Malware Analysis Report

2024-09-11 08:39

Sample ID: 240610-2x62batgnc
Target: 67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f
SHA256: 67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f

Threat Level: Known bad

The file 67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-10 22:58

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-10 22:58
Reported: 2024-06-10 23:01
Platform: win7-20240215-en
Max time kernel: 145s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1876 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1876 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1876 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1876 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2192 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2332 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2332 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2332 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2332 wrote to memory of 856 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f.exe

"C:\Users\Admin\AppData\Local\Temp\67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0b93f8471c2a9cdb37761f6fa62030d7
SHA1 27643a599b6fa41c3b19494d9f50659f3fa620f6
SHA256 cc45e24de7c77d7623f23de2838a4d650bdba3878f7bd2240a132f5919053d6d
SHA512 dbb50a65146bda7b08ae12a3b406b7ab2a317752d2c8c7a28b4c6f9041e910f65dce17d851567569a0ec5473792a31d480860cc23dd8a47f33cdbcfd47c7eb08

\Windows\SysWOW64\omsecor.exe

MD5 f1dbc1d577ac44f60fac9aa96e9774ce
SHA1 5d7cf13a53697a289db9f29620634bd6c3df9144
SHA256 d908c3b54eb058c70385b6606a81c10aa56836f30f839d5a44ec885d06fbf767
SHA512 da5381aca5d5cfcd8c5c283c61ddbe5315dd4d93e580891e49e43cf068fca3e711c276b9ca496b36c1347fea21aee6b968eddf10b5b87a7ae7feaf690a038978

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ca975018fb78cce64059c8b850b2327a
SHA1 7d9d639888634c8aa0d1fc3f2a2a950d7cf86fd6
SHA256 937138d040217108766b52cbb462a4f24a73af3f6cf42f5cae9c79a2feb84ab9
SHA512 c99a0acaca58b1da11d40dbdbd1201d2944267f89212aaf22e3887f8fd041bd25af53332d058aeef34aa1e6747f81cfae564de5b92e379be1e438c68e8bd96b5

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-10 22:58
Reported: 2024-06-10 23:01
Platform: win10v2004-20240508-en
Max time kernel: 142s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f.exe

"C:\Users\Admin\AppData\Local\Temp\67690b50d1b230c33d32822968f5d129c8bbefff48be3e91be13ac4ed005652f.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0b93f8471c2a9cdb37761f6fa62030d7
SHA1 27643a599b6fa41c3b19494d9f50659f3fa620f6
SHA256 cc45e24de7c77d7623f23de2838a4d650bdba3878f7bd2240a132f5919053d6d
SHA512 dbb50a65146bda7b08ae12a3b406b7ab2a317752d2c8c7a28b4c6f9041e910f65dce17d851567569a0ec5473792a31d480860cc23dd8a47f33cdbcfd47c7eb08

C:\Windows\SysWOW64\omsecor.exe

MD5 e6bb642a5cf88c8ba18d1c1b5cefe30e
SHA1 ebac6374ae8ac7f92ee1a907e9887ef41d906339
SHA256 838090dd40d8dbd2686dddf9e799813afb01c643b9c33377ebbdf4849e084a53
SHA512 12886ac50cd07fb453e6f1e3b2e9bc11073b9527cde74dcdc290a89bb3990c31d9ebdada6d01571a108808107f2a00ad33b57e335f2e6a73edc99880e17cc994

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 21314ca480557049db41ac6cd6a2d0fb
SHA1 bfe55001a767c3b314b4f0a97f625a3c8a50f407
SHA256 2e212e48a7f8d2febefb2a5a99658c326c5e99d36e970e0f6f4123a29ecbb59c
SHA512 273441b2bedbe7f6b5ce892883ed33e10e1fbf25cc1e0a0d7ae6598947d8574e46b699af7009511ba2287846c2721b0e4274b69eb3d7566797b270661955a2fd