Malware Analysis Report

2024-09-11 08:32

Sample ID: 240612-dn2hgazbpj
Target: b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c
SHA256: b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c
Tags: neconyd trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c

Threat Level: Known bad

The file b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 03:10

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 03:10

Reported: 2024-06-12 03:12

Platform: win7-20240611-en

Max time kernel: 146s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1040 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1040 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1040 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1040 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2368 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2368 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2368 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3064 wrote to memory of 1644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3064 wrote to memory of 1644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3064 wrote to memory of 1644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3064 wrote to memory of 1644 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c.exe

"C:\Users\Admin\AppData\Local\Temp\b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4c2193adcba1ca9a724045993409e85b
SHA1 54952c321758451c6b69dcb19db340114413d053
SHA256 1eb4215b0240609320dfac408ad0c084da84af4b671834c5c827127ffc716d06
SHA512 e3b867ac1c9908785e8a28750ac3150638d0f5a28c93ee7319a5c92588c6395066524af8f8dc563dcd598f4b16690a58f79baa8746c1507c5c0fb14822584003

\Windows\SysWOW64\omsecor.exe

MD5 a023f5d29a24e92688cf8dcf5e8120b2
SHA1 03aa78a0f24bcdc96bf0e3dc68a16c08352df28b
SHA256 094f7e4d6ad3a5c352a24ac4c38cf68dc1e4e224ad827f4c2b0e1c1944f76a26
SHA512 528536b27d42906f68ec7e813c925a944ae140def4ee4aa0ac61f745e54ab6da60288549f00edd5ac949a98cccf3ccd27fb862165d412006f5a23b37be962feb

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d30dd253a68b489eab38098de0052f05
SHA1 614841f2ec7c2140c4afea0dea2fd08c9a70f851
SHA256 cd93406ebcc34b6670e5acca69888af58976326e09cb65d55cbe8774eb72aec2
SHA512 bf54c0df72b9bcea658fa3b2a4a9aae6959c379a1ffd5dfa98dbb1d10b10ec891b06ab3b65eb4260f577d460fabc89caaf963ded96e027984186641313e218ff

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 03:10

Reported: 2024-06-12 03:12

Platform: win10v2004-20240508-en

Max time kernel: 142s

Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c.exe

"C:\Users\Admin\AppData\Local\Temp\b67be13e56520bb0c2765c2595b0a36f770d9770d4aec59b15763bf1cefc765c.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4c2193adcba1ca9a724045993409e85b
SHA1 54952c321758451c6b69dcb19db340114413d053
SHA256 1eb4215b0240609320dfac408ad0c084da84af4b671834c5c827127ffc716d06
SHA512 e3b867ac1c9908785e8a28750ac3150638d0f5a28c93ee7319a5c92588c6395066524af8f8dc563dcd598f4b16690a58f79baa8746c1507c5c0fb14822584003

C:\Windows\SysWOW64\omsecor.exe

MD5 8730bddf9ab97015d6e7d4195252e3e4
SHA1 5fc186256d8cf7bc3804eb674a1328e90590e94b
SHA256 ea6cde6a0e7abb6c6f1b98f846b70695ed3bd29dcbe7028416ea5dfd4c0c11b7
SHA512 b7c67cf90aafe8e4af7a71fd4b9c3d3bb3453473d1defd56e7e3783e79d98ea0501135118b4a656ea6097c2b6160cc2695cf79ade171b5b449ac0b1c6b43ae35

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5eb52ebef2cbe163e3f6f77bf25bfbd2
SHA1 491b69a87c3f6c6c7b8028b94ac59179a07b7461
SHA256 8e0057520ad32bba289997c434cb6de5e60acf90101bee6302ba401fb5670ce3
SHA512 da8a521d396daaa4486c6ba369c5eca70df7a20298935beece43a6a8075ca086bdae0033dca241a2f06e2dd8a00e18446826fdecdc1053bbde83432c36affc65