Malware Analysis Report

2024-09-11 08:35

Sample ID: 240610-pb2s9aah54
Target: 528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356
SHA256: 528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356
Tags: neconyd, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356

Threat Level: Known bad

The file 528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-10 12:10

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-10 12:10
Reported: 2024-06-10 12:12
Platform: win7-20231129-en
Max time kernel: 146s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Calls logged
PID 2060 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 4
PID 2052 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe | 4
PID 1620 wrote to memory of 1180 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 4

The sandbox logged each row four times (one entry per WriteProcessMemory call); identical rows are collapsed here with a count. Read in order, the rows form a three-hop chain: the submitted sample (PID 2060) writes into the Roaming copy of omsecor.exe (PID 2052), which writes into the SysWOW64 copy (PID 1620), which in turn writes into a second Roaming instance (PID 1180). The report records the calls only, not the contents written.
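The chain above can be recovered mechanically from the table rows rather than by eye. The following is an added example and not part of the sandbox report: the row text is copied from the behavioral1 table, while the parsing, the graph walk and the function names (parse_rows, hop_counts, injection_chain) are this example's own. It refuses to flatten a branching or cyclic write graph into a single story, which matters when a sample spawns several children.

```python
"""Reconstruct the process-injection chain from WriteProcessMemory table rows.

Added example, not part of the sandbox report. Row text is copied from the
behavioral1 table; parsing and graph walk are this example's own code.
"""
import re
from collections import Counter

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356.exe")
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# The twelve rows of the report's table, constructed here verbatim: the sandbox
# logged four WriteProcessMemory calls for each of the three hops.
WPM_ROWS = (
    [f"PID 2060 wrote to memory of 2052 N/A {SAMPLE_EXE} {ROAMING}"] * 4
    + [f"PID 2052 wrote to memory of 1620 N/A {ROAMING} {SYSWOW64}"] * 4
    + [f"PID 1620 wrote to memory of 1180 N/A {SYSWOW64} {ROAMING}"] * 4
)

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"; the N/A is
# the report's empty Indicator column.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Parse each table row into (src_pid, dst_pid, src_image, dst_image)."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"row does not match the report format: {row!r}")
        events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def hop_counts(events):
    """Number of logged WriteProcessMemory calls per (src_pid, dst_pid) pair."""
    return Counter((src, dst) for src, dst, _, _ in events)


def injection_chain(events):
    """Walk the write graph from its root (the one PID never written to) and
    return [(pid, image), ...] in injection order. Raises if the graph is not
    one linear chain, so branching or cyclic logs are never silently flattened."""
    writes = {}   # src_pid -> set of (dst_pid, dst_image)
    images = {}   # pid -> image path as recorded in either column
    for src, dst, src_img, dst_img in events:
        writes.setdefault(src, set()).add((dst, dst_img))
        images[src] = src_img
        images[dst] = dst_img
    targets = {dst for dsts in writes.values() for dst, _ in dsts}
    roots = [pid for pid in writes if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {roots}")
    pid = roots[0]
    chain, seen = [(pid, images[pid])], {pid}
    while pid in writes:
        if len(writes[pid]) != 1:
            raise ValueError(f"PID {pid} wrote into several processes: {writes[pid]}")
        (pid, img), = writes[pid]
        if pid in seen:
            raise ValueError(f"cycle through PID {pid}")
        seen.add(pid)
        chain.append((pid, img))
    return chain


def basename(path):
    """Last component of a Windows path, for compact printing."""
    return path.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    evs = parse_rows(WPM_ROWS)
    for (src, dst), n in sorted(hop_counts(evs).items()):
        print(f"{src} -> {dst}: {n} WriteProcessMemory calls")
    print(" -> ".join(f"{pid} ({basename(img)})" for pid, img in injection_chain(evs)))
```

On the rows above this yields 2060 -> 2052 -> 1620 -> 1180 with four calls per hop. Adding a second target for any writer makes injection_chain raise instead of guessing, which is the behaviour you want when feeding it unfamiliar reports.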

Processes

Each process is listed as image path followed by its command line.

C:\Users\Admin\AppData\Local\Temp\528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356.exe
  "C:\Users\Admin\AppData\Local\Temp\528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is launched with a System32 path but its image resides in SysWOW64. This is consistent with WOW64 file-system redirection, which maps System32 to SysWOW64 for a 32-bit process on a 64-bit guest; it is the same file the "Drops file in System32 directory" signature records under C:\Windows\SysWOW64.

Network

Country | Destination | Domain | Proto | Rows
US | 8.8.8.8:53 | lousta.net | udp | 1
FI | 193.166.255.171:80 | lousta.net | tcp | 4
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp | 1
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp | 2
US | 8.8.8.8:53 | ow5dirasuek.com | udp | 1
US | 52.34.198.229:80 | ow5dirasuek.com | tcp | 1

Identical rows in the original log are collapsed; Rows is the number of times each entry appeared.

Files

In both behavioral runs the Roaming\omsecor.exe path is listed twice with different hashes: the file was written twice during the run, with different content each time.

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 94e3944e32d294eeeeb11b9707a49fbd
SHA1 26c8131437a4d0924374bdf6c071d896bfef09aa
SHA256 1fc14a98749d63975941737debc12cc19cf9637d48867017a788efef71c0c956
SHA512 e3443294c851a3142c1ab416681ca062b35e1d1ea759ecd1f05534e67b33a5a41937570c3c8d46e48eb124243126bc76da63920cd8ef278de929a2c1eabb4f1d

\Windows\SysWOW64\omsecor.exe

MD5 00ce2305a589ba3256a9d3dd302f972b
SHA1 b9e58f2bdb04e607c6b9fd906dd87afaec2e5698
SHA256 b8445153d1baffbc15f919a73f7902e0017240d35d94a050500ed30d774fd05c
SHA512 3210c322ef09269628430adc80d0c6382579430439a72933fd18469c4494faa891f8bb0a64c12aaa3ecf39b0a190c31bd9815a08fbb66d4c7d053d1b7fc945a1

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5a368bdd0b1bc414e11e4f8c5cbc2be6
SHA1 b339c7674cff2310c0904cc3b184a898f79c299c
SHA256 27d8fbcbca8cc13a5ddb00e27d3a5d501144533084ca89b169f84b83ead441cb
SHA512 c57c2257678693fa0eed9ba6c833ea96aeebd5e99a284c5cc9807eddc6bb42a6f720624862e94dd49c8f83d5df8fd76d7df8a2dacb091fd44f29aaf35d407c33

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-10 12:10
Reported: 2024-06-10 12:12
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

Each process is listed as image path followed by its command line.

C:\Users\Admin\AppData\Local\Temp\528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356.exe
  "C:\Users\Admin\AppData\Local\Temp\528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe
  (System32 command-line path, SysWOW64 image: WOW64 file-system redirection for a 32-bit process)

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto | Rows
US | 8.8.8.8:53 | lousta.net | udp | 4
US | 8.8.8.8:53 | ow5dirasuek.com | udp | 2
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp | 1

Identical rows in the original log are collapsed; Rows is the number of times each entry appeared. Only DNS lookups were recorded in this run; no TCP connections to the resolved hosts appear.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 94e3944e32d294eeeeb11b9707a49fbd
SHA1 26c8131437a4d0924374bdf6c071d896bfef09aa
SHA256 1fc14a98749d63975941737debc12cc19cf9637d48867017a788efef71c0c956
SHA512 e3443294c851a3142c1ab416681ca062b35e1d1ea759ecd1f05534e67b33a5a41937570c3c8d46e48eb124243126bc76da63920cd8ef278de929a2c1eabb4f1d

C:\Windows\SysWOW64\omsecor.exe

MD5 61d12916d2d0629eca8e6a916525ccef
SHA1 f9486af5af0597a31175e6d2ab2f48e02c3de1e7
SHA256 b8f40cc06ba516b3409656979dcf2cfdad7c1d7c286d9f077812c8c1cd0caf76
SHA512 6f9ee3420de9ca2090bbe74629e6c2dd674d057baf15fd16be7d10351f7d17124aa76b0f2a3faa617ccf8033ede6feb5446c891c278494ad5af03698ae4e20ea

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 02e53bbec474fb84b1ded47d93beca93
SHA1 7dce4c54655422ec0b85635846462b6406f2d955
SHA256 491061c555d93b41808fa63d074758e8473bbad6f467bc86b348b26c0d38d5fb
SHA512 ef57fefed69a2db58f91138ae7b5823718868475b10560527c6659d60089b18c199d28ce869b552ce9074b8b01ec8956fa721112f43d5fdef6a80f9f8d363e2d
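The two detonations give a useful check on which indicators survive across runs. The following is an added example and not part of the sandbox report: the hashes, paths, domains and IP endpoints are copied from the behavioral1 and behavioral2 sections above, the labels "first write" and "second write" assume the two Roaming\omsecor.exe entries are listed in the order they were written, and the comparison functions (hash_stability, stable_sha256s, network_iocs) are this example's own.

```python
"""Compare dropped-file hashes and network indicators across the two runs.

Added example, not part of the sandbox report. Indicator values are copied
from the report; labelling of the two Roaming\omsecor.exe entries as first and
second write is an assumption about listing order.
"""

SAMPLE_SHA256 = "528e282816049332910b3e75887beb188e287b494dc0d5da3702513ba7b1f356"

RUNS = {
    "behavioral1 (win7)": {
        "files": {
            r"Roaming\omsecor.exe (first write)":
                "1fc14a98749d63975941737debc12cc19cf9637d48867017a788efef71c0c956",
            r"SysWOW64\omsecor.exe":
                "b8445153d1baffbc15f919a73f7902e0017240d35d94a050500ed30d774fd05c",
            r"Roaming\omsecor.exe (second write)":
                "27d8fbcbca8cc13a5ddb00e27d3a5d501144533084ca89b169f84b83ead441cb",
        },
        "dns": {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"},
        "tcp": {("lousta.net", "193.166.255.171", 80),
                ("mkkuei4kdsz.com", "64.225.91.73", 80),
                ("ow5dirasuek.com", "52.34.198.229", 80)},
    },
    "behavioral2 (win10)": {
        "files": {
            r"Roaming\omsecor.exe (first write)":
                "1fc14a98749d63975941737debc12cc19cf9637d48867017a788efef71c0c956",
            r"SysWOW64\omsecor.exe":
                "b8f40cc06ba516b3409656979dcf2cfdad7c1d7c286d9f077812c8c1cd0caf76",
            r"Roaming\omsecor.exe (second write)":
                "491061c555d93b41808fa63d074758e8473bbad6f467bc86b348b26c0d38d5fb",
        },
        "dns": {"lousta.net", "ow5dirasuek.com", "mkkuei4kdsz.com"},
        "tcp": set(),   # the report shows DNS lookups only for this run
    },
}


def hash_stability(runs):
    """For each dropped-file label: 'stable' if every run recorded the same
    SHA256, otherwise 'varies'. A hash that changes per detonation is a weak
    pivot for detection or hunting."""
    labels = set().union(*(r["files"] for r in runs.values()))
    result = {}
    for label in labels:
        hashes = {r["files"].get(label) for r in runs.values()}
        result[label] = "stable" if len(hashes) == 1 and None not in hashes else "varies"
    return result


def stable_sha256s(runs):
    """SHA256 values seen in every run, plus the submitted sample's own hash."""
    per_run = [set(r["files"].values()) for r in runs.values()]
    return set.intersection(*per_run) | {SAMPLE_SHA256}


def network_iocs(runs):
    """Domains resolved in any run and the ip:port endpoints actually contacted."""
    domains = set().union(*(r["dns"] for r in runs.values()))
    endpoints = {f"{ip}:{port}" for r in runs.values() for _, ip, port in r["tcp"]}
    return domains, endpoints


if __name__ == "__main__":
    for label, status in sorted(hash_stability(RUNS).items()):
        print(f"{status:7} {label}")
    print("hash IOCs usable across runs:", *sorted(stable_sha256s(RUNS)))
    domains, endpoints = network_iocs(RUNS)
    print("domains:", *sorted(domains))
    print("endpoints:", *sorted(endpoints))
```

The result is that only the first-stage drop (1fc14a98...) is byte-identical in both runs; the SysWOW64 copy and the re-written Roaming copy carry a different hash in each detonation. The report does not say why they differ, only that they do, so for detection prefer the stable hash, the path pattern (an unsigned omsecor.exe in both Roaming and SysWOW64, i.e. a user-writable drop promoted into a system directory) and the three domains over the per-run hashes.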