Malware Analysis Report

2024-09-11 08:39

Sample ID 240611-3gdkhawarh
Target 71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a
SHA256 71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a

Threat Level: Known bad

The file 71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 23:28

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 23:28

Reported

2024-06-11 23:31

Platform

win7-20240419-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2424 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2424 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2424 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2424 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3036 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3036 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3036 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3036 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1808 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1808 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1808 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1808 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a.exe

"C:\Users\Admin\AppData\Local\Temp\71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 cb52143cad084198dd37edeb550fa645
SHA1 af1bd598adc5baad8088dc39de76a2730d4b1103
SHA256 4941b3456ec7a465335a5f1f0ec27b243be8784b2341a503f1652c2393df43d6
SHA512 bc0d6acc8ed417b534b4f9c6a1cd610415e11c223814bb278324f5b56c330b9ba5fb9415f50c2c549fadcbbd049d941e3d8ed9f4b4f0e791d2cef5158c2acac1

\Windows\SysWOW64\omsecor.exe

MD5 a33682b30c79da6451d7cb6d7f6ea1fa
SHA1 02456f41c43d7afe48278d9bff4b3fdf4b9c8236
SHA256 94ad3263baa0463d435a5e442b528b1c241234c7906a5a07e0ae5a611c8f46e3
SHA512 2f439ed8caf4891d38992f4de42b2cacd8b18fc61fc7f6da7d4ce9d7f4242b458c9e4b80f2f540946a1a0d9ad13a544307bbcea2de158f0829fbd863833fa328

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f97920b3a49fd04ab6b1adc9564d4383
SHA1 800ed87e2ef7a49cd6343d07c51146b50fcd793d
SHA256 fda14a1c4833d3ca2910cfb5f141d3089981c833817f42a9861aabbbcc548f70
SHA512 19578ff6d6549df1782852e6f0bb950b2bb55e701b50fd6f9335d96756a34ba06a5463c1bcc8fdb488bef02b00c4d13c1bba0c2d16865b7a9169dd43b240f41e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 23:28

Reported

2024-06-11 23:31

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a.exe

"C:\Users\Admin\AppData\Local\Temp\71be109a71e114f619cfeed44ecea88d4d3f4ebcfd2f5651a57df98d8868051a.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 cb52143cad084198dd37edeb550fa645
SHA1 af1bd598adc5baad8088dc39de76a2730d4b1103
SHA256 4941b3456ec7a465335a5f1f0ec27b243be8784b2341a503f1652c2393df43d6
SHA512 bc0d6acc8ed417b534b4f9c6a1cd610415e11c223814bb278324f5b56c330b9ba5fb9415f50c2c549fadcbbd049d941e3d8ed9f4b4f0e791d2cef5158c2acac1

C:\Windows\SysWOW64\omsecor.exe

MD5 771a6e1d16121afd27fc877b46e40971
SHA1 1d0b07fd24ed33777431d11a7ce6696274952050
SHA256 48ae06f62548e4df036e5ef5b6015dbc7bebfba4cd7717a8330d5bd4ebc8ced0
SHA512 798440cfc66953ae9a733977b05c8c3f036f109c3cd98038ec016ef0c9906e8c4f4bff687848967d5648990f1e08c345f1c5a00f7f1adbec120f0ca293c5987f

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b4043d4a5bac62a001918618781920f1
SHA1 74f25fd8cdb87dc80c3470cef6b88079f326af33
SHA256 4cc803fb014d97cd368fc1858c621dd36c6c73eb0d65bc37eaad9495ec84b212
SHA512 72169933af4e9dc963f243fa45c1c5da10da7146a652dd07d0c22e9625346b8390f9eefb994fdd39d13a078330991b35c6fea895a778c9dd4a74f3b7c56e1c12