca |
| SHA256 | ec8db7f6d7fcdc88d28ad09c088850853ff6f6d812b83f94af0d2c50808798de |
| SHA512 | b3043a7a830d7db9bddd430a6e32cf9af95a31075d7819fbedbd6a422242d5ce7ad4d4b13323f27d0cbf3658a69d1476352c9db5a2800ff02b9603e54a1cd161 |
memory/4964-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3008-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 080351041fed2c4b2bfec7c5e8447003 |
| SHA1 | 7085829d17053a3aa488f17f0e4a5c94fe4aa28f |
| SHA256 | 1bd82c90d0ec636dc89e1acf8b56082ba0eca2c57351ed4b599c7af9845e5f46 |
| SHA512 | 236450b2dd1aa6478d237c5ba3f144b353e6c5ee822fb1160a209fafbe32589d10fc8e8c207774698704485f6e0b9f1c737e82b785bcb03d3389ecdc1fe52a41 |
memory/3008-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3552-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3552-20-0x0000000000400000-0x000000000042B000-memory.dmp