Analysis Overview

score

10^/10

SHA256

a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52

Threat Level: Known bad

The file a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:09

Signatures

Neconyd family

neconyd

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:09

Reported

2024-06-14 02:12

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2232 wrote to memory of 1004	N/A	C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2232 wrote to memory of 1004	N/A	C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2232 wrote to memory of 1004	N/A	C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2232 wrote to memory of 1004	N/A	C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1004 wrote to memory of 1632	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 1004 wrote to memory of 1632	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 1004 wrote to memory of 1632	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 1004 wrote to memory of 1632	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 1632 wrote to memory of 296	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1632 wrote to memory of 296	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1632 wrote to memory of 296	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1632 wrote to memory of 296	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe

"C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
US	8.8.8.8:53	lousta.net	udp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	8.8.8.8:53	lousta.net	udp
US	8.8.8.8:53	lousta.net	udp
US	8.8.8.8:53	mkkuei4kdsz.com	udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	90bb1f258cd7a6be665ee434224380ae
SHA1	4b3726e735b1cae54b66cc4ae8b1101288a2a85f
SHA256	2969d19775eaaa6336243da9dc6aa8758cf7ff0fa9b31d0d677473a033909666
SHA512	d14503b5f2ad6ed2b08ab00171104a0bd635d4998d7290ab0746d7138a014b587409f8bda96a720e303f3fb497372bfa73298be579a972c183dbea5309a753c6

\Windows\SysWOW64\omsecor.exe

MD5	cc05888f40ddf4875174487c7f267d8e
SHA1	e99e90003a4b41b5a3b236643f187c05d7385193
SHA256	c91e383b778af0e50ce0d5558c4a7adc5b3e5c018483150698b80131249c552d
SHA512	3d7f0ef3c72163af2c857ccc8fcb3a47aa0e164c01aba4da9aa7e8759e0be3dc604bc022ef24e699a7e806f86bd0d8c392bbf1ff81367ab7eb9b73c479e0f5d2

\Users\Admin\AppData\Roaming\omsecor.exe

MD5	c5e91e3c8cd1ac6e64ef371c1da92a40
SHA1	6e566ff5cd8b2630b464a41fac968e9a1f90a324
SHA256	fc6a0ef188b003a801be3cd07dd9e2f0be3011805520ad4981c8f7f80cdc56a7
SHA512	7a2d2734ce8a102a5439f7b0f901e75797cc412d933920b3eb8cbc27a0119bc62e45a2ed2e3e019904058bc0d9031539b667f3b8cd3298b4c1069e8fac1efb8b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:09

Reported

2024-06-14 02:12

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 3536 wrote to memory of 4176	N/A	C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3536 wrote to memory of 4176	N/A	C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3536 wrote to memory of 4176	N/A	C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4176 wrote to memory of 4512	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 4176 wrote to memory of 4512	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 4176 wrote to memory of 4512	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 4512 wrote to memory of 1452	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4512 wrote to memory of 1452	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4512 wrote to memory of 1452	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe

"C:\Users\Admin\AppData\Local\Temp\a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	0.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	83.210.23.2.in-addr.arpa	udp
US	8.8.8.8:53	88.156.103.20.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	26.165.165.52.in-addr.arpa	udp
US	8.8.8.8:53	15.164.165.52.in-addr.arpa	udp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	73.91.225.64.in-addr.arpa	udp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	52.34.198.229:80	ow5dirasuek.com	tcp
US	8.8.8.8:53	229.198.34.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	21.236.111.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53		udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	90bb1f258cd7a6be665ee434224380ae
SHA1	4b3726e735b1cae54b66cc4ae8b1101288a2a85f
SHA256	2969d19775eaaa6336243da9dc6aa8758cf7ff0fa9b31d0d677473a033909666
SHA512	d14503b5f2ad6ed2b08ab00171104a0bd635d4998d7290ab0746d7138a014b587409f8bda96a720e303f3fb497372bfa73298be579a972c183dbea5309a753c6

C:\Windows\SysWOW64\omsecor.exe

MD5	b3cf6fd6e159ae43077c05594f5beba2
SHA1	73c5d5563e5d7c62287c51d0a67cc5f92e6dfcb7
SHA256	2d23554e9b757f142774fa738fc03917622deed8cbf9d49622f1ddb65991869e
SHA512	2e16e41be3abbe9d84deb7df0b0fcc3ce0dd1e82c38f607ff078593d1ba1a97d494008cce5704e05abec609f5ec0e67315314568b180d67db25e9e41b79ada0a

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	c1dbeda86d44b12fc1199d439103dd8e
SHA1	4b9ae524a7c1aa7f11c0fc63fe3144bc82e2d410
SHA256	c3864f56d29e09519af53f2e2b3144fca851f2f266847c8e8099098b76267e1c
SHA512	13c28b939a2416aa798a80f2aa49e987cf5a7194908b06e839c804cb9f4554a307e81bf04b860664f7295c42ab07c31e0592144a7555fb445d9e2edc96f04def

Sample ID	240614-clfbsa1gjc
Target	a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52
SHA256	a4b7b70b791d631931dc8182df08d66877f04c609cc1cf4575fb0b34ad5eeb52
Tags	neconyd trojan

Malware Analysis Report

2024-09-11 08:31

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files