Analysis Overview
SHA256
2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f
Threat Level: Known bad
The file 2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 04:49
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 04:49
Reported
2024-06-10 04:55
Platform
win7-20240221-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe
"C:\Users\Admin\AppData\Local\Temp\2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b35b62c9b709d516c0c1f2a33dc6a138 |
| SHA1 | e89247b1ebe4cb7080db0bacea491fa7dbf237da |
| SHA256 | f30eee431defa81a149a44bef4f0cce289190d8ff70c67ccaf8cbdf99666cb10 |
| SHA512 | 2fc63edf3fb081cc3772a3ba9fb822b6959544713edd4facda45475e9d48b40a1512b73d43fa73b6f20f85646c5aa407442a52f7fa4134ec9bd0d2c2cd0f3329 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 131fe746874873d7b2a6279a5067a2e4 |
| SHA1 | 8c99481f19c15f83a4c5e0dc03fc199a14228d28 |
| SHA256 | 87019b02a1cfb29e6574a9039bbaac27ff3a8e581155914d0ef4abe69ed056fe |
| SHA512 | 7ca4e91a2d7414242bcb6b2a2f02eeb847411ad93e0719bd432b6e1483bf3b4c86bc6d2c4604b2e4bff66819177ab52d40de7ec0b21c2c4b3f276b8f3d71a43e |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 9691e40837a6f824cd8532718b1038ae |
| SHA1 | 72b72d453c9737adf0eaad864c036cebc80758a2 |
| SHA256 | 50db56c9e68e244fad4d4fcc8d4561a2c0bd72c61c6597527b640d8c14898e2e |
| SHA512 | 9c8ac149e88afdd23dd89222bbe14014dde68dfbfcf2ba7dccd4a9da034af40ef4aa05ab99bffe0ea6ef719783c2994a06fa2c1cf416dcc079685000ed6f2797 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 04:49
Reported
2024-06-10 04:55
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe
"C:\Users\Admin\AppData\Local\Temp\2881d0b1f21dba86c8663c988b715c9744c6360ae364809356245ecddcc6978f.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.255.166.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b35b62c9b709d516c0c1f2a33dc6a138 |
| SHA1 | e89247b1ebe4cb7080db0bacea491fa7dbf237da |
| SHA256 | f30eee431defa81a149a44bef4f0cce289190d8ff70c67ccaf8cbdf99666cb10 |
| SHA512 | 2fc63edf3fb081cc3772a3ba9fb822b6959544713edd4facda45475e9d48b40a1512b73d43fa73b6f20f85646c5aa407442a52f7fa4134ec9bd0d2c2cd0f3329 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | da8cc74b924ecea8f8a886c91f6344cd |
| SHA1 | f47bc797731cea801d12c75e754d59579c35d564 |
| SHA256 | 0d7fa6d56a604707d521ffcb66945e342acee8df06ce23321226e682fc0bd200 |
| SHA512 | fe6ce8cc50d1a9bfb71f6ac17de0454b515fab1511b4b0ddf2e31fd364020ef3a8b72753608a03398c75f51fd35140ed03df4b9f03019b0b71473100d4d0c4d8 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4a280581dcd4af788580c2042f34b3d4 |
| SHA1 | 537c91f4ca7a42741cc17e87951eac353296059e |
| SHA256 | e7b9c61e9ec14b3531371193b0d06bbad94703bb69a790bba9ee63c5e23cec42 |
| SHA512 | af81a41003b9630295d76eb82ed95fc94c631d45bbaedb7e6377ad26ef025142cc59b35936f07a6ca5c4b76117358cf54c6d4ff09cf373e3872f517d3257f4a5 |