Malware Analysis Report

2024-09-11 08:38

Sample ID: 240611-fklnysvfje
Target: f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57
SHA256: f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57
Tags: neconyd trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57

Threat Level: Known bad

The file f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-11 04:55

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 04:55

Reported: 2024-06-11 04:58

Platform: win7-20240221-en

Max time kernel: 146s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1548 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1548 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1548 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1548 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2760 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2760 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2760 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2760 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2788 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2788 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2788 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2788 wrote to memory of 2960 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57.exe

"C:\Users\Admin\AppData\Local\Temp\f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 452b0f61d42d3fcc61be824474b4201f
SHA1 0f80f9091a92cc6eb9e70590fe4f98cd2330c22f
SHA256 20f5915ea6350009e667a8a762cee652a20c395a1a60e3c4cd13a5d93e5af83d
SHA512 f0d521e67ef23e39e93d8f76b6213702358a0a0847277bd6ef517b985dce6b3470b33696e423317414247f8233a4a0dcbb0837f2b0314946de27338f77d6d81d

\Windows\SysWOW64\omsecor.exe

MD5 7bd9e8c2cbfa4408e2b764e17cf3c08b
SHA1 21d7cbab4608cfc0ae88cc2918e4320ea2c6c3f7
SHA256 61b11e95038e47e02d2bfc3758dffa26fbcabf5e13e09825599893ba22d699cc
SHA512 7b6541cfce0487dac443dd0b0f85cd1383a358ffda262576d559bb084b1cd59ae365f08b68b2667bf38dd69443b44dbbba13c55829a5f96891e3c0c1059e132f

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 794622c7a6f7aac78d543058f735f549
SHA1 9d5bcfe6c0ace36fa907ce9b7e13f0ac7d9c2b7e
SHA256 6c553d881dd8abda5e0674be0260f8d07683e3adf0217d3bc804a47c67c65af9
SHA512 6e1b2ed7815dd19cdca95b27b73aa735bd1667af69c75f8924f8ade9b9e07c08c309092574fd2cd306d242f80254fc1629a8bc7799609351b6c63433bfb207b7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 04:55

Reported: 2024-06-11 04:58

Platform: win10v2004-20240508-en

Max time kernel: 147s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57.exe

"C:\Users\Admin\AppData\Local\Temp\f15b64df78dc47bf69451930825b956f2f79754fed2b00755df7015f9c98ac57.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 452b0f61d42d3fcc61be824474b4201f
SHA1 0f80f9091a92cc6eb9e70590fe4f98cd2330c22f
SHA256 20f5915ea6350009e667a8a762cee652a20c395a1a60e3c4cd13a5d93e5af83d
SHA512 f0d521e67ef23e39e93d8f76b6213702358a0a0847277bd6ef517b985dce6b3470b33696e423317414247f8233a4a0dcbb0837f2b0314946de27338f77d6d81d

C:\Windows\SysWOW64\omsecor.exe

MD5 d8213278a8df3e9aee3d94ac5dc00cb1
SHA1 414d26b791f2c5310f3784ad470127d92e075d07
SHA256 182432fc076dfd18ea18d26c4f670498353ed81c5de05ece8fdf35fb2e4a835f
SHA512 85a04fd60df772bcc1e9a4321f931e219d68b57adb80f27293bde82d5e293d0d38287bc5b5f50a6dbd6e3e1c6eaebb4a04b299fad6bfd325f657583f49e80db9

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 554d7c64cc47c264dbd789f161e9cbd3
SHA1 9cbd1f5e7b43ea8b435a54a6b48c734a29fb0e18
SHA256 b8dcd7ba61d2caf13a7f4155676d51712b88ec9d562e071b490ccfa7372fe6f0
SHA512 9fe98e4ce7b629e9187183a57e65ec0636edd20daa786d6353d541c4438809c9ebc320a0d7efb1c51611ea4a82e209b13d0e4ef3c95e582de2f5cf9065befee5