Analysis Overview
SHA256
493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c
Threat Level: Known bad
The file 493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-15 21:15
Signatures
Neconyd family
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 21:15
Reported
2024-08-15 21:18
Platform
win7-20240729-en
Max time kernel
133s
Max time network
142s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe
"C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 25dfb5ffb4b65913b693787c80019599 |
| SHA1 | 48da9b32544b1aadebae70bbb88ff26b803c937a |
| SHA256 | 0e283f4b9a92ab14dfd2140e810ba8182611071df34db134ff1d85f55d95e8be |
| SHA512 | 5cbe30bc1d148233a8b5936370e91546501969e01cebd65d810a00238e5bec685828da8544fdfb1c8a2cbf3cb322cce311624d073291bb21ce56c28083342eb5 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 51ff2494486dcbe4754a65adf1258e4e |
| SHA1 | bbfafd173d72651b0dd1b570ea43377661b5dcad |
| SHA256 | 219acb486dc9d6e369872cc6f6ebc75f53aaf9012b9ee54d4e1f400e55e2aaab |
| SHA512 | f8184b726b752646738db48b056495d419f7d1ac9b7b2f9643ce5b7c41ffaf98721897f2a9b6c1bfc4e38d5b8a50b75e7c2688f184f9e96197c73ee5f0323fbe |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | dc88d6640584927ebe2b90018c6bac06 |
| SHA1 | e1ab575e40a00b6525db1f3f8f1e4eec465aed7c |
| SHA256 | b6d53e578ab0f48f2551e33a876a094e8e2f31ae14d532b25a87abbd56cd8112 |
| SHA512 | 533ec621de81ea029c7fbdfeaaf4e226d0a884abfa7bb4a8426f3c704a58dd7ca24e9b2386e91fe566bd72fe655e6fb088611b4de5dc432826415e1ed81be78e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 21:15
Reported
2024-08-15 21:18
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe
"C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 25dfb5ffb4b65913b693787c80019599 |
| SHA1 | 48da9b32544b1aadebae70bbb88ff26b803c937a |
| SHA256 | 0e283f4b9a92ab14dfd2140e810ba8182611071df34db134ff1d85f55d95e8be |
| SHA512 | 5cbe30bc1d148233a8b5936370e91546501969e01cebd65d810a00238e5bec685828da8544fdfb1c8a2cbf3cb322cce311624d073291bb21ce56c28083342eb5 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 5ed7717bc67af3786ee1973353e2d91b |
| SHA1 | 46593af3e8b1ef48dbb635d03cf83dd5a97972cd |
| SHA256 | 8541bdee6c5293cbe16ee8a143d25081ce1c2c7858007e8346accc9e06f6ba99 |
| SHA512 | 45b49681a8c6d1455ca3e8cb2fdf5677ccb497bd0a011540c510dbe589864e7ff866a030f78756957338876a70bfcf44492011a04335ced5d951f61b6c0ded83 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c18d17fb5479d3954a794d572a34a64e |
| SHA1 | bb9f8570958d24dad2588962953901e0102b0034 |
| SHA256 | bc47281bed4a69ef7f10dea81d916837f366d233b5d0746b2da75db97a0bd0aa |
| SHA512 | df33f5e67521d82936e3362fa9165a80b2a03d0bf8eb277228b27f585b1da0148143ba3a2cf809c9d4390dd843e282964a3a68862d166202d876a4e906b07d26 |