Malware Analysis Report

2024-09-11 08:33

Sample ID 240610-qwysrsyaqn
Target 73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5
SHA256 73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5

Threat Level: Known bad

The file 73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 13:37

Signatures

Neconyd family

neconyd

Unsigned PE

No indicator details recorded for the static signatures.

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 13:37

Reported

2024-06-10 13:39

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

Process image: C:\Users\Admin\AppData\Local\Temp\73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5.exe"

Process image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Process image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Process image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Note: the third process is launched with a System32 path but its image runs from SysWOW64. That is WOW64 file-system redirection, which maps System32 to SysWOW64 for a 32-bit process, and it is why the file created by the second stage is recorded under C:\Windows\SysWOW64 in the signature table above even though the sample addresses it as System32.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 52.111.229.43:443 | (none recorded) | tcp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c3bd0b740db3ef139a18009c16985230
SHA1 56af4cbdefa90be161dac56c9686d9b2cccfd360
SHA256 9be7a1961ff94f5db0df8fa67ebd6359def2e8ddfe4ed6f4c96eaf5e62752790
SHA512 0e6ba9e557fa227bce9b56a7fa46d8097c51aa0000485004650337e79c6b646aaf00d95d6d3ff23541cd9290a5e739dc1b61a04edf2e0e152b922f98bec1ac8d

C:\Windows\SysWOW64\omsecor.exe

MD5 c3f1831467d643f2a159b0b234eb1587
SHA1 ef736e5956aef3603d765075afaa4de5ea86e67d
SHA256 b13e791839ef9df649fdafb2c2473aa5b48cd17a1a4c48cebc74b2054907cbad
SHA512 863ad2de7af80d08682eb2cdb1f134c7e70445112b357f9be1175690a0c9268a1471870e11ae00165cfc5eff9eab584b89092e4aed5253cd827cd5ae931f3f08

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d468286b4ab00416fbfd2c6710139318
SHA1 5a8ceec0d82ad6860028990db542375c6c800352
SHA256 8fcb56ce10589ee0fe7df87b63204f76eed8532a6977d2acab2a22ce4358d89b
SHA512 47bfa7bf560c7a775016307dbaac2cae57bf2d372fa5902f1fe36083b9031ad319e80bc80832e1a151f51df5863d3c63e38574afc19c8f4bd439340771a6d890

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 13:37

Reported

2024-06-10 13:39

Platform

win7-20240221-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1812 wrote to memory of 2932 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2932 wrote to memory of 2964 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2964 wrote to memory of 2812 (4 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Each writer is the process that launched its target (sample -> Roaming\omsecor.exe -> SysWOW64\omsecor.exe -> Roaming\omsecor.exe, matching the Processes list below), so the writes follow the launch chain. The report records that the writes happened but not what was written or why, so on its own it does not distinguish ordinary parent-to-child writes made during process creation from code injection into the child.
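As an added example, not part of the report or the sandbox's own tooling, the following Python script turns the twelve WriteProcessMemory rows above into a writer-to-target chain. It parses the rows in the form the report prints them, counts events per writer/target pair, follows the edges from the one process nobody wrote into, refuses to flatten anything that is not a simple chain (a process writing into several targets, or a cycle), and lists image paths that were re-executed under a new PID. The row text is reconstructed from the table above; the function and variable names are this example's own.

```python
"""Reconstruct the process chain behind 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the report. The rows are rebuilt from the
behavioral1 signature table. The sandbox records each write but not what
it was for, so this shows who wrote into whom, not whether the write was
part of process creation or an injection.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Rows as the report lists them: four identical writes per writer/target pair.
ROWS = (
    [f"PID 1812 wrote to memory of 2932 N/A {SAMPLE} {ROAMING}"] * 4
    + [f"PID 2932 wrote to memory of 2964 N/A {ROAMING} {SYSWOW}"] * 4
    + [f"PID 2964 wrote to memory of 2812 N/A {SYSWOW} {ROAMING}"] * 4
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_writes(rows):
    """Return one dict per row: writer PID/image and target PID/image."""
    writes = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, _indicator, src_image, dst_image = m.groups()
        writes.append({"src": int(src), "dst": int(dst),
                       "src_image": src_image, "dst_image": dst_image})
    return writes


def write_counts(writes):
    """Number of writes per (writer PID, target PID); the report repeats a row per event."""
    return Counter((w["src"], w["dst"]) for w in writes)


def launch_chain(writes):
    """Follow writer -> target edges from the root (a PID nobody wrote into).

    Returns [(pid, image), ...] in order. A PID that writes into more than one
    target, or a cycle, is reported as an error rather than silently flattened.
    """
    images, children = {}, {}
    for w in writes:
        images[w["src"]] = w["src_image"]
        images[w["dst"]] = w["dst_image"]
        children.setdefault(w["src"], set()).add(w["dst"])
    targets = {w["dst"] for w in writes}
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain, pid, seen = [], roots[0], set()
    while pid is not None:
        if pid in seen:
            raise ValueError("cycle in write graph")
        seen.add(pid)
        chain.append((pid, images[pid]))
        nxt = children.get(pid, set())
        if len(nxt) > 1:
            raise ValueError(f"PID {pid} wrote into several targets: {sorted(nxt)}")
        pid = next(iter(nxt)) if nxt else None
    return chain


def relaunched_paths(chain):
    """Image paths that occur more than once in the chain (re-executed under a new PID)."""
    counts = Counter(image for _, image in chain)
    return {image for image, n in counts.items() if n > 1}


if __name__ == "__main__":
    ws = parse_writes(ROWS)
    for pid, image in launch_chain(ws):
        print(pid, image)
    print(write_counts(ws))
    print(relaunched_paths(launch_chain(ws)))
```

For this report the chain comes out as 1812 -> 2932 -> 2964 -> 2812 with four writes per edge, and Roaming\omsecor.exe is the one image that runs twice.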

Processes

Process image: C:\Users\Admin\AppData\Local\Temp\73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\73918f934cdc8059c570e5a3a11c6a929429b5cd4bde8f381092685b1a4112b5.exe"

Process image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Process image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Process image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Note: as in the Win10 run, the third process is launched with a System32 path but runs from SysWOW64, the result of WOW64 file-system redirection mapping System32 to SysWOW64 for a 32-bit process.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
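As an added example, not part of the report or the sandbox's own tooling, the following Python script triages the two Network tables (Win7 above, Win10 in behavioral2) into indicator classes. Lookups to the sandbox resolver 8.8.8.8:53 are treated as evidence that a domain was queried, not as indicators in themselves; connections that carry a domain are recorded as contacted endpoints; the one Win10 connection with no recorded domain (52.111.229.43:443) is set aside for manual review rather than added to the blocklist, since the report does not tie it to the sample's infrastructure. The script also makes visible that the Win10 run queried all three domains but contacted none, while the Win7 run reached all three over port 80. The row text is reconstructed from the tables, with "-" standing in for the empty domain cell; the names are this example's own.

```python
"""Triage a sandbox report's Network tables into indicator classes.

Added example, not part of the report. Rows are copied from the two
Network tables (behavioral1 = Win7, behavioral2 = Win10) as
'country destination domain proto'; "-" marks an empty domain cell.
"""
from collections import defaultdict

BEHAVIORAL1_WIN7 = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

BEHAVIORAL2_WIN10 = """\
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 52.111.229.43:443 - tcp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
"""

# The sandbox's DNS resolver: traffic to it shows what was queried, not where the sample went.
SANDBOX_RESOLVER = "8.8.8.8:53"


def parse_rows(text):
    """Parse 'country destination domain proto' lines; "-" becomes a missing domain."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        rows.append({"country": country, "dest": dest,
                     "domain": None if domain == "-" else domain, "proto": proto})
    return rows


def triage(rows):
    """Split one run's rows into queried domains, contacted endpoints and unattributed connections."""
    queried, contacted, unattributed = set(), defaultdict(set), set()
    for r in rows:
        if r["dest"] == SANDBOX_RESOLVER and r["proto"] == "udp":
            if r["domain"]:
                queried.add(r["domain"])
        elif r["domain"]:
            contacted[r["domain"]].add(r["dest"])
        else:
            # No domain recorded: could be platform noise or sample traffic; review by hand.
            unattributed.add(r["dest"])
    return {
        "queried": queried,
        "contacted": {d: sorted(eps) for d, eps in contacted.items()},
        "queried_not_contacted": queried - set(contacted),
        "unattributed": unattributed,
    }


def blocklist(*runs):
    """Domains and IP:port endpoints tied to the sample across runs; unattributed endpoints are excluded."""
    domains, endpoints = set(), set()
    for rows in runs:
        t = triage(rows)
        domains |= t["queried"] | set(t["contacted"])
        for eps in t["contacted"].values():
            endpoints |= set(eps)
    return {"domains": sorted(domains), "endpoints": sorted(endpoints)}


if __name__ == "__main__":
    for name, text in (("win7", BEHAVIORAL1_WIN7), ("win10", BEHAVIORAL2_WIN10)):
        print(name, triage(parse_rows(text)))
    print(blocklist(parse_rows(BEHAVIORAL1_WIN7), parse_rows(BEHAVIORAL2_WIN10)))
```

The blocklist deliberately keeps domains even from the run where they were only queried: the query itself is the sample's behaviour, whereas a resolved IP is only worth blocking once the report shows traffic to it.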

Files

The first-stage drop at \Users\Admin\AppData\Roaming\omsecor.exe has the same hashes in this Win7 run as in the Win10 run above (SHA256 9be7a1961ff94f5db0df8fa67ebd6359def2e8ddfe4ed6f4c96eaf5e62752790). The SysWOW64 copy and the second Roaming copy differ between the two runs and from each other, so only the first-stage hash is a dependable file-hash indicator; for the later stages the path and filename are what stays constant.

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c3bd0b740db3ef139a18009c16985230
SHA1 56af4cbdefa90be161dac56c9686d9b2cccfd360
SHA256 9be7a1961ff94f5db0df8fa67ebd6359def2e8ddfe4ed6f4c96eaf5e62752790
SHA512 0e6ba9e557fa227bce9b56a7fa46d8097c51aa0000485004650337e79c6b646aaf00d95d6d3ff23541cd9290a5e739dc1b61a04edf2e0e152b922f98bec1ac8d

\Windows\SysWOW64\omsecor.exe

MD5 3a2561a8bacc47d714a7f4462e7b1aeb
SHA1 d6ba1f337bd2da96b4074ae9c12c7d56ad4ef796
SHA256 ce3d42ad0514db64e0dee76c299cd11cba77ea475f7a70492596c19ee0d4c38a
SHA512 5bef28f917f1462f74b406e84ef9119f810a2ae263957e896edd854fa0195b4a50002f727b7ef9cc045e6ad51f3cec88e5fa88d7b4e12de48814cf9e729bf49b

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 68361e312d815ffa1ce1b2bab1282b48
SHA1 e1fd6cbd758db48abdb8c492ed692c9e2ba57fc6
SHA256 7161d3d96ed1ec754509b5f03822909ad74eb806a570185cb4f1b02d8cefc9a8
SHA512 7b6f5bbd6fb899a03394a3778311155aa3bbf8952273a0e17cca3d9c175831a9dd918c541167095c5d28a8de68dfe5fcdac7b6cf83f7eabfdfa2f4ffdb9f8f19
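As an added example, not part of the report or the sandbox's own tooling, the following Python script compares the dropped-file hashes from the two Files sections (Win10 in behavioral2, Win7 in behavioral1). It lines the drops up by path and by occurrence (the same path is written twice per run), normalises away the drive letter that the Win7 listing omits, and separates hashes that reproduce across detonations from those that do not, so that only reproducible hashes are emitted as file-hash indicators while the paths are emitted as filename/path indicators. The SHA256 values are the report's; the names are this example's own.

```python
"""Compare dropped-file hashes across two detonations of the same sample.

Added example, not part of the report. SHA256 values come from the Files
sections of behavioral2 (Win10) and behavioral1 (Win7), in the order the
report lists them.
"""

WIN10 = [
    (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "9be7a1961ff94f5db0df8fa67ebd6359def2e8ddfe4ed6f4c96eaf5e62752790"),
    (r"C:\Windows\SysWOW64\omsecor.exe",
     "b13e791839ef9df649fdafb2c2473aa5b48cd17a1a4c48cebc74b2054907cbad"),
    (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "8fcb56ce10589ee0fe7df87b63204f76eed8532a6977d2acab2a22ce4358d89b"),
]

WIN7 = [
    (r"\Users\Admin\AppData\Roaming\omsecor.exe",
     "9be7a1961ff94f5db0df8fa67ebd6359def2e8ddfe4ed6f4c96eaf5e62752790"),
    (r"\Windows\SysWOW64\omsecor.exe",
     "ce3d42ad0514db64e0dee76c299cd11cba77ea475f7a70492596c19ee0d4c38a"),
    (r"\Users\Admin\AppData\Roaming\omsecor.exe",
     "7161d3d96ed1ec754509b5f03822909ad74eb806a570185cb4f1b02d8cefc9a8"),
]


def normalize(path):
    """Drop a leading drive letter (the Win7 listing has none) and case-fold the path."""
    if len(path) > 1 and path[1] == ":":
        path = path[2:]
    return path.lower()


def stage_key(run):
    """Label each drop as ((occurrence index of that path, normalized path), sha256)."""
    seen, keyed = {}, []
    for path, sha in run:
        p = normalize(path)
        n = seen.get(p, 0)
        seen[p] = n + 1
        keyed.append(((n, p), sha))
    return keyed


def compare_runs(*runs):
    """Return (stable, volatile): stage keys with one hash across runs vs. several."""
    hashes = {}
    for run in runs:
        for key, sha in stage_key(run):
            hashes.setdefault(key, set()).add(sha)
    stable = {k: next(iter(v)) for k, v in hashes.items() if len(v) == 1}
    volatile = {k: sorted(v) for k, v in hashes.items() if len(v) > 1}
    return stable, volatile


def hash_indicators(*runs):
    """Only hashes that reproduce across detonations are worth shipping as file-hash IOCs."""
    stable, _ = compare_runs(*runs)
    return sorted(stable.values())


def path_indicators(*runs):
    """Paths recur in every run even where the bytes change, so they serve for path/filename rules."""
    return sorted({normalize(p) for run in runs for p, _ in run})


if __name__ == "__main__":
    stable, volatile = compare_runs(WIN7, WIN10)
    print("stable:", stable)
    print("volatile:", volatile)
    print("hash IOCs:", hash_indicators(WIN7, WIN10))
    print("path IOCs:", path_indicators(WIN7, WIN10))
```

With more detonations available, the same comparison would also show whether the first-stage hash stays fixed over time or only across platforms.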