Malware Analysis Report

2024-09-11 08:32

Sample ID 240614-cazw2s1bqh
Target 9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8
SHA256 9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8
Tags neconyd trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8

Threat Level: Known bad

The file 9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:53

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:53

Reported

2024-06-14 01:55

Platform

win7-20240419-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3012 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3012 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3012 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2100 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2100 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2100 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2100 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2364 wrote to memory of 2376 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 2376 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 2376 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 2376 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8.exe

"C:\Users\Admin\AppData\Local\Temp\9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d31df0f6138a0d3a206dcc92eb6bd72f
SHA1 83d66d145bf33e00c7f8e35ba4f3dabf93574c4e
SHA256 99d3af30b6dc9f6dc87a261487b3c4c100c62e8570544c5a6372b4acc4e1de66
SHA512 2551c2190e4a5c387be28f98f62a13510ab1fb38c11d40cc7151043739457d5c9502ad49b66a4bde5ecd3efb39b1d8011e8289e9cdab63980844624d111e571f

\Windows\SysWOW64\omsecor.exe

MD5 2eac5fd052e15ea8bfdf99e600734755
SHA1 d0b4ccad08bb2ad739a2a638890e66c7b2f33237
SHA256 2d4f5cfac96f3a23e2704ec8c9ed8297354a826e18c762877f5b714ecc146eaf
SHA512 24ae5e7217ab0ca14635a91ff99472caddb0f06434560075441042121e0c28ccdf6be48456a9627f3c59306540775b0e2191ea2a2af8b1db1e04b1d819aa6f98

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 87d8816eb0d04073f5dc94f0fcd3183d
SHA1 6ebe489d2dd56d49cd7ecc195a22ba4d93808473
SHA256 9100d445f871ceb9e53f0288816bd2a22c51d39fbe22b10876012e1f8ae5d71d
SHA512 c5d2174615e7da88352990436ed57dc247d76d378857ab87b582cffd1218c0c9b8e05f13707e685e8298ef7b7a94282daf9f754c1deae42635e879bd15e39b67

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:53

Reported

2024-06-14 01:55

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8.exe

"C:\Users\Admin\AppData\Local\Temp\9d031ae544e7e74b5cf556e8661bce02d34cb2dff8c27ea1a3e9c57260baa1a8.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d31df0f6138a0d3a206dcc92eb6bd72f
SHA1 83d66d145bf33e00c7f8e35ba4f3dabf93574c4e
SHA256 99d3af30b6dc9f6dc87a261487b3c4c100c62e8570544c5a6372b4acc4e1de66
SHA512 2551c2190e4a5c387be28f98f62a13510ab1fb38c11d40cc7151043739457d5c9502ad49b66a4bde5ecd3efb39b1d8011e8289e9cdab63980844624d111e571f

C:\Windows\SysWOW64\omsecor.exe

MD5 7f7b7678c9157678fa99254e6233fbe4
SHA1 e6ae80b5c07cf28b8007563dbc2390aa9b2113ac
SHA256 2b660c5084e810d9463e8bb7e42e05c018c96af1c0220a3d769993806cdd61fe
SHA512 fdbd614ff0cba0f06e1a65c6ac8a669a735fbf5cd4b576117c47b9e34735573f0aba18ba7ea8ec81aabc946e6a0186ba7f335b5800f89265ddce40cf6cf3b805

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f2352a56ae0be3c707b6dbd1893b5fcc
SHA1 11539f28421d1371fe81d2332d0349490140b309
SHA256 0bf7d7eeaced2da9e8534fdc5604e308d10d66e2a3f47c3b85000cd540cb5910
SHA512 79793a54fc18ab30e8cabb443b21d0d1ab559023d632e893c968653b5adb6edc3f0c5ccf662a3c3520eb207287c112390cc2c2fad81eafdc7c6294c404792a10