Malware Analysis Report

2024-09-11 08:30

Sample ID 240614-1qvt2axdnc
Target 5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c
SHA256 5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c

Threat Level: Known bad

The file 5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 21:51

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 21:51

Reported

2024-06-14 21:54

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

Each process is listed as its image path followed by its command line, in start order.

Image: C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe
(The command line names System32 while the image runs from SysWOW64: the 32-bit parent's System32 path is redirected to SysWOW64 by WOW64 file system redirection, which is also why the "Drops file in System32 directory" signature reports C:\Windows\SysWOW64\omsecor.exe as the created file.)

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

All seven rows are DNS queries to the sandbox resolver (8.8.8.8), which is therefore not an indicator; this run recorded no TCP connection to any resolved host. The three queried domains are the indicators.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 55e9fcfa9514fda54daeaff58ed4f00f
SHA1 fe25fd10255e1125e976c1f8d825fae8385c2319
SHA256 f4840e14e86cfe26d97561c30deb35d22109c9456f16dce0d05f903957c8e6ac
SHA512 9ccdc11ff24a96feb2b8186d9f1c17c28371ace31531a9efe0f5e04090ad779e9970e797bb55165e2be6d475278bff3d85b69d0a516385061ea1e51936ba6f15

C:\Windows\SysWOW64\omsecor.exe

MD5 5a85ff148d85ffb162a18920831de6c5
SHA1 a0727b7f76c7a1116eb9e17fefab9c8c3173bee3
SHA256 502b9a1affd4e99dbf854e329a095c07bb1b244dd5353eaf60dbc9e49b6bc306
SHA512 51eb7b2e8b30862d5acda13d3f44e7897a6172d72867c46c39b1c867b1fe1873a4e56fda7d89c06768a91f7e3e11a9d05e5a258a98c43fb96bb457a3dc7e2912

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 852f5a878513d8eeb0f962c3bdc70ce0
SHA1 72035ba14875f92b974466abb1a7ced38577b6c5
SHA256 b1a8dc44584219327e5948f5be305d73d99aac90cccd7164f6656704a37aab61
SHA512 46e9c3e3c33a56ea7405ff6adf15f3576738c8bf4dfb4d5c98d3ae9799e3edde704e55ff67c064c6b045e73658cc62420e5de114084ffe8cf432694ecd5138b2

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 21:51

Reported

2024-06-14 21:54

Platform

win7-20240611-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1808 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1808 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1808 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1808 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2232 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2232 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2232 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2232 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2832 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2832 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2832 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2832 wrote to memory of 2896 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

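The twelve WriteProcessMemory rows above are four calls per hop of a three-hop chain (1808 to 2232 to 2832 to 2896), in which the same file name alternates between AppData\Roaming and SysWOW64. The script below, an added example that is not part of the sandbox report, parses rows in that format and rebuilds the chain, collapsing repeated rows into a per-edge call count. WPM_ROWS is a constructed subset of the table (two of the four rows per hop) and the function names are the example's own.

```python
"""Rebuild the process chain from the "wrote to memory of" rows above.

Added example, not part of the sandbox report. WPM_ROWS is a constructed subset
(two of the four identical rows per edge) of the behavioral1 WriteProcessMemory
table; columns are: source PID, target PID, Indicator (N/A), source image, target image.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

WPM_ROWS = "\n".join([
    f"PID 1808 wrote to memory of 2232 N/A {SAMPLE} {ROAMING}",
    f"PID 1808 wrote to memory of 2232 N/A {SAMPLE} {ROAMING}",
    f"PID 2232 wrote to memory of 2832 N/A {ROAMING} {SYSWOW}",
    f"PID 2232 wrote to memory of 2832 N/A {ROAMING} {SYSWOW}",
    f"PID 2832 wrote to memory of 2896 N/A {SYSWOW} {ROAMING}",
    f"PID 2832 wrote to memory of 2896 N/A {SYSWOW} {ROAMING}",
])

# Paths in this report contain no spaces, so whitespace splitting is safe here;
# quote the path columns before reusing this on reports where they might.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

def parse_rows(text):
    """Yield (src_pid, dst_pid, src_image, dst_image); non-row lines are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(4), m.group(5)

def build_graph(rows):
    """Return (children, images, call_counts). Repeated rows for one (src, dst)
    pair are counted in call_counts instead of producing duplicate edges."""
    children, images, counts = {}, {}, Counter()
    for src, dst, src_img, dst_img in rows:
        images[src], images[dst] = src_img, dst_img
        counts[(src, dst)] += 1
        if dst not in children.setdefault(src, []):
            children[src].append(dst)
        children.setdefault(dst, [])
    return children, images, counts

def roots(children):
    """PIDs that are never written to: the start(s) of the chain."""
    targets = {d for ds in children.values() for d in ds}
    return [p for p in children if p not in targets]

def walk(children, pid, depth=0, out=None, seen=None):
    """Depth-first (depth, pid) listing under pid; a PID is visited once even if
    some row writes back to an ancestor."""
    out = [] if out is None else out
    seen = set() if seen is None else seen
    if pid in seen:
        return out
    seen.add(pid)
    out.append((depth, pid))
    for child in children[pid]:
        walk(children, child, depth + 1, out, seen)
    return out

def chain(text):
    """Ordered PID chain from the first root, e.g. [1808, 2232, 2832, 2896]."""
    children, _, _ = build_graph(parse_rows(text))
    return [pid for _, pid in walk(children, roots(children)[0])]

def render(text):
    """Indented tree of 'pid  image' lines, one level per hop."""
    children, images, _ = build_graph(parse_rows(text))
    lines = []
    for root in roots(children):
        for depth, pid in walk(children, root):
            lines.append("  " * depth + f"{pid}  {images[pid]}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(WPM_ROWS))
```

Run against the full table, the call counts come out as 4 per edge and the tree is the same four-PID line; the Processes list that follows gives the image paths but not this parent-child order.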
Processes

Each process is listed as its image path followed by its command line, in start order; the PIDs are taken from the WriteProcessMemory rows above.

Image: C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe (PID 1808)
Command line: "C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2232)
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe (PID 2832)
Command line: C:\Windows\System32\omsecor.exe
(The command line names System32 while the image runs from SysWOW64: the 32-bit parent's System32 path is redirected to SysWOW64 by WOW64 file system redirection, which is also why the "Drops file in System32 directory" signature reports C:\Windows\SysWOW64\omsecor.exe as the created file.)

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2896)
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Unlike the win10 run, this run followed each lookup with tcp/80 to the resolved host: lousta.net resolved to 193.166.255.171, mkkuei4kdsz.com to 64.225.91.73 and ow5dirasuek.com to 52.34.198.229. The 8.8.8.8 rows are the sandbox resolver and not an indicator; the domains are stronger indicators than the hosting IPs, which can change between detonations.

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 55e9fcfa9514fda54daeaff58ed4f00f
SHA1 fe25fd10255e1125e976c1f8d825fae8385c2319
SHA256 f4840e14e86cfe26d97561c30deb35d22109c9456f16dce0d05f903957c8e6ac
SHA512 9ccdc11ff24a96feb2b8186d9f1c17c28371ace31531a9efe0f5e04090ad779e9970e797bb55165e2be6d475278bff3d85b69d0a516385061ea1e51936ba6f15

\Windows\SysWOW64\omsecor.exe

MD5 13a121717c1b4a16fb67c4b732d2e39f
SHA1 fd154ce01f48c11ee029da28dfa4b9f424c9d49f
SHA256 4e684610cad5558cd22f8baaed910c52214ec5f8ae21f83e926c07b37072f3f0
SHA512 a66701fde967221d11dedb2f2accdedb84984e851e9943bbf6bdf6729cc83e0f183ddbbcea89fa68d5b25596c1d5a3da70898a05cf8cd88cf032676c7a1071c7

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ff776725de8d503258123bfbab0b4d41
SHA1 556b85eac8d57357b233bb6d32a49465807302ef
SHA256 222ebba031f9d6c2b820b110f04a7592d011a21a709bf54bd5cf3e6a09a53f9e
SHA512 587137eb4097156e680794375a595096c0921e50d95480df3bb5c2c59e31bfd71443dee862c408596374603db2106e3b90b4e6face8a400b0c5a15d76d6046cd

Across the two runs only the first Roaming\omsecor.exe (MD5 55e9fcfa9514fda54daeaff58ed4f00f, SHA256 f4840e14e86cfe26d97561c30deb35d22109c9456f16dce0d05f903957c8e6ac) is identical. The SysWOW64 copy has a different hash from it in both runs, and the second write to the Roaming path has yet another hash in each run, so the file is not copied byte-for-byte at each hop and the dropped-file hashes did not match between these two detonations. The omsecor.exe name, the C:\Windows\SysWOW64\omsecor.exe path and the three domains are the more durable indicators.
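As an added example that is not part of the sandbox report, the script below turns the indicators from both detonations into hunting rules and runs them over constructed Sysmon-style events: a hash rule for the files listed above, behavioural rules for the AppData\Roaming to SysWOW64 hop and for an executable dropped into a system directory by a process under AppData (these also catch a rebuilt omsecor.exe whose hash is not in the report), and DNS/IP rules for the three domains. The IOC values are copied from the report; the event dicts, the field names modelled on Sysmon EventID 1/3/11/22, and the rule names are the example's own assumptions.

```python
"""Hunt for this report's Neconyd indicators in Sysmon-style events.

Added example; not part of the sandbox report. IOC values are copied from the
report above. The EVENTS list is constructed (hypothetical Sysmon EventID
1/3/11/22 records reduced to dicts) so the rules can be run offline.
"""
import re

# SHA256 of the submitted sample and of every dropped file listed in the report.
SHA256_IOCS = {
    "5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c",  # submitted sample
    "f4840e14e86cfe26d97561c30deb35d22109c9456f16dce0d05f903957c8e6ac",  # Roaming\omsecor.exe, 1st write, both runs
    "502b9a1affd4e99dbf854e329a095c07bb1b244dd5353eaf60dbc9e49b6bc306",  # SysWOW64\omsecor.exe, win10 run
    "b1a8dc44584219327e5948f5be305d73d99aac90cccd7164f6656704a37aab61",  # Roaming\omsecor.exe, 2nd write, win10 run
    "4e684610cad5558cd22f8baaed910c52214ec5f8ae21f83e926c07b37072f3f0",  # SysWOW64\omsecor.exe, win7 run
    "222ebba031f9d6c2b820b110f04a7592d011a21a709bf54bd5cf3e6a09a53f9e",  # Roaming\omsecor.exe, 2nd write, win7 run
}
DOMAIN_IOCS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
# Hosts the win7 run reached on tcp/80. 8.8.8.8 is the sandbox resolver, not an IOC,
# and hosting IPs change more often than the domains, so treat these as weaker.
IP_IOCS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\", re.I)
SYSTEM_DIR_EXE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+\.exe$", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def sha256_from_hashes(field):
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    m = re.search(r"SHA256=([0-9a-f]{64})", field or "", re.I)
    return m.group(1).lower() if m else None

def match_event(ev):
    """Return the names of every rule this event trips (empty list if clean)."""
    hits, eid = [], ev["EventID"]
    if eid == 1:  # process creation
        img, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        if sha256_from_hashes(ev.get("Hashes")) in SHA256_IOCS:
            hits.append("known_hash")
        # Behavioural rule for the SysWOW64 hop: an exe in a system directory started
        # by a same-named exe under the user's AppData. Catches rebuilt drops whose
        # hashes are not on the list.
        if USER_WRITABLE.match(parent) and SYSTEM_DIR_EXE.match(img) and basename(img) == basename(parent):
            hits.append("system_dir_copy_spawned_from_appdata")
    elif eid == 11:  # file create
        if SYSTEM_DIR_EXE.match(ev.get("TargetFilename", "")) and USER_WRITABLE.match(ev.get("Image", "")):
            hits.append("exe_dropped_into_system_dir")
    elif eid == 22:  # DNS query
        if ev.get("QueryName", "").lower().rstrip(".") in DOMAIN_IOCS:
            hits.append("c2_domain")
    elif eid == 3:  # network connection
        if ev.get("DestinationIp") in IP_IOCS:
            hits.append("c2_ip")
    return hits

def hunt(events):
    """Return [(event_index, rule_name), ...] for every rule hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_event(ev)]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5b2c969513f12f3dff502e2f097b8bce807602e03b1983dc4e1244d8a38bf84c.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events mirroring the win7 chain, plus two benign ones that must not fire.
EVENTS = [
    {"EventID": 1, "Image": ROAMING, "ParentImage": SAMPLE,
     "Hashes": "MD5=55E9FCFA9514FDA54DAEAFF58ED4F00F,SHA256=F4840E14E86CFE26D97561C30DEB35D22109C9456F16DCE0D05F903957C8E6AC"},
    {"EventID": 11, "Image": ROAMING, "TargetFilename": SYSWOW},
    {"EventID": 1, "Image": SYSWOW, "ParentImage": ROAMING,
     "Hashes": "SHA256=" + "11" * 32},  # a rebuilt drop with a hash not in the report
    {"EventID": 22, "Image": SYSWOW, "QueryName": "lousta.net"},
    {"EventID": 3, "Image": SYSWOW, "DestinationIp": "193.166.255.171", "DestinationPort": 80},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "ctldl.windowsupdate.com"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe", "TargetFilename": r"C:\Windows\SysWOW64\setup.exe"},
]

if __name__ == "__main__":
    for idx, rule in hunt(EVENTS):
        print(f"event {idx}: {rule}")
```

The third event is the point of the behavioural rules: its hash is deliberately absent from the list, as the per-run hashes in the Files sections suggest it would be on a real host, yet the parent-child relationship still fires. The two system-directory rules expect Sysmon's real image paths, so a 32-bit process that names System32 on its command line still shows up under SysWOW64.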