Analysis Overview
SHA256
6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191e
Threat Level: Known bad
The file 6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| --- | --- |
| Reported | 2024-11-09 20:29 |
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-11-09 20:29 |
| Reported | 2024-11-09 20:31 |
| Platform | win7-20240903-en |
| Max time kernel | 114s |
| Max time network | 122s |
| Command Line | |
Signatures
Neconyd
Neconyd family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
"C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 742f951e0d4649cfc7eeeaa0714c45db |
| SHA1 | 705766e428dd9857cca007341208fcbe4de97406 |
| SHA256 | 36e8e9c06ec343c394c74b02424bed471f506d9890c61f00b0bd914f6f36369c |
| SHA512 | af75ac7c4fdf36d8fc5b7fe74985e60274d34210e936a72ae5ff70b9be8beb6bc1eb1fecda0f54a8b5bfb99e7989f16e4035ade220245d2e7b554d8972dd9302 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 3bde8b0b4241659ae0409ab65892c69a |
| SHA1 | d1d7ec3aa4f106ba3388d5b1b428d676855bb154 |
| SHA256 | ac9615b4ba6cccf7cb97d42053300aa53761f4d29b1723c05a559aad91f83a7d |
| SHA512 | 507b6819f556a19c7184d409bddeeb0a8bcfc2c93863cbc379911bf164bb15af475c9488f46c19263d22d6caf30161b260328c1ba47729ec60be3711eadcc628 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | bc39a6d0fc4d805af6d57329e7e9f3e1 |
| SHA1 | d3af67bdf4920abc78801a6aa45716996770e010 |
| SHA256 | 33ad5b64575f9d8b13f79ccefacd86687150d18ef11f0b9403667f9edbdfa063 |
| SHA512 | ce5451f5693e8716afb3a875083b5efd62d87f548797228bd798a085c752cbc12594d5f4ff685bb00b6d7b8a6ebcf82442046168ebc37ae15332eed0cdea1530 |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-11-09 20:29 |
| Reported | 2024-11-09 20:31 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 115s |
| Max time network | 128s |
| Command Line | |
Signatures
Neconyd
Neconyd family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
"C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 145.243.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 742f951e0d4649cfc7eeeaa0714c45db |
| SHA1 | 705766e428dd9857cca007341208fcbe4de97406 |
| SHA256 | 36e8e9c06ec343c394c74b02424bed471f506d9890c61f00b0bd914f6f36369c |
| SHA512 | af75ac7c4fdf36d8fc5b7fe74985e60274d34210e936a72ae5ff70b9be8beb6bc1eb1fecda0f54a8b5bfb99e7989f16e4035ade220245d2e7b554d8972dd9302 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 74b04dd7cd457509b84aab0bcc1fb37f |
| SHA1 | f045ff0b91a6a5f58c2831d2643d22a6328e4a5a |
| SHA256 | b867266c03a7cf0ace295dc90136467601f42a6aea42fe6b9dd7d5c92e1e1b5b |
| SHA512 | 6b499607fd2453a2ebf315e6fdb9f2711277c4a1b80eda9135173604620d6427cd47658e0d5a76f9c34263f99b1b6f18d468b3f50dd2300e16bb2380b9b65e08 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | bb8775c5de7533b0643f51759a4fdc3f |
| SHA1 | ec9bc76c3ddea21aa4b360233c4319eed87c787e |
| SHA256 | 42b16fe6fd50031dfb46cd6e85e30c36dafa0ca1a6706642e9f96facaddfbbf4 |
| SHA512 | 5239a539869dc2319c80932b3e157fd2b082f94297fe83e0acb772e925bdf5beeb0fed95ea00bf2a2e60b0f3ecc06f894a998f926a396ce5a3baf31b36802e3a |