Malware Analysis Report

2024-09-11 08:18

Sample ID: 240614-14w91ssajl
Target: 657b45635a1a03280ef5bfeb2b11e3c1e4cabb589a6debde60c6cc6782c82f33
SHA256: 657b45635a1a03280ef5bfeb2b11e3c1e4cabb589a6debde60c6cc6782c82f33
Tags: neconyd trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 657b45635a1a03280ef5bfeb2b11e3c1e4cabb589a6debde60c6cc6782c82f33

Threat Level: Known bad

The file 657b45635a1a03280ef5bfeb2b11e3c1e4cabb589a6debde60c6cc6782c82f33 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 22:12

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 22:12

Reported

2024-06-14 22:15

Platform

win7-20240611-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\657b45635a1a03280ef5bfeb2b11e3c1e4cabb589a6debde60c6cc6782c82f33.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1284 wrote to memory of 948 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\657b45635a1a03280ef5bfeb2b11e3c1e4cabb589a6debde60c6cc6782c82f33.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 948 wrote to memory of 2084 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2084 wrote to memory of 2924 (4 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\657b45635a1a03280ef5bfeb2b11e3c1e4cabb589a6debde60c6cc6782c82f33.exe

"C:\Users\Admin\AppData\Local\Temp\657b45635a1a03280ef5bfeb2b11e3c1e4cabb589a6debde60c6cc6782c82f33.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a767f281aa92d1683c0ce1880f0bf983
SHA1 fc0c644179a6b26f985aeb0508a68cdb9ed4035b
SHA256 396e7567bf69b54477a92a51a3f80ef06efc31f32fa795a4b5d0836e67fe6806
SHA512 31ab7338cf6cb2ea4303119627316a5394a856542b3ae23f98ad0bc4daf1afca37b9ed395e03e5581d7277f1579d997eef1a3d9664151dd6b0c892bf9d0a642f

\Windows\SysWOW64\omsecor.exe

MD5 c78e6618b0286d5c47b11cf5d6780c17
SHA1 01b30b9e3a8435cfcc354e9b826dc118111a0962
SHA256 d9be523d715d6290fce4c67ac4902a0021bbaf688e3d049889f62ff263b8980f
SHA512 7481784e03a01938710da8cc54f8ed7c1827a0ba29a2b8cdfd478d4de9dcfd42be71aa1a58e8853aa1d424e2b0026c4c6ffa29241213567a789177f626cdba95

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 87996ac7e94566f716612b5bcdedb520
SHA1 6ab790a6f07d47805011bb65d108d21f681e1dd3
SHA256 582d3b805c24a8065c69be27c8080910d8e66fdd018f4c3cd22408caf4441617
SHA512 420d9d8454437302e27163035cfcffb910d21ed2ca0cd63da0a7468ea1f8431a76882db282f377a6f63ea97e38debe9f18fe151197d8bc4a2b4de1e0bf5eae86

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 22:12

Reported

2024-06-14 22:15

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\657b45635a1a03280ef5bfeb2b11e3c1e4cabb589a6debde60c6cc6782c82f33.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\657b45635a1a03280ef5bfeb2b11e3c1e4cabb589a6debde60c6cc6782c82f33.exe

"C:\Users\Admin\AppData\Local\Temp\657b45635a1a03280ef5bfeb2b11e3c1e4cabb589a6debde60c6cc6782c82f33.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a767f281aa92d1683c0ce1880f0bf983
SHA1 fc0c644179a6b26f985aeb0508a68cdb9ed4035b
SHA256 396e7567bf69b54477a92a51a3f80ef06efc31f32fa795a4b5d0836e67fe6806
SHA512 31ab7338cf6cb2ea4303119627316a5394a856542b3ae23f98ad0bc4daf1afca37b9ed395e03e5581d7277f1579d997eef1a3d9664151dd6b0c892bf9d0a642f

C:\Windows\SysWOW64\omsecor.exe

MD5 4afe3d65bf5fba3d6fd1e59b03a98795
SHA1 252a7f720b3da4c6aba202a27e99bf12e6e7ea51
SHA256 682517bc9d63147ca9d113a9dccd729bdfb7983c4520a236730ed7ba2d94d6d6
SHA512 e75b517af97713d557c8b547ec0ca7cae332cf91d86540d1187021e6bbd426dee836fd90d2f247325c88f212c0086e76cf90f6a706d3d6118c92a970837b6a5f

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 50ad4632871465e35ca6b3b322a95863
SHA1 355cf5d7562217c7edfc5515b376de4e25c65a8c
SHA256 e0db9c79c3643c01c61fdf5529d4c0fae152e9c13365d9b3936d35639f81e8bc
SHA512 ac8773bd1f49a8e8a69dd759d751fce24fa532d50693d8969ffaee4816f6b3e1533981ef1459d1ebcd7ad818e17d725e0761d64718ba43fc842dc73b309efc25