Analysis Overview
SHA256
06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0
Threat Level: Known bad
The file 06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0 was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-21 18:25
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 18:25
Reported
2024-06-21 18:28
Platform
win7-20240611-en
Max time kernel
146s
Max time network
152s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe | "C:\Users\Admin\AppData\Local\Temp\06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |

Note the third process: it is launched with a System32 command line but runs from SysWOW64. The image base of 0x400000 and the SysWOW64 location are consistent with a 32-bit executable, and for 32-bit processes the WOW64 file-system redirector maps C:\Windows\System32 to C:\Windows\SysWOW64, which is also why the "Drops file in System32 directory" signature reports the file at C:\Windows\SysWOW64\omsecor.exe. Detection rules should match omsecor.exe under either directory name.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2944-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 19ccaf464a091e062b03fb80d35f1c27 |
| SHA1 | 0c0e9b32f66d49e2754af7ff83f2109bd643c470 |
| SHA256 | 8906730d7858dcd68ea18026427d8934b326abfc3a5d0d8070cb18430de7a53d |
| SHA512 | 6e413b862bb7fbb1bebcebabe0dd0397185e2625ec17364c21720d12179583e4965f279c56798049aeef45367a5031b324c6122888c2b6bba21ca40610bdf96c |
memory/2944-9-0x0000000000220000-0x000000000024B000-memory.dmp
memory/2944-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2784-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2944-8-0x0000000000220000-0x000000000024B000-memory.dmp
memory/2784-14-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 7be4cd475ec7c45b167f721bfdaa1a17 |
| SHA1 | a7e764a8edfd65809574b2cc1aec2b7f00c044cd |
| SHA256 | 032431f8729ebb7701cd1f97af441366c7c2f7000b4b92b2eb72ea8adda55399 |
| SHA512 | 9f9062bfa83fc5da25255f6f0ec6ed7ac16d6238cee9d7a8d627fa0c08a51cabf954e815dc3d0f653242b437ecb94536958dd440860ec629f26e17bbd50a3cb9 |
memory/2784-19-0x00000000004B0000-0x00000000004DB000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d51254081752e3d1b0cb209f83286409 |
| SHA1 | e2dfac25296695c910dfb53ccfe3f3b2eba34ed8 |
| SHA256 | 26b7172810d076f1c63b9689d02ba50faff080f61b22c85256d4db2c87a572ed |
| SHA512 | fe092d75310462d4afcb9722254deebb0eb39c11d880bdbf19874044d0dcc58da6dc43b30dc1a7bd94a15288a17b90f6782db25fa815088c4e6f363b2cede88d |
memory/2892-29-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2892-32-0x00000000003C0000-0x00000000003EB000-memory.dmp
memory/2784-25-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2336-38-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2336-40-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 18:25
Reported
2024-06-21 18:28
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
139s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe | "C:\Users\Admin\AppData\Local\Temp\06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |

As in the win7 run, the SysWOW64 copy is started with a System32 command line; the WOW64 file-system redirector maps System32 to SysWOW64 for the 32-bit process, so the same omsecor.exe path appears under both names in telemetry.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/1724-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 19ccaf464a091e062b03fb80d35f1c27 |
| SHA1 | 0c0e9b32f66d49e2754af7ff83f2109bd643c470 |
| SHA256 | 8906730d7858dcd68ea18026427d8934b326abfc3a5d0d8070cb18430de7a53d |
| SHA512 | 6e413b862bb7fbb1bebcebabe0dd0397185e2625ec17364c21720d12179583e4965f279c56798049aeef45367a5031b324c6122888c2b6bba21ca40610bdf96c |
memory/1724-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4520-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4520-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 606da41b97cb0c85ad806851fa847c6f |
| SHA1 | 18709394fc2beb212c8db8a3baea00a178016a2d |
| SHA256 | a870a29edc76af9a7c487ecac88ab8f0e6f3697246c90aba93c28d82118d3771 |
| SHA512 | 09031a77d8727659f1889aa54395ea0248eba2aeafcc41e2f5f2640f13cb70792b2b479b520cc3c80e660ea9916d930f057ff6b901a5a73c5d392d1387004b88 |
memory/4520-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5040-14-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | fe329954fdb83adffe829e3c870d786d |
| SHA1 | 717b015241b9f27014321c0116e550af27483a0b |
| SHA256 | fba7e52179052b3330552ef566dd4a98f57cbdfe28d76e85a0d6361c64394021 |
| SHA512 | 9a0362b786734bd2e92415ae8785ec1f3faca37b7faf2c64d912e765da991d7f66fa78dfd452a744743b9e1ab25f0840b0c7c98bfc1a729d0cb18d5f12037e89 |
memory/5040-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2292-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2292-20-0x0000000000400000-0x000000000042B000-memory.dmp
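The two detonations above give a compact indicator set: the parent sample hash, omsecor.exe written to %APPDATA% and to the system directory, and three contacted domains with the IPs they resolved to in the win7 run. The hashes of the dropped copies are weaker indicators than the paths and domains: only the first Roaming copy (8906730d...) hashed the same in both runs, while the SysWOW64 copy and the second Roaming copy differed between win7 and win10. The matcher below is an added example, not part of the sandbox output; it encodes the report's indicators and runs them over a handful of constructed Sysmon-style event records (the records, field names and the benign svchost/microsoft.com entries are invented for illustration, not real logs). It accepts omsecor.exe under both System32 and SysWOW64 because of the WOW64 redirection seen in the process list.

```python
"""IOC matcher for the Neconyd detonations in this report.

Added example. Indicator values are copied from the report; the event
records at the bottom are constructed to resemble Sysmon/EDR telemetry
and are not real logs. Field names (type, path, target, parent_path,
sha256, query, dst_ip) are this example's own convention.
"""
from __future__ import annotations

import re
from typing import Dict, Iterable, List

SAMPLE_SHA256 = "06fb849c085af20e8ed815b454bb051212215479347f373a99175f0631c7c4d0"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\\" + SAMPLE_SHA256 + ".exe"

# Hashes of the dropped omsecor.exe copies. Only the first Roaming copy
# was identical across the win7 and win10 runs; the others differed, so
# these are weak indicators compared with the path and domain matches.
DROPPED_SHA256 = {
    "8906730d7858dcd68ea18026427d8934b326abfc3a5d0d8070cb18430de7a53d",  # Roaming copy, both runs
    "032431f8729ebb7701cd1f97af441366c7c2f7000b4b92b2eb72ea8adda55399",  # SysWOW64 copy, win7
    "26b7172810d076f1c63b9689d02ba50faff080f61b22c85256d4db2c87a572ed",  # second Roaming copy, win7
    "a870a29edc76af9a7c487ecac88ab8f0e6f3697246c90aba93c28d82118d3771",  # SysWOW64 copy, win10
    "fba7e52179052b3330552ef566dd4a98f57cbdfe28d76e85a0d6361c64394021",  # second Roaming copy, win10
}

C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}  # resolved in the win7 run

# omsecor.exe directly under %APPDATA% or under the system directory.
# System32 is accepted alongside SysWOW64: the 32-bit sample launched the
# copy with a System32 command line that WOW64 redirects to SysWOW64.
DROP_PATH_RE = re.compile(
    r"^C:\\(?:Users\\[^\\]+\\AppData\\Roaming|Windows\\(?:SysWOW64|System32))\\omsecor\.exe$",
    re.IGNORECASE,
)


def _norm_domain(name: str) -> str:
    """Lower-case and drop a trailing dot so 'LOUSTA.NET.' matches."""
    return name.rstrip(".").lower()


def match_event(event: dict) -> List[str]:
    """Return the indicator tags an event hits, in a fixed order (empty if clean)."""
    tags: List[str] = []
    sha = (event.get("sha256") or "").lower()
    if sha == SAMPLE_SHA256:
        tags.append("sample_hash")
    elif sha in DROPPED_SHA256:
        tags.append("dropped_copy_hash")
    # path = acting/new process image, target = file written, parent_path = parent image
    for key, tag in (("path", "omsecor_image"), ("target", "omsecor_written"),
                     ("parent_path", "omsecor_parent")):
        if DROP_PATH_RE.match(event.get(key) or ""):
            tags.append(tag)
    if _norm_domain(event.get("query") or "") in C2_DOMAINS:
        tags.append("c2_domain")
    if event.get("dst_ip") in C2_IPS:
        tags.append("c2_ip")
    return tags


def scan(events: Iterable[dict]) -> Dict[int, List[str]]:
    """Map the index of every matching event to its tags; clean events are omitted."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        tags = match_event(ev)
        if tags:
            hits[i] = tags
    return hits


# Constructed telemetry mirroring the win7 process chain and network activity,
# plus two benign records that must not match.
SAMPLE_EVENTS = [
    {"type": "process_create", "path": SAMPLE_PATH, "sha256": SAMPLE_SHA256,
     "parent_path": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "path": SAMPLE_PATH,
     "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "process_create", "path": r"C:\Windows\System32\omsecor.exe",
     "sha256": "032431f8729ebb7701cd1f97af441366c7c2f7000b4b92b2eb72ea8adda55399",
     "parent_path": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "dns_query", "path": r"C:\Windows\SysWOW64\omsecor.exe", "query": "lousta.net."},
    {"type": "network_connect", "path": r"C:\Windows\SysWOW64\omsecor.exe",
     "dst_ip": "193.166.255.171", "dst_port": 80},
    {"type": "process_create", "path": r"C:\Windows\System32\svchost.exe", "sha256": "0" * 64},
    {"type": "dns_query", "path": r"C:\Windows\System32\svchost.exe", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["type"], tags)
```

When adapting this to real telemetry, map the event source's own field names onto path/target/parent_path and keep the path and domain checks even if the hash set is dropped; the per-run hash differences above mean a hash-only rule would miss the next detonation of the same family.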