Analysis Overview

score

10^/10

SHA256

ad73863dc9726bbe6cf6c7d2433f9cde1896d8198a51e7e03f3cf1ec26f78929

Threat Level: Known bad

The file 6dadb6fc1f598dfc9ebb7aa087046b40.bin was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 02:30

Signatures

Neconyd family

neconyd

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 02:30

Reported

2024-06-09 02:33

Platform

win7-20231129-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 3004 wrote to memory of 2872	N/A	C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3004 wrote to memory of 2872	N/A	C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3004 wrote to memory of 2872	N/A	C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3004 wrote to memory of 2872	N/A	C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2872 wrote to memory of 1112	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2872 wrote to memory of 1112	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2872 wrote to memory of 1112	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2872 wrote to memory of 1112	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 1112 wrote to memory of 2372	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1112 wrote to memory of 2372	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1112 wrote to memory of 2372	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1112 wrote to memory of 2372	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe

"C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	52.34.198.229:80	ow5dirasuek.com	tcp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	096514828731d6b4e1ca1eefd56a2fc5
SHA1	9bfa57e952573f2fdbcd6b9467f8c467fde73ccb
SHA256	569fce08924a54f440efbe7edb1535f08e87987f35e52d85dd8fa850c5050f4e
SHA512	b966e5c7de921f5fae9ea0bb252278be06f92a0396c9b3382ce6383d793f682d50163fa965517c8e88f9cb0774b249981c73ac7ed8c915f11e1afc3c253917c4

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	ed05fe3ec29dc8f402abb65cd8838a23
SHA1	2b7bbba9a583cb594223d69524716f4d4af5750b
SHA256	e72ecc2ba753e6b80e3c3472dfade45e8a740094a630cf7763bfe00637cf8b51
SHA512	9501fca9c4f673e105df9c69b2922fdf6e1458e761cc5ffb46b8041e72914bcb76c9e1ad69681995dcc10d61c31abe603650c1f8eada1cfc387ab929d7fa2000

C:\Windows\SysWOW64\omsecor.exe

MD5	e516caff2319609d57de70de4c7b5d8e
SHA1	8bb646a2f0ee0198fcfd1beeb2ef408dc27d802f
SHA256	9697455c5c1b4629334e1f218a8d4d9e45cef06e158717af8b58041685dcfcfb
SHA512	7894ace3e6b96af5b63c11802bb4b71311f7d9d96b49c90927f3ff69125c4bf637e4ca287caf904648e29e42154d9e119775618db8576371676550f9e1a16230

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 02:30

Reported

2024-06-09 02:33

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2676 wrote to memory of 4972	N/A	C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2676 wrote to memory of 4972	N/A	C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2676 wrote to memory of 4972	N/A	C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4972 wrote to memory of 3564	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 4972 wrote to memory of 3564	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 4972 wrote to memory of 3564	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 3564 wrote to memory of 344	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3564 wrote to memory of 344	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3564 wrote to memory of 344	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe

"C:\Users\Admin\AppData\Local\Temp\6dadb6fc1f598dfc9ebb7aa087046b40.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	13.86.106.20.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	95.221.229.192.in-addr.arpa	udp
US	8.8.8.8:53	104.219.191.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	86.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	18.31.95.13.in-addr.arpa	udp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	144.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	73.91.225.64.in-addr.arpa	udp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	52.34.198.229:80	ow5dirasuek.com	tcp
US	8.8.8.8:53	229.198.34.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	203.107.17.2.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	096514828731d6b4e1ca1eefd56a2fc5
SHA1	9bfa57e952573f2fdbcd6b9467f8c467fde73ccb
SHA256	569fce08924a54f440efbe7edb1535f08e87987f35e52d85dd8fa850c5050f4e
SHA512	b966e5c7de921f5fae9ea0bb252278be06f92a0396c9b3382ce6383d793f682d50163fa965517c8e88f9cb0774b249981c73ac7ed8c915f11e1afc3c253917c4

C:\Windows\SysWOW64\omsecor.exe

MD5	eb108ba62c2229657f9efbb2c1135111
SHA1	c95f25226d905d6354e42ea8e7b5b386a9c52a30
SHA256	23ce87543fb609b8a1e3bd1739a353017bd3cab78be40239d5798c35d5ccd369
SHA512	7c0d2ead9f7e9ae50a1f9cdcbca7f54dbd8ce40984caba12119b0dd0fcff61f7f536d2c92986d020adf8a69505b8a6ef2ccb6a8678df53fbb0fbf5f860cf4ce2

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	bb825a818153d363cf75b3767d5c2d54
SHA1	e7bf70d244f140b6fc5ba155e67c831abae52b72
SHA256	d1b7fb60b63d00369dc42e35878bde73a1d3ee43d1843b73946c1ce6f3127664
SHA512	7f154cb3eed3f53e22308f88bd529a451b8dff20283e2f57c8b2ceb3de22eb2096cde8e34357e5da92969fadc33e001356c82c99bdf8c58b02c346951d45283e

Sample ID	240609-czay8ach76
Target	6dadb6fc1f598dfc9ebb7aa087046b40.bin
SHA256	ad73863dc9726bbe6cf6c7d2433f9cde1896d8198a51e7e03f3cf1ec26f78929
Tags	neconyd trojan

Malware Analysis Report

2024-09-11 08:37

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files