Malware Analysis Report

2024-09-11 08:36

Sample ID 240609-1lyecsfc9x
Target 099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd
SHA256 099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd

Threat Level: Known bad

The file 099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Detects executables built or packed with MPress PE compressor

Neconyd

Detects executables built or packed with MPress PE compressor

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 21:47

Signatures

Detects executables built or packed with MPress PE compressor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 21:44

Reported

2024-06-09 22:04

Platform

win7-20240221-en

Max time kernel

84s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe"

Signatures

Neconyd

trojan neconyd

Detects executables built or packed with MPress PE compressor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2420 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 2420 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 2420 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 2420 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 2420 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 2420 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe
PID 1400 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1400 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1400 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1400 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3040 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3040 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3040 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3040 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3040 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3040 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2588 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2588 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2588 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2588 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2436 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2436 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2436 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2436 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2436 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2436 wrote to memory of 2644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2644 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2644 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2644 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2644 wrote to memory of 1532 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1532 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1532 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1532 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1532 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1532 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1532 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe

"C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe"

C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe

C:\Users\Admin\AppData\Local\Temp\099817e2325f7d0fa8ac7ec210fbed44df2c83fbb11a22271a45d2066304cacd.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2420-0-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1400-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2420-7-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dc4a6518619f10e3468bb9de4184f126
SHA1 59c0c21982fd8f4e81eb31c8046de4afc6ef06df
SHA256 1862344f30d972f7ad6efc373c0857941dce1da672ea63afae2bb18df5e1d544
SHA512 4de77029a1f1132a88a75589e6f08c11236de21b7d918fb5d01a91fdf7e154955e8e10bca1b4214340b3dd7b90e4cf46c51f5ec698e80371b4f08becfabe1406

memory/3040-21-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3040-31-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1400-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1400-11-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1400-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1400-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2588-34-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2588-40-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2588-43-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2436-56-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 9e377fa6464ab57d50901235edfc44b6
SHA1 192f4d4922ce8216ca5e4db69fc374bec9fe0677
SHA256 c69d8ee935bb082666f07ce962f85df544741acc85b4d4305dbc79cf0217e8b8
SHA512 c01cec202db828d777a53d530b8c7c6b032c7b25a013cd9d9c4c859a90222e277d040e7351fe490f3f5947df7a746c89217fd24d1d15f384c8ca655cbc5e5c45

memory/1532-87-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1532-80-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2644-78-0x00000000003C0000-0x00000000003E3000-memory.dmp

memory/2644-76-0x00000000003C0000-0x00000000003E3000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 0bda56d045f3941600e707822542d425
SHA1 9febd4a73b189786d3088a8f7eea2c6d5d992fcd
SHA256 326774eb1c93fd10282319ffa6bb9f33e11507cdf1e368756b837ef31ff4386e
SHA512 d599d594432dadf084faec0af637f881e1f2ec429496c5091503af81a600568b1f38c42817b7c2d2b48af5383f035139ab137aa800c2cde3f23002c67de81b67

memory/2436-64-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2588-54-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2588-46-0x00000000002A0000-0x00000000002C3000-memory.dmp

memory/2072-90-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2072-93-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Reported

0001-01-01 00:00

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A