Malware Analysis Report

2024-09-11 08:38

Sample ID: 240611-1yv5rstcqc
Target: 549eabc5176616b216b3b9600268b314df84305014a8b06f52fb6966de09dc01
SHA256: 549eabc5176616b216b3b9600268b314df84305014a8b06f52fb6966de09dc01
Tags: neconyd, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 549eabc5176616b216b3b9600268b314df84305014a8b06f52fb6966de09dc01

Threat Level: Known bad

The file 549eabc5176616b216b3b9600268b314df84305014a8b06f52fb6966de09dc01 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-11 22:03

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 22:03
Reported: 2024-06-11 22:06
Platform: win7-20240508-en
Max time kernel: 146s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\549eabc5176616b216b3b9600268b314df84305014a8b06f52fb6966de09dc01.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2220 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\549eabc5176616b216b3b9600268b314df84305014a8b06f52fb6966de09dc01.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2456 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1944 wrote to memory of 2180 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\549eabc5176616b216b3b9600268b314df84305014a8b06f52fb6966de09dc01.exe

"C:\Users\Admin\AppData\Local\Temp\549eabc5176616b216b3b9600268b314df84305014a8b06f52fb6966de09dc01.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 01fab924a4c63493b694b5af5c7b11f0
SHA1 bacbe6b8a41d345c06a8bf3b5735e53a4e5ae1a4
SHA256 b91c86c7de20ecf9a96105573df121bf85e5d03455466c3968888d810ef094c0
SHA512 2ad4aab9f81d565e3160befc61c2acaed92a9d4ff8d9ce2e9da1222e06fb9ae610ed5a3244b30c53760826081291d64e8d7dbebcdcb968fcd7a81ff7741dbf86

\Windows\SysWOW64\omsecor.exe

MD5 46fe7cc140ad46117589e24f044ccec4
SHA1 f8d64319e194733ff46d7c8cb995e559a2073549
SHA256 f8dfd567f188bef46c926c95017ab69d1f191a58db755351002ca987fc24ff80
SHA512 de7cf23e2ad23257b22fb6ddac60397ffbf40611be0cd5e0e5cdb68a75d9540bcc32329518ada52ec3c1a9e5d66c979214cb76be5b9487e02952de5bf2601427

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 56fbffd9eb096f2cb9f9a5ce0a3de20e
SHA1 c8097a6f8845d6edc3bad304b02a3afb748f87fe
SHA256 f6faa24261f4eaa8d1e7a67236a8214cb0d01f4be785753c55681cf12c42bbf6
SHA512 96f831634fa9a7239fa3536085601414c8496bba45225eee62c5b21cde35a5b0fa571edb781e7fbcb5643b1b10d40d3e58d70536f286701fc91804df966a55fd

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 22:03
Reported: 2024-06-11 22:06
Platform: win10v2004-20240426-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\549eabc5176616b216b3b9600268b314df84305014a8b06f52fb6966de09dc01.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\549eabc5176616b216b3b9600268b314df84305014a8b06f52fb6966de09dc01.exe

"C:\Users\Admin\AppData\Local\Temp\549eabc5176616b216b3b9600268b314df84305014a8b06f52fb6966de09dc01.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 01fab924a4c63493b694b5af5c7b11f0
SHA1 bacbe6b8a41d345c06a8bf3b5735e53a4e5ae1a4
SHA256 b91c86c7de20ecf9a96105573df121bf85e5d03455466c3968888d810ef094c0
SHA512 2ad4aab9f81d565e3160befc61c2acaed92a9d4ff8d9ce2e9da1222e06fb9ae610ed5a3244b30c53760826081291d64e8d7dbebcdcb968fcd7a81ff7741dbf86

C:\Windows\SysWOW64\omsecor.exe

MD5 66311046a8ccf9888f4012a14bd7675f
SHA1 cdbdebaa81d365617f620275d17526ec69b5be88
SHA256 40ba195a68709f2e70759c53071d36fca00e5cb7cb16497365695d3259c075f8
SHA512 e2a59b2cf7795da942e9ad8acb22df8a350a66626e4118fe2ad06cbf1a25b736c6dbdf71de81b325b3080c02b4f0a2133063b72ddb6e408607720845a7239ed2

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b830465eecfa960a3d6ab7eb569e9050
SHA1 8b551876a767d68c8efe538d16227d734d591f77
SHA256 4b2ee6050dcd923a27091528e0b56dd9e2fc1579d4d84b114aa6f3a120f08b14
SHA512 28b8368238ea10711f368c3b6a6e8d511a73d30d56f9838eae4d7dab375277ba58a8819080da2bd41c57751a581f7de26eb60fb418d5f182a73a2e32c7af272c