Malware Analysis Report

2024-09-11 08:39

Sample ID 240611-eh2rqatclc
Target db87a3c60cef93cfba23822710ed70037ebea318e83ca86165e8c438c85aca51
SHA256 db87a3c60cef93cfba23822710ed70037ebea318e83ca86165e8c438c85aca51
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

db87a3c60cef93cfba23822710ed70037ebea318e83ca86165e8c438c85aca51

Threat Level: Known bad

The file db87a3c60cef93cfba23822710ed70037ebea318e83ca86165e8c438c85aca51 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 03:57

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 03:57

Reported

2024-06-11 03:59

Platform

win7-20240221-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db87a3c60cef93cfba23822710ed70037ebea318e83ca86165e8c438c85aca51.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 1724 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\db87a3c60cef93cfba23822710ed70037ebea318e83ca86165e8c438c85aca51.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1724 wrote to memory of 2872 (4 identical events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2872 wrote to memory of 3048 (4 identical events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\db87a3c60cef93cfba23822710ed70037ebea318e83ca86165e8c438c85aca51.exe

"C:\Users\Admin\AppData\Local\Temp\db87a3c60cef93cfba23822710ed70037ebea318e83ca86165e8c438c85aca51.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5156d92163747fc63f36415ff2756ac1
SHA1 1b480079e0c1fce8912867d1dd6affcb943afa33
SHA256 bb66de9e925e9df31060b6f66cd46296a28f93195d35483d701959a459ea5208
SHA512 d071ca9c76d67361163fc262f0b1d89e7d86b9d8f9336d63dd531e82bbe5034bdff96d3bdbdeb65697cf3099abb1dc298ac4df48aaea6ff5a90d3f64e4d7554a

\Windows\SysWOW64\omsecor.exe

MD5 c4c59a6a88428c61a405bae2c4912b57
SHA1 7f9e15ed4e11fbfd64ebe70e7374504027ff0796
SHA256 9db5d2b69b997147d076f2669ee663fee841e39b37ab8e038f84764c0d51b093
SHA512 29744d41a3aaadd6a8e6ccea0135da699b2ffaf97fa959ac1d7669462cf2b4a18299ddaa0998af8a572a4a5ac594ad4f54151782fc8eccda24ca1392db562f07

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1384ede11b1601c0e7adbe26df84f029
SHA1 2355075a2e2e1de00688deab9e8d5a3792871349
SHA256 00935005b77bce26481c399f74cad0273d2087190369ead349d1e78a847e1260
SHA512 6536037635cc812d3fd617eb2f4bc09bee765744c7bb91af4b8ca1c8acc015c4b74868b5382bad2dad4ff53f6806bc2793282d99947d73244d06fe5c3ffd1b06

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 03:57

Reported

2024-06-11 03:59

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db87a3c60cef93cfba23822710ed70037ebea318e83ca86165e8c438c85aca51.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\db87a3c60cef93cfba23822710ed70037ebea318e83ca86165e8c438c85aca51.exe

"C:\Users\Admin\AppData\Local\Temp\db87a3c60cef93cfba23822710ed70037ebea318e83ca86165e8c438c85aca51.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5156d92163747fc63f36415ff2756ac1
SHA1 1b480079e0c1fce8912867d1dd6affcb943afa33
SHA256 bb66de9e925e9df31060b6f66cd46296a28f93195d35483d701959a459ea5208
SHA512 d071ca9c76d67361163fc262f0b1d89e7d86b9d8f9336d63dd531e82bbe5034bdff96d3bdbdeb65697cf3099abb1dc298ac4df48aaea6ff5a90d3f64e4d7554a

C:\Windows\SysWOW64\omsecor.exe

MD5 c9ad564663008c31a3a74f963f152eda
SHA1 ebcce87c7d8a1211aa3be2de1d05d76eca6c9c49
SHA256 011c10ff63c278e9a3f4263f0d5af43283f5ced086b74d83037015095d2c5f30
SHA512 649e2785e08d98e1e25a73e1bff6310d9a90d1b648962662d0cc4aa279af044192aade300dacf923efaa0f23f7d9a4d2e8917c45162c76ae817175f584f63cab

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f20006c91eea18891a0732581a47b7d4
SHA1 9585cf8e3d0d849f90f971c46421ba2041154b70
SHA256 d0c7a9748a3bb7e136e880f5044dbfeb8d67bb9e7a150e1758c60e71428a0b88
SHA512 3fda0d8e117a1cb29e1a26e15fe1392a78495a9384d129c7e4c61b683f679ab0bd259a2d85fda23912d879d3c04e52624134c269e9bbca226f59555c9d91bac4