Analysis Overview
SHA256
aa47612960ba3709e0694d26810dab5beb3df7bcb2a0007ec2c1eafe5454d56a
Threat Level: Known bad
The file aa47612960ba3709e0694d26810dab5beb3df7bcb2a0007ec2c1eafe5454d56a was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-21 02:07
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 02:07
Reported
2024-06-21 02:09
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa47612960ba3709e0694d26810dab5beb3df7bcb2a0007ec2c1eafe5454d56a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa47612960ba3709e0694d26810dab5beb3df7bcb2a0007ec2c1eafe5454d56a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa47612960ba3709e0694d26810dab5beb3df7bcb2a0007ec2c1eafe5454d56a.exe
"C:\Users\Admin\AppData\Local\Temp\aa47612960ba3709e0694d26810dab5beb3df7bcb2a0007ec2c1eafe5454d56a.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 048a61ebf337883ade9242606a93746f |
| SHA1 | ab71eeced3045e5bef065f2e3c293071738414d9 |
| SHA256 | 69eebc98ecbe8c656923eb8af8dcca8e73a882398f068d43e6a3013c7631b40b |
| SHA512 | dd1cef4ec4b77df2d5df8688d4ea3403266cba05eaa3ba8e44c77df87eb00d112992c86253982f8a7b73a110291dd4b635b7e7aca26859d5cb4bcae96eeb6586 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | fcd4d04d3aed2c64a98c7ebbe04da9b9 |
| SHA1 | bccee88e26c8b2cdfef7e533fd9932f93323f874 |
| SHA256 | 62d3f880f1121a10aa5dab92c56a7082bed247ef977160b949c5524dbf2b9c5e |
| SHA512 | 9044287fc3e15a27caa7cb95acbbf5f34a6a0ff0c8f0d93a8c4fdd5513c54dd72bbaf22155c8316d70c4b58b7024c627452c9ef0960167960aa910cf01d0442f |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 8efad5a7cce45ad1d2b9315ef2528dc9 |
| SHA1 | 538da7281d56a8135b1514cd18bf82a45e57f863 |
| SHA256 | bae39042cabefb6687f8d6227a43f5349e71c98edb0a56b5c57d483cf68c86c3 |
| SHA512 | db94276200e136d9d609fa3c5b283df51be20329296c15fd7f57571be5bbf5421dd99320065c3819c9fd8bfbaa56a54b69a1a96c27218dbaed7c74bfa72c8fc8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 02:07
Reported
2024-06-21 02:09
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa47612960ba3709e0694d26810dab5beb3df7bcb2a0007ec2c1eafe5454d56a.exe
"C:\Users\Admin\AppData\Local\Temp\aa47612960ba3709e0694d26810dab5beb3df7bcb2a0007ec2c1eafe5454d56a.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 048a61ebf337883ade9242606a93746f |
| SHA1 | ab71eeced3045e5bef065f2e3c293071738414d9 |
| SHA256 | 69eebc98ecbe8c656923eb8af8dcca8e73a882398f068d43e6a3013c7631b40b |
| SHA512 | dd1cef4ec4b77df2d5df8688d4ea3403266cba05eaa3ba8e44c77df87eb00d112992c86253982f8a7b73a110291dd4b635b7e7aca26859d5cb4bcae96eeb6586 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 19a3c2c1198a8151a357e89dfefbe736 |
| SHA1 | f29d0da5b9bbbb43b01a3bb3a1aceb35dbaed171 |
| SHA256 | 4acf43eeadcd9d4bb34d99bd2b8586d5fadc9c29393c15c127565ae8c32cfaf0 |
| SHA512 | 7d3a8fce9982ca76e7b5a7ec47f3f4165d8c0fd8c2eb5b8636ab829ec73055c29c1c318256a00d13a00fb7b85d4695e0f1138470f044046330ae568b32a4ff01 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 294d34a13287a55fbb6d350d2d919aae |
| SHA1 | 5b326e50ea58d87f8485e525249296efbfe6e992 |
| SHA256 | d44c819e91ff403c5accaca8c04bdbc92eba8053a52d4f1f71480b599482c87a |
| SHA512 | a416462354cc792bd922db055e4423145ddd25279bc9afc858d92a235a791673e872240c88324086a5e57988f1633165dcb8a089c61e015386e302524cdb38f1 |