Malware Analysis Report

2024-09-11 08:40

Sample ID 240612-b291naxhrb
Target 9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1
SHA256 9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1

Threat Level: Known bad

The file 9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 01:39

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
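The static1 "Unsigned PE" signature means the sample carries no Authenticode certificate table. The following is an added example (it is not part of the report and not the sandbox's own signature code) that reproduces that check by reading the security data directory of the PE optional header. Because the sample's bytes are not on this page, it builds its own minimal PE32/PE32+ headers as constructed fixtures; the `build_test_pe` helper and its field values are assumptions for the demonstration only.

```python
import struct
from typing import Optional, Tuple

# Index of the Attribute Certificate Table in the optional header's data
# directory. Its "VirtualAddress" is a raw file offset, not an RVA.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (file_offset, size) of the certificate table, (0, 0) when the
    PE has no such directory entry, or None when the headers are malformed."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:        # PE32
            count_off, dirs_off = 92, 96
        elif magic == 0x20B:      # PE32+
            count_off, dirs_off = 108, 112
        else:
            return None
        count = struct.unpack_from("<I", data, opt + count_off)[0]
        if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return (0, 0)
        entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        if entry + 8 > opt + size_of_optional:
            return None
        return struct.unpack_from("<II", data, entry)
    except struct.error:
        return None


def classify_signature(data: bytes) -> str:
    """'unsigned', 'signed' (a WIN_CERTIFICATE carrying PKCS#7 SignedData is
    attached) or 'malformed'. Only presence is checked here: whether the
    signature verifies and chains to a trusted root needs WinVerifyTrust or
    a tool such as osslsigncode."""
    directory = security_directory(data)
    if directory is None:
        return "malformed"
    offset, size = directory
    if offset == 0 or size == 0:
        return "unsigned"
    if size < 8 or offset + size > len(data):
        return "malformed"
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size:
        return "malformed"
    return "signed"


def build_test_pe(cert: Optional[bytes], pe32plus: bool = False) -> bytes:
    """Constructed fixture (assumption, not a real binary): DOS header, NT
    headers and an optional certificate table. Just enough header for the
    parser above, not a loadable image."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic, opt_size, machine = (0x20B, 240, 0x8664) if pe32plus else (0x10B, 224, 0x14C)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    count_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, count_off, 16)
    header_len = len(dos) + 4 + len(coff) + len(opt)
    win_cert = b""
    if cert is not None:
        win_cert = struct.pack("<IHH", 8 + len(cert), 0x0200,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_signature(fh.read()))
```

Run it against a dropped omsecor.exe pulled from a sandbox or an infected host to confirm the "unsigned" verdict; remember that "signed" only says a certificate blob is attached, so a positive result still has to be verified against a trust store before it means anything.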

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 01:39

Reported

2024-06-12 01:42

Platform

win7-20240221-en

Max time kernel

148s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

PID 2180 wrote to memory of 2928 (logged 4 times)
    Indicator: N/A
    Process:   C:\Users\Admin\AppData\Local\Temp\9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1.exe
    Target:    C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2928 wrote to memory of 2580 (logged 4 times)
    Indicator: N/A
    Process:   C:\Users\Admin\AppData\Roaming\omsecor.exe
    Target:    C:\Windows\SysWOW64\omsecor.exe
PID 2580 wrote to memory of 2444 (logged 4 times)
    Indicator: N/A
    Process:   C:\Windows\SysWOW64\omsecor.exe
    Target:    C:\Users\Admin\AppData\Roaming\omsecor.exe

At every hop the parent process writes into the address space of the child it has just started (2180 -> 2928 -> 2580 -> 2444), four writes per hop. It is this parent-to-new-child write pattern, not WriteProcessMemory on its own, that the signature flags as suspicious.

Processes

Each entry gives the image path followed by the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1.exe
    "C:\Users\Admin\AppData\Local\Temp\9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

The third stage is launched with a System32 path but its image is in SysWOW64: the 32-bit omsecor.exe writes to C:\Windows\System32 and WOW64 file-system redirection on the 64-bit sandbox maps that to C:\Windows\SysWOW64, which is also why the "Drops file in System32 directory" signature reports a SysWOW64 path. The resulting chain is sample -> %APPDATA%\omsecor.exe -> SysWOW64\omsecor.exe -> %APPDATA%\omsecor.exe, the same order as PIDs 2180 -> 2928 -> 2580 -> 2444 in the WriteProcessMemory table above.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ea87ab8549c7fa3c085468068f4ca6dd
SHA1 226e0b700342965377ece5be7317c44221b2f700
SHA256 640980fc3f756ee0acb947681c0346d85374e0996b47ea51b23de8f2d3b626f3
SHA512 bd72fdc03b50da447a1e73384edc5050104781cebdc6dd5b69ec53336aa9c41a6eda848c07fb788cbb307e800b56ff9441f3427e6dbd25ce8b48d84e3af9f561

\Windows\SysWOW64\omsecor.exe

MD5 8d0eaad137d92a6952a5946c3f68643b
SHA1 dbf2690751b09a4dc3efa6b9aaba6e4feac2dec3
SHA256 ee79b4efa0e17f3431846595755645074cb25a56a2638a8dbbf530d46fd28c5d
SHA512 b5ae80631a993e8d34e9436de0954080987c366a2c4bf380eb802168923cdc2051d08fbc8a37a09c568f87f135926da530b0c63935eac9ce0b8215bcb696b0b3

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c2fe00177b5ad4bc8fa9ad8027e70673
SHA1 6d8b2c5b91ec927473d0d337b5db579c813855e6
SHA256 bc38d21196c305a14216653deb1e9994778412870111cdfacd4c46b6fd0f3846
SHA512 be194f07acff481116ffa01179d0e9b7c6c79f3c902e80f9a48afa1720bdcf52dba6fe38a82b1d9f74d33dc1c8f4c18ac47216be7d6907bfd526d57b407db4c8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 01:39

Reported

2024-06-12 01:42

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Each entry gives the image path followed by the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1.exe
    "C:\Users\Admin\AppData\Local\Temp\9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

Same chain as in behavioral1: the third stage's command line names System32 while its image is in SysWOW64, because WOW64 file-system redirection on the 64-bit Windows 10 sandbox sends the 32-bit process's System32 writes to SysWOW64.
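The behavioral1 and behavioral2 runs show the same three-hop chain (sample -> %APPDATA%\omsecor.exe -> SysWOW64\omsecor.exe -> %APPDATA%\omsecor.exe), a file dropped into a system directory by a process running from AppData, and, in behavioral1, each parent writing into the child it just created. The following is an added example, not part of the report or the sandbox's signature engine, that turns those three observations into endpoint detection rules and runs them over constructed Sysmon-style records. The PIDs and image paths are taken from the behavioral1 tables; the explorer.exe launcher, the event timestamps' absence, and the GrantedAccess values are assumptions. The "wrote to memory of" rows are modelled as Sysmon Event ID 10 (ProcessAccess) records whose GrantedAccess includes PROCESS_VM_WRITE, which is the access right WriteProcessMemory requires.

```python
import ntpath
import re
from typing import Dict, List

PROCESS_VM_WRITE = 0x0020   # GrantedAccess bit WriteProcessMemory needs

# Image paths from the behavioral1 process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9cd32ad23832f553cd9a6b192c989196f2aae1cb60ce24395b7b58099138fef1.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"
EXPLORER = r"C:\Windows\explorer.exe"   # assumed launcher, not in the report

# Constructed Sysmon-style records (1 = process create, 11 = file create,
# 10 = process access) following the behavioral1 PID chain
# 2180 -> 2928 -> 2580 -> 2444. Access masks and the explorer.exe parent
# are assumptions for the example.
EVENTS = [
    {"id": 1, "pid": 2180, "ppid": 1000, "image": SAMPLE, "parent_image": EXPLORER},
    {"id": 11, "pid": 2180, "image": SAMPLE, "target": ROAMING},
    {"id": 1, "pid": 2928, "ppid": 2180, "image": ROAMING, "parent_image": SAMPLE},
    {"id": 10, "src_pid": 2180, "src_image": SAMPLE, "dst_pid": 2928, "dst_image": ROAMING, "access": 0x1FFFFF},
    {"id": 11, "pid": 2928, "image": ROAMING, "target": SYSWOW},
    {"id": 1, "pid": 2580, "ppid": 2928, "image": SYSWOW, "parent_image": ROAMING},
    {"id": 10, "src_pid": 2928, "src_image": ROAMING, "dst_pid": 2580, "dst_image": SYSWOW, "access": 0x1FFFFF},
    {"id": 1, "pid": 2444, "ppid": 2580, "image": ROAMING, "parent_image": SYSWOW},
    {"id": 10, "src_pid": 2580, "src_image": SYSWOW, "dst_pid": 2444, "dst_image": ROAMING, "access": 0x1FFFFF},
    # Benign noise: a query-only handle without VM_WRITE must not fire.
    {"id": 10, "src_pid": 1000, "src_image": EXPLORER, "dst_pid": 2180, "dst_image": SAMPLE, "access": 0x1000},
]

_USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\")
_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def user_writable(path: str) -> bool:
    return bool(_USER_WRITABLE.match(path.lower()))


def system_dir(path: str) -> bool:
    return path.lower().startswith(_SYSTEM_DIRS)


def analyse(events) -> List[Dict]:
    """Apply three rules in event order and return the findings."""
    parent, findings = {}, []
    for ev in events:
        if ev["id"] == 1:
            parent[ev["pid"]] = ev["ppid"]
            # Rule 1: a same-named binary in a system directory started by
            # a process living in AppData (the self-copy into SysWOW64).
            same_name = ntpath.basename(ev["image"]).lower() == ntpath.basename(ev["parent_image"]).lower()
            if user_writable(ev["parent_image"]) and system_dir(ev["image"]) and same_name:
                findings.append({"rule": "system_dir_child_of_appdata_process", "pid": ev["pid"],
                                 "image": ev["image"], "parent_image": ev["parent_image"]})
        elif ev["id"] == 11:
            # Rule 2: a process running from AppData creates a file in a system directory.
            if user_writable(ev["image"]) and system_dir(ev["target"]):
                findings.append({"rule": "appdata_process_drops_into_system_dir", "pid": ev["pid"],
                                 "image": ev["image"], "target": ev["target"]})
        elif ev["id"] == 10:
            # Rule 3: a parent obtains write access to a child it created itself.
            if ev["access"] & PROCESS_VM_WRITE and parent.get(ev["dst_pid"]) == ev["src_pid"]:
                findings.append({"rule": "parent_writes_child_memory", "src_pid": ev["src_pid"],
                                 "dst_pid": ev["dst_pid"], "src_image": ev["src_image"],
                                 "dst_image": ev["dst_image"]})
    return findings


def lineage(events, pid: int) -> List[str]:
    """Image path of every ancestor from the root down to pid, rebuilt from
    the process-create records."""
    parent, image = {}, {}
    for ev in events:
        if ev["id"] == 1:
            parent[ev["pid"]] = ev["ppid"]
            image[ev["pid"]] = ev["image"]
            image.setdefault(ev["ppid"], ev["parent_image"])
    chain = []
    while pid in image:
        chain.append(image[pid])
        pid = parent.get(pid)
    return chain[::-1]


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
    print(" -> ".join(lineage(EVENTS, 2444)))
```

Rule 3 is the one with real signal: cross-process writes are common in legitimate software (debuggers, some installers), but a freshly spawned child receiving a write from its own parent, three times in a row down a chain that bounces between AppData and SysWOW64, is not. Run the same logic over real Sysmon output by mapping ProcessId/ParentProcessId, Image/ParentImage, TargetFilename and SourceProcessId/TargetProcessId/GrantedAccess onto the keys used here.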

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
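Both Network tables (behavioral1 and behavioral2) carry the same three domains and, in behavioral1, the three hosts they resolved to; every DNS row also shows 8.8.8.8:53, which is the sandbox's resolver rather than an indicator, and the 8.8.8.8.in-addr.arpa row is a reverse lookup of that resolver. The following is an added example, not part of the report, that matches those indicators against Zeek-style JSON dns.log and conn.log records. The log lines are constructed; the hosts and timestamps in them are made up, and the record field names follow Zeek's JSON output.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Indicators copied from the behavioral1 and behavioral2 Network tables.
IOC_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
IOC_IPS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}
# The sandbox's resolver. It appears in every DNS row but is not an indicator.
RESOLVERS = {"8.8.8.8"}

# Constructed Zeek-style JSON records; hosts and timestamps are invented.
SAMPLE_LOG = """\
{"_path":"dns","ts":1718156400.1,"id.orig_h":"10.0.0.5","id.resp_h":"8.8.8.8","query":"lousta.net","qtype_name":"A"}
{"_path":"dns","ts":1718156400.2,"id.orig_h":"10.0.0.5","id.resp_h":"8.8.8.8","query":"8.8.8.8.in-addr.arpa","qtype_name":"PTR"}
{"_path":"conn","ts":1718156400.3,"id.orig_h":"10.0.0.5","id.resp_h":"193.166.255.171","id.resp_p":80,"proto":"tcp"}
{"_path":"dns","ts":1718156401.0,"id.orig_h":"10.0.0.5","id.resp_h":"8.8.8.8","query":"lousta.net.example","qtype_name":"A"}
{"_path":"dns","ts":1718156401.5,"id.orig_h":"10.0.0.5","id.resp_h":"8.8.8.8","query":"notlousta.net","qtype_name":"A"}
{"_path":"dns","ts":1718156402.0,"id.orig_h":"10.0.0.7","id.resp_h":"8.8.8.8","query":"cdn.MKKUEI4KDSZ.com.","qtype_name":"A"}
{"_path":"conn","ts":1718156402.5,"id.orig_h":"10.0.0.9","id.resp_h":"8.8.8.8","id.resp_p":53,"proto":"udp"}
{"_path":"conn","ts":1718156403.0,"id.orig_h":"10.0.0.7","id.resp_h":"64.225.91.73","id.resp_p":80,"proto":"tcp"}
"""


def normalise(name: str) -> str:
    return name.lower().rstrip(".")


def domain_matches(query: str, ioc: str) -> bool:
    """True for the IOC itself or any subdomain of it, never for a name that
    merely contains it (notlousta.net, lousta.net.example)."""
    q, i = normalise(query), normalise(ioc)
    return q == i or q.endswith("." + i)


def parse_records(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_iocs(records) -> List[Dict]:
    hits = []
    for rec in records:
        host = rec["id.orig_h"]
        if rec["_path"] == "dns":
            if rec.get("qtype_name") == "PTR":
                continue   # reverse lookups of the resolver are sandbox noise
            for ioc in IOC_DOMAINS:
                if domain_matches(rec["query"], ioc):
                    hits.append({"ts": rec["ts"], "host": host, "kind": "dns",
                                 "indicator": ioc, "evidence": rec["query"]})
        elif rec["_path"] == "conn":
            dst = rec["id.resp_h"]
            if dst in RESOLVERS:
                continue   # traffic to the resolver itself is not a hit
            if dst in IOC_IPS:
                hits.append({"ts": rec["ts"], "host": host, "kind": "conn", "indicator": dst,
                             "evidence": f"{dst}:{rec['id.resp_p']}/{rec['proto']}"})
    return hits


def hosts_summary(hits) -> Dict[str, List[str]]:
    """Distinct indicators seen per source host, sorted, for triage."""
    seen = defaultdict(set)
    for hit in hits:
        seen[hit["host"]].add(hit["indicator"])
    return {host: sorted(iocs) for host, iocs in seen.items()}


if __name__ == "__main__":
    found = match_iocs(parse_records(SAMPLE_LOG))
    for hit in found:
        print(hit)
    print(hosts_summary(found))
```

The domain matches are the durable part of this list; the three IP addresses are what the names resolved to on 2024-06-12 and can be reassigned, so treat an IP-only hit as lower confidence than a DNS hit and never add 8.8.8.8 to a block list on the strength of this report.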

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ea87ab8549c7fa3c085468068f4ca6dd
SHA1 226e0b700342965377ece5be7317c44221b2f700
SHA256 640980fc3f756ee0acb947681c0346d85374e0996b47ea51b23de8f2d3b626f3
SHA512 bd72fdc03b50da447a1e73384edc5050104781cebdc6dd5b69ec53336aa9c41a6eda848c07fb788cbb307e800b56ff9441f3427e6dbd25ce8b48d84e3af9f561

C:\Windows\SysWOW64\omsecor.exe

MD5 f6566e9b2db897ed4fcb9d6303e5a286
SHA1 049993c296675ba9357be50bcd87f26fbaaf8a87
SHA256 28efb03024d1e73035ecc40a724a5b6e28901cecf218727b3f93ef5286d995ac
SHA512 6e08f0abe19a89d9b6471be82ea23ac74dd09395a691047e9d288eae44bbf7057756861d80f74fd671f2322b4e1df9b941d5c2f906f13bfd5ea0114fdd0c2661

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0945a3a8baabfbd98c94a34d0b08c5d3
SHA1 1778ca5da7df70c9d9f6ec1522cf3a6c18aaca2b
SHA256 b9074ad1919ddbcc244c2ac75952dce2197d48348ce778178307960722cd0355
SHA512 190e4f2087fac20ae91eebfb81fa6ac00d597948d84939fc5d382cb99ba42b64ffcfb5c4f3136f9bb09269e155dc992facc5bd8482c6ffe58bfc2269c69c5e4c