Malware Analysis Report

2024-09-11 08:39

Sample ID 240611-b79bbazfnm
Target aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d
SHA256 aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d

Threat Level: Known bad

The file aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 01:48

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 01:48

Reported

2024-06-11 01:50

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1688 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1688 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1688 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1508 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1508 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1508 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1508 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1364 wrote to memory of 1256 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1364 wrote to memory of 1256 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1364 wrote to memory of 1256 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1364 wrote to memory of 1256 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe

"C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3815fd7ed30cb279abf848e0e568f076
SHA1 7dba16d8e15b417448ee6d2de8d1c2fd0b454a9b
SHA256 c68aa397ecffdeb6477fb60813987ea620d21e9920fdfd39befc41b98d8c0dec
SHA512 0cfce9c37d9aec75b8c92e17b5fccee2bb0065f5cd4c351e0cce1f25298bbeb3ebb89f43334f90fe483b2629dbd43f5def7a1f3e44150fab0932b84bf67d1fc1

\Windows\SysWOW64\omsecor.exe

MD5 69a4d025ad497daf5cec4cbfff4d2378
SHA1 75e2706c00ba1f6169f8ec4c6ff1782f46e2f350
SHA256 e9df493ae72c0e300904c4c3b37feea2b59dbae37709cb9e76f62b4b0b8d158a
SHA512 5d1fb9b6788dd6d9f5c78c882c6556078ef3b69a1d0de1dd351feace1f09cafa8f61db0714c0f0d6b2fcd998dce8dea1fb412971a7dc33125dc4c3a75251c4e4

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 704f43c8b8cfdd897db4842d5ec8606d
SHA1 0ff274326e2f0331aac1e75d52ddc64e32241561
SHA256 dfeeab912f59f33a78b4e3a28ebf3160ef8a8c1fd148fe6906291c5ba0caed9a
SHA512 9a32644e8478746818d8ba4984a613c842683eea17796f0e5e9757d2dd29b3d070afb73ca5fa7eace389ba2067572629fc82c06fc3fd5f70f0fb4044ed01ad05

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 01:48

Reported

2024-06-11 01:50

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1164 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1164 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 392 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 392 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 392 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3420 wrote to memory of 3500 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3420 wrote to memory of 3500 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3420 wrote to memory of 3500 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe

"C:\Users\Admin\AppData\Local\Temp\aceaae6f56c1df65fc6a3469ad84173aa9efece87545bb3305c9783ae880f01d.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3815fd7ed30cb279abf848e0e568f076
SHA1 7dba16d8e15b417448ee6d2de8d1c2fd0b454a9b
SHA256 c68aa397ecffdeb6477fb60813987ea620d21e9920fdfd39befc41b98d8c0dec
SHA512 0cfce9c37d9aec75b8c92e17b5fccee2bb0065f5cd4c351e0cce1f25298bbeb3ebb89f43334f90fe483b2629dbd43f5def7a1f3e44150fab0932b84bf67d1fc1

C:\Windows\SysWOW64\omsecor.exe

MD5 05121ee5a161a943a3cb7c46e2fa13c3
SHA1 386f345b0b5df77ae0a10345f19e5099f52496f8
SHA256 4e1578bbb07f7159995d5a70e2532784d0494e9f664df620bb882c6ce656508e
SHA512 3f1f582424bcac9289d1cf641b1bb353540b48970bf8f1badd94faeeb48b0f87f8ec222ab2cfe2b7b2b4d0a63d15d0dbae33963816f537798f966af22c998f01

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a6abc66b0575dab00754abc3302cefab
SHA1 b42fe563bc6cd3d8570b9a772a9ce3bd63b2cd40
SHA256 54d85ad07fac776984e62ba37990303ef68811ef929a9e98ff55ab775d29cdf2
SHA512 0421025b5d452e5fe771a8a9517c6a0f61548688d3048aba05210ff07ebaea39993855b0c88a5c5787c26e0e0904e8252e134ac89de8f6492fb143884555a8cd