Malware Analysis Report

2024-09-11 08:32

Sample ID 240612-dnjyeszbnl
Target b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4
SHA256 b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4
Tags: neconyd, trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4

Threat Level: Known bad

The file b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 03:09

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 03:09
Reported: 2024-06-12 03:11
Platform: win7-20240221-en
Max time kernel: 146s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1668 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1668 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1668 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1964 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1964 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1964 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1964 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1800 wrote to memory of 776 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1800 wrote to memory of 776 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1800 wrote to memory of 776 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1800 wrote to memory of 776 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4.exe

"C:\Users\Admin\AppData\Local\Temp\b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d7bc774ccecf115f1f8a80eedcbffefd
SHA1 f2920b8b753db396eca407221341d65e8bf9da6a
SHA256 0ac0ed0864e01c192f937d660fe8afb041a08a31991f6546815bf08d3e24a35a
SHA512 9193848d21c9fa3bbbae83ba2402d153ccde85ae6f6791a2b93d630b7db52e64ab88da559ee2c26dfd39030ba4b5d7b15bb11694ad5d043f15e717540b148fd8

\Windows\SysWOW64\omsecor.exe

MD5 4b175d6086345f1137f4faf70ddcd7ca
SHA1 a221d62a8719ee2092c87140626f8c4bc15de2b8
SHA256 abd302ec5830b7886db7b7ca37aec19b513f8010f5f75fc9dc105794a9cde5f1
SHA512 2acfefe8a93232d429b1b119060938187846b429a115b1b3709eba69f5a380f1cb7bc3490db4555c62c3a64c5a0d40144ddffdc5c5c4351d77836f6aba6cfe27

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5d1759f1b61ca1bb49eb743df9a08519
SHA1 dcd213bf5a9c438dabea9def23dafaf54b41b4fd
SHA256 807fb830c79a874b635aa402285b49b1f38b5327d15a8c92641e729e03dc874c
SHA512 e74727a218279d3201d8131691fc448c0f09bacaca0698ee44ea090b83df06de6c4a4d4bc766968942e4cf4ef909d64d39ea4df2f409e565fa5b3a691eff0602

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 03:09
Reported: 2024-06-12 03:11
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4.exe

"C:\Users\Admin\AppData\Local\Temp\b642a05e6f680de8c78b60295f26bf7557e8096f2d723a15dfb620bd48b461d4.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d7bc774ccecf115f1f8a80eedcbffefd
SHA1 f2920b8b753db396eca407221341d65e8bf9da6a
SHA256 0ac0ed0864e01c192f937d660fe8afb041a08a31991f6546815bf08d3e24a35a
SHA512 9193848d21c9fa3bbbae83ba2402d153ccde85ae6f6791a2b93d630b7db52e64ab88da559ee2c26dfd39030ba4b5d7b15bb11694ad5d043f15e717540b148fd8

C:\Windows\SysWOW64\omsecor.exe

MD5 db2c78f9bf4cc2c7e726c89b9a826171
SHA1 babf2be020e2e3708b539120108cc0b437fa665c
SHA256 c70e06d63d5af26285c3fa7253450878e871a0e3601a7a331e3c4a661bb329a8
SHA512 248ede3f59d7df491bd4109612246d891d14677e123ac8655d0c5db7620e71fd0f024ca95086c00ce39eec0f3d097a6f280cd44e818475e49c1f29aa54d74ef2

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 fc5c6a99ff1ab2b24ed1dc90cc26b1d7
SHA1 3687166ce302ea2aca7dac792a437caca06c7109
SHA256 aad4e4b55593985cba479d99f52c6653cbc072fbaf07c5723c049fc4026ded8f
SHA512 c91513c00a3c28921cbf6faaffaf9e17a4616e9b5dc1e317290712312158330af925b4a5a5a546c34631ff1abfd78c8daf67fedcb697a51a1118700f854a5aff