Malware Analysis Report

2024-09-11 08:31

Sample ID 240610-xs3qwaxapf
Target 16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c
SHA256 16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c

Threat Level: Known bad

The file 16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 19:07

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 19:07

Reported

2024-06-10 19:10

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3008 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3008 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3008 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3008 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3040 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3040 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3040 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3040 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1940 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1940 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1940 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1940 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe

"C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp

Files

memory/3008-1-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3008-9-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e1979a757a663d0d47976310da3a2fcb
SHA1 9e5073caac16ef7810beeca6e80d58324e102a38
SHA256 6ddf688fa5afce979fcd073964f7175ec38854b7e8c1bf163ee3526b238ba8be
SHA512 dc354566bd0fe60624b13bf2c91cdc099dc36b78842b137070f4fed841cbf40fe7392dcaac60d0c4ab8e5aafe3adf41dd707c5ef0b4c770523eefa30eed79134

memory/3040-10-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3040-12-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 b9c7c67da40253e812c0058589f7964d
SHA1 baaaf608205cfdbb387eaa67eb9f827a587fe145
SHA256 421ef27522d23a72d020b749c02e5ee8275c1fe598412c525d3c39365fe9877d
SHA512 95e086113c0aa1b0e1044d25327e433f552272498c82227dca8b12d2d0f68b823110776f29eee4edbfac7def092e81a8603b2663541fbca0bfa2ed8766963212

memory/3040-15-0x00000000004B0000-0x00000000004DB000-memory.dmp

memory/3040-22-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 db46a93fb4a2a2c492a8c9d21f301388
SHA1 3f15f1bebd1cbf48225a59f5aa5129e1bedc9447
SHA256 7c74e0c37f2e88b642e202a079f4656644d4ebe915054065746c8455bfb199df
SHA512 c0bc448a845c2cb7f67ddf1560059ae72b69b9b61150d2a3550f3ed4046f7f1cd36a2df57c269fd5c1c6792125f5689ec6b63c9ecf22c1a95e7ebf8cc5721a8e

memory/1940-33-0x0000000000220000-0x000000000024B000-memory.dmp

memory/1940-32-0x0000000000220000-0x000000000024B000-memory.dmp

memory/1940-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1976-36-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 19:07

Reported

2024-06-10 19:10

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe

"C:\Users\Admin\AppData\Local\Temp\16331d6f1437dc842ff61774b7f71f2e951cb2e259282a6e25314b9e2d87db5c.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

memory/3032-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e1979a757a663d0d47976310da3a2fcb
SHA1 9e5073caac16ef7810beeca6e80d58324e102a38
SHA256 6ddf688fa5afce979fcd073964f7175ec38854b7e8c1bf163ee3526b238ba8be
SHA512 dc354566bd0fe60624b13bf2c91cdc099dc36b78842b137070f4fed841cbf40fe7392dcaac60d0c4ab8e5aafe3adf41dd707c5ef0b4c770523eefa30eed79134

memory/5020-4-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3032-6-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5020-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 b4bbe071fb4157bdbd1acc95b1d8a926
SHA1 d9b40a14bc1ecae2a5d8663dfa804fab967f6224
SHA256 c7c78a450b292a0605d157c4cd356fe1e781921cebaf8b4d7893c446bcce26af
SHA512 7d30484f6d96089617e6fbeba0f91dc223471284edb47afee673cf8b8f0578e9165115005e81228378ee70428f8d902e028728b21473e54d9b8199dcbd24663a

memory/1432-13-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1432-18-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1807f84b8d5487a93b0dc2e603e552ca
SHA1 c1a37a6e60b0e9712de5771077f0204ffc05e48f
SHA256 ce68dff961db96341f008ecf18fc0522545c43016c8a2575274513a7064b136b
SHA512 66ae644fdde1e2b1daf7a24e3c73d9d09d97f442c53d1b666851ac4e301a45b14b9173a0c9afe55636bef22f49568d0e6788a7600b551eae4df7d0df57f67a6e

memory/4696-17-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5020-12-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4696-20-0x0000000000400000-0x000000000042B000-memory.dmp