Malware Analysis Report

2024-09-11 08:31

Sample ID 240614-wzkcfavhpj
Target 060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73
SHA256 060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73

Threat Level: Known bad

The file 060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 18:21

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
(no indicator rows are recorded for the static analysis; the signatures above are the only output)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 18:21

Reported

2024-06-14 18:24

Platform

win7-20240508-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1424 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1424 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1424 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1424 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2428 wrote to memory of 344 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2428 wrote to memory of 344 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2428 wrote to memory of 344 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2428 wrote to memory of 344 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 344 wrote to memory of 760 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 344 wrote to memory of 760 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 344 wrote to memory of 760 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 344 wrote to memory of 760 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
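The WriteProcessMemory rows and the file-creation row above describe one four-stage chain: the submitted sample (PID 1424) writes into a copy of itself dropped as omsecor.exe in AppData\Roaming (PID 2428), which drops and writes into a copy under SysWOW64 (PID 344), which in turn writes into a further AppData\Roaming copy (PID 760). The Python below is an editorial example added to this report, not sandbox output and not the malware's own code: it rebuilds that chain from the rows copied out of this section, collapses the repeated rows into per-pair write counts, and flags the drop that the "Drops file in System32 directory" signature fires on. The function names and the user-writable / system-directory heuristics are assumptions of the example, not fields of the report.

```python
# Editorial example for this report: rebuild the behavioral1 execution chain
# from the signature rows. Not sandbox output; the rows are copied from the
# tables above, the helper names and directory heuristics are the example's own.
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# "Suspicious use of WriteProcessMemory" rows as
# (writer PID, target PID, writer image, target image).
# The report lists each pair four times; the repeats are kept so the count survives.
WRITE_ROWS = (
    [(1424, 2428, SAMPLE, ROAMING)] * 4
    + [(2428, 344, ROAMING, SYSWOW64)] * 4
    + [(344, 760, SYSWOW64, ROAMING)] * 4
)

# "Drops file in System32 directory" row as (created path, creating process image).
FILE_ROWS = [(SYSWOW64, ROAMING)]


def count_writes(rows):
    """Collapse repeated rows into {(writer_pid, target_pid): number_of_writes}."""
    return Counter((writer, target) for writer, target, _, _ in rows)


def build_chain(rows):
    """Order the PIDs into a writer -> target chain starting at the one PID that
    is never written to (the submitted sample). Returns [(pid, image), ...]."""
    image, next_pid = {}, {}
    for writer, target, writer_img, target_img in rows:
        image[writer] = writer_img
        image[target] = target_img
        next_pid[writer] = target  # exactly one target per writer in this run
    roots = set(next_pid) - set(next_pid.values())
    if len(roots) != 1:
        raise ValueError(f"expected a single root process, found {sorted(roots)}")
    pid, chain, seen = roots.pop(), [], set()
    while pid is not None and pid not in seen:  # stop on a cycle instead of looping
        seen.add(pid)
        chain.append((pid, image[pid]))
        pid = next_pid.get(pid)
    return chain


def is_user_writable(path):
    """Heuristic (assumption): paths an unprivileged user can write to."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p


def is_system_dir(path):
    """Heuristic (assumption): the two Windows system binary directories."""
    p = path.lower()
    return p.startswith("c:\\windows\\system32\\") or p.startswith("c:\\windows\\syswow64\\")


def suspicious_drops(rows):
    """File creations inside System32/SysWOW64 by a process that itself runs
    from a user-writable directory: the pattern behind the report's
    'Drops file in System32 directory' signature."""
    return [(created, by) for created, by in rows
            if is_system_dir(created) and is_user_writable(by)]


if __name__ == "__main__":
    for (writer, target), n in count_writes(WRITE_ROWS).items():
        print(f"PID {writer} -> PID {target}: {n} WriteProcessMemory calls")
    for depth, (pid, img) in enumerate(build_chain(WRITE_ROWS)):
        print("  " * depth + f"{pid}  {img}")
    for created, by in suspicious_drops(FILE_ROWS):
        print(f"system-directory drop: {created} created by {by}")
```

Two caveats follow from the rows themselves. The SysWOW64 stage needs write access to C:\Windows\SysWOW64, which a standard user does not have; the sandbox runs the sample as the user "Admin", so this stage may not complete on a locked-down host. And the Files sections show that only the first dropped copy (SHA256 e9e39e59…) has the same hash in both runs, while the SysWOW64 copy and the re-dropped AppData\Roaming copy differ between the two runs and from each other, so the hash of the dropped omsecor.exe is not a stable indicator; the file path, the chain shape and the System32 drop are.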

Processes

Image path: C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe"

Image path: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image path: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image path: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is launched with a System32 command line but runs from SysWOW64. The sample runs as a 32-bit process (its image is mapped at 0x400000 and it is redirected to SysWOW64), so WOW64 file system redirection maps its System32 file writes and launches to C:\Windows\SysWOW64; this is why the "Drops file in System32 directory" signature above records C:\Windows\SysWOW64\omsecor.exe as the created file. When hunting for this behaviour, match on both directories.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp

Files

memory/1424-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0b1dc4807a2382706d600df9e76d0c84
SHA1 b3b59340ed7c305e771e39679899bdb331d9271c
SHA256 e9e39e59b400a27f56c528dc55421662ca70abdb220837bdcb8eee3d9d5693f8
SHA512 aad3ba27f742e04aeaf1fb1d06fd187b2497ffcb9b21f96edf2b5b05b8a4c62f71785eb36063a0e94e267cee4d65aa074b0bc7afbd6459431c8a2ed8d0ffeabb

memory/1424-10-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1424-9-0x0000000000220000-0x000000000024B000-memory.dmp

memory/1424-3-0x0000000000220000-0x000000000024B000-memory.dmp

memory/2428-13-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 c0cc69ce9ad2929796eccc8cbc62005b
SHA1 36ff5cfd64c7402eb7e438fa7565ff82d184d534
SHA256 c35978b611cfaf3da21d662b4335e2c18d7115ad0fa10c5d6903feeac2fc4a87
SHA512 532625f9d7815ddf6601bd04a84f7c25b1f769b2b04f1cbad1a0c83e2d3c59a601ef0df552289809abba1ea900810d3d78e364e4ba0c56a779427cdf351881b1

memory/2428-21-0x0000000000400000-0x000000000042B000-memory.dmp

memory/344-23-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dde95de95d2bb45b145f445b0d389043
SHA1 982ca8af1f461020f343b490528b0d14b229bea1
SHA256 34de59083a1dfe035b80f3215354447bc8d9ec9d34b5e52f4950b666b97290eb
SHA512 3f2f51c45f31d42cb16bf12acec6fdf44b4c5e3e42635473ff6e14fcf40972eaf9b6a45163511ed050a4bb82d8e4b79dbee8411bf955a20c0f33aa8dc6fb5cae

memory/344-32-0x0000000000400000-0x000000000042B000-memory.dmp

memory/760-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/760-36-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 18:21

Reported

2024-06-14 18:24

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

Image path: C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\060ae60cdd9998990292517d27b6f17f6f3681c88317bdc54cf0c7c685b99d73.exe"

Image path: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image path: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image path: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 137.126.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
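The network table above mixes three kinds of rows: DNS queries to 8.8.8.8, the reverse (in-addr.arpa) lookups the sandbox performs for every address it sees, and the actual TCP connections. The Python below is an editorial example added to this report, not sandbox output: it reduces the rows copied from the table to the three domains the sample contacts on port 80, pairs each with the address it resolved to, and counts queries and connections. Treating bing.com as Windows 10 background traffic rather than sample activity is an assumption of the example (the win7 run shows no such traffic), as are the function names.

```python
# Editorial example for this report: reduce the behavioral2 network table to
# C2 indicators. Not sandbox output; the rows are copied from the table above.
# BACKGROUND_DOMAINS is an assumption: traffic the Windows 10 image generates
# on its own, not the sample.

# (country, destination, domain, proto) rows copied from the behavioral2 table.
NET_ROWS = [
    ("US", "8.8.8.8:53", "lousta.net", "udp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("NL", "23.62.61.97:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "237.197.79.204.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "136.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "137.126.19.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.61.62.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "43.58.199.20.in-addr.arpa", "udp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.165.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "31.121.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "mkkuei4kdsz.com", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "64.225.91.73:80", "mkkuei4kdsz.com", "tcp"),
    ("US", "8.8.8.8:53", "73.91.225.64.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "ow5dirasuek.com", "udp"),
    ("US", "52.34.198.229:80", "ow5dirasuek.com", "tcp"),
    ("US", "8.8.8.8:53", "229.198.34.52.in-addr.arpa", "udp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "64.225.91.73:80", "mkkuei4kdsz.com", "tcp"),
]

BACKGROUND_DOMAINS = {"bing.com"}  # assumption: OS telemetry, not the sample


def registrable(domain):
    """Last two labels of a name; sufficient for the .com/.net names here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_reverse_lookup(domain):
    return domain.lower().endswith(".in-addr.arpa")


def triage(rows, background=BACKGROUND_DOMAINS):
    """Per contacted domain: DNS query count, connection count and the
    ip:port endpoints connected to. Reverse lookups and background names
    are dropped."""
    result = {}
    for _country, dest, domain, proto in rows:
        if is_reverse_lookup(domain) or registrable(domain) in background:
            continue
        rec = result.setdefault(domain, {"dns_queries": 0, "connections": 0, "endpoints": set()})
        if proto == "udp" and dest.endswith(":53"):
            rec["dns_queries"] += 1
        else:
            rec["connections"] += 1
            rec["endpoints"].add(dest)
    return result


def blocklist(rows):
    """Sorted (domain, ip) pairs for the domains that were actually connected to."""
    pairs = set()
    for domain, rec in triage(rows).items():
        for endpoint in rec["endpoints"]:
            pairs.add((domain, endpoint.rsplit(":", 1)[0]))
    return sorted(pairs)


if __name__ == "__main__":
    for domain, rec in triage(NET_ROWS).items():
        print(f"{domain}: {rec['dns_queries']} DNS queries, "
              f"{rec['connections']} connections to {sorted(rec['endpoints'])}")
    for domain, ip in blocklist(NET_ROWS):
        print(f"block {domain} {ip}")
```

Reading the output against the win7 run (behavioral1) is instructive: there the same three names are queried but no TCP connection is recorded at all, so a blocklist derived from that run would contain domains only. In both runs lousta.net is the first name resolved and, in the win10 run, the one contacted most often (four connections to 193.166.255.171:80), which makes it the primary indicator; the other two are contacted once or twice over the same 152 s window.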

Files

memory/2460-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0b1dc4807a2382706d600df9e76d0c84
SHA1 b3b59340ed7c305e771e39679899bdb331d9271c
SHA256 e9e39e59b400a27f56c528dc55421662ca70abdb220837bdcb8eee3d9d5693f8
SHA512 aad3ba27f742e04aeaf1fb1d06fd187b2497ffcb9b21f96edf2b5b05b8a4c62f71785eb36063a0e94e267cee4d65aa074b0bc7afbd6459431c8a2ed8d0ffeabb

memory/2460-4-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3020-5-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3020-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 5b34fbc42c27ec5bdf30d1977b72965d
SHA1 85984a01fe90f6b67d9b10691b8ea90004498707
SHA256 eac64982fb1013a8b238418c82e4d1646382923cdb5e4fd41ce712aea17223e5
SHA512 4974632c73268ab28422f5ffb12cbe0c7ae60d65ea69cde08801c6225254f0c1f3ad7a0d7847e3dd28d07efaa45d2a475ad2f6baab5b42599b164047e10eaa39

memory/3952-12-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3020-11-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7db0378c8092c49ba7c55491ae77b869
SHA1 da794c00e110202bb342afae9793dc060bec3406
SHA256 a6d228e2569f1570eea8ca94897cdb2b075ab274e9dffd8a793ede395dfe4149
SHA512 84fe64766da80863332dd54b9c6a346624b8b16ad01f28965114915cbe416201a2085f490069dc57fcb69ba125fc1ec42f2b871c87683a9015e1acbe97bc7171

memory/3952-17-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5048-18-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5048-20-0x0000000000400000-0x000000000042B000-memory.dmp