Malware Analysis Report

2024-09-11 08:31

Sample ID 240615-26yrasydmb
Target 7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44
SHA256 7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44

Threat Level: Known bad

The file 7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 23:12

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 23:12

Reported

2024-06-15 23:14

Platform

win7-20240611-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe             N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Drops file in System32 directory

Description   Indicator                        Process                                     Target
File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1408 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1408 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1408 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1184 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1184 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1184 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1184 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3052 wrote to memory of 1912 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3052 wrote to memory of 1912 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3052 wrote to memory of 1912 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3052 wrote to memory of 1912 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
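
The twelve rows above describe a relay rather than a single injection: each process writes into the next one in the chain, and because the sandbox logs every WriteProcessMemory call separately, each edge is listed four times. The Python below is an added example, not part of the original report or of the sandbox that produced it. It parses the rows exactly as printed (embedded here as constructed input copied from the table), collapses the repeats into counted hops, walks the chain from the one PID nobody wrote into, and flags images that recur along the chain, which is how the %AppData%\Roaming copy appears both as the dropper's target and as the SysWOW64 copy's target. It refuses branching or cyclic input rather than guessing an order.

```python
"""Rebuild the process relay from the report's WriteProcessMemory rows.

Added example; not part of the original report. Input rows are copied from
the behavioral1 table (columns: Description, Indicator, Process, Target).
"""
import re
from collections import Counter

# Constructed input: the table rows, whitespace-separated as printed on the
# page. The sandbox logs every WriteProcessMemory call, so each edge appears
# four times; the repetition is reproduced here rather than typed out.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44.exe")
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

WPM_ROWS = "\n".join(
    [f"PID 1408 wrote to memory of 1184 N/A {DROPPER} {ROAMING}"] * 4
    + [f"PID 1184 wrote to memory of 3052 N/A {ROAMING} {SYSWOW}"] * 4
    + [f"PID 3052 wrote to memory of 1912 N/A {SYSWOW} {ROAMING}"] * 4
)

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)"
    r"\s+\S+\s+(?P<proc>\S+)\s+(?P<target>\S+)$"
)


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) per row; lines that do
    not follow the 'PID A wrote to memory of B' pattern are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m["src"]), int(m["dst"]), m["proc"], m["target"]))
    return rows


def build_relay(rows):
    """Collapse repeated rows into counted hops and walk the chain from the
    one process nobody wrote into. Returns [(src, dst, src_img, dst_img, n)]."""
    counts, images = Counter(), {}
    for src, dst, src_img, dst_img in rows:
        counts[(src, dst)] += 1
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    parent = {dst: src for src, dst in counts}
    child = {src: dst for src, dst in counts}
    if len(child) != len(counts):
        raise ValueError("a process wrote into more than one target; not a linear relay")
    roots = [pid for pid in images if pid not in parent]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    hops, pid, visited = [], roots[0], {roots[0]}
    while pid in child:
        nxt = child[pid]
        if nxt in visited:
            raise ValueError("cycle in relay")
        visited.add(nxt)
        hops.append((pid, nxt, images[pid], images[nxt], counts[(pid, nxt)]))
        pid = nxt
    return hops


def revisited_images(hops):
    """Images that occur more than once along the relay."""
    seen = Counter([hops[0][2]] + [h[3] for h in hops])
    return sorted(img for img, n in seen.items() if n > 1)


def describe(text=WPM_ROWS):
    hops = build_relay(parse_rows(text))
    return {
        "pids": [hops[0][0]] + [h[1] for h in hops],
        "writes_per_hop": [h[4] for h in hops],
        "revisited": revisited_images(hops),
    }


if __name__ == "__main__":
    for src, dst, src_img, dst_img, n in build_relay(parse_rows(WPM_ROWS)):
        print(f"{src} {src_img}\n  -> {dst} {dst_img}  ({n} writes)")
```

Run stand-alone it prints the three hops 1408 -> 1184 -> 3052 -> 1912 with four writes each; the relay's last hop lands back on the Roaming path, which is why that file is listed twice in the Files section of each run.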

Processes

Image:        C:\Users\Admin\AppData\Local\Temp\7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44.exe"

Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image:        C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is started with the command line C:\Windows\System32\omsecor.exe but its image is C:\Windows\SysWOW64\omsecor.exe: for a 32-bit process on 64-bit Windows the WoW64 file system redirector maps System32 accesses to SysWOW64, which is why the "Drops file in System32 directory" indicator above records the SysWOW64 path. When hunting for this artifact on a 64-bit host, look under SysWOW64, not System32.

Network

Country  Destination         Domain           Proto
US       8.8.8.8:53          lousta.net       udp
FI       193.166.255.171:80  lousta.net       tcp
FI       193.166.255.171:80  lousta.net       tcp
US       8.8.8.8:53          mkkuei4kdsz.com  udp
US       64.225.91.73:80     mkkuei4kdsz.com  tcp
US       8.8.8.8:53          ow5dirasuek.com  udp
US       52.34.198.229:80    ow5dirasuek.com  tcp
FI       193.166.255.171:80  lousta.net       tcp
FI       193.166.255.171:80  lousta.net       tcp
US       64.225.91.73:80     mkkuei4kdsz.com  tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 37e3b1b693dd6e3cdf4bbfaff90e6f04
SHA1 72a0d46993a4ea2bea9744785821467eb67235fe
SHA256 237530d0e773f91d0ba33efb17c9ab8453117950f04dfb54c727957dd45fc834
SHA512 45663bbe3a455bde16e6561c4264d706ec8e0c9569773afffb284bee7e1bf9e8599d5f58ae30a664bc56f99bdc623810f1b908c598798d1b4402b00d08ebb7cb

\Windows\SysWOW64\omsecor.exe

MD5 9295b1ed9a751fd408b57162dd1be647
SHA1 1ff8e6d20fecdef60460124082258bdd4192933d
SHA256 aa99fcbee8bda4e00d09539bf5b85f36e7bfc817d6dad33a4461e3d9e5dd54ca
SHA512 4bcfdd251493188cf925e04806ddd94f963ab1a9bd2988f52a1941ef288540c6df044c528c947987a0fc95e303e5f818295ed44c3b93036f9149f069012f3c26

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dd8363a2debd6e2bda110b433e19df93
SHA1 02a3de1df7231c1d421d6571ac33dfdee26e492f
SHA256 7b42d4484cbe674677f1e7d0e8d93b4a2c9f24247b84e766486c2b7ab6d00fa3
SHA512 bbf393aab30d65d21dc0bfdd6beb11e725206b40af236d410a8e5d495eb53dda73e46758ed745300215b5e0e3f53848491062f06a86bed30c6b0208a19337e57

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 23:12

Reported

2024-06-15 23:14

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe             N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Drops file in System32 directory

Description   Indicator                        Process                                     Target
File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Processes

Image:        C:\Users\Admin\AppData\Local\Temp\7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7abf9a89ecea25fbc2196a2a86c847ddbdffd0118500280cf944e07ac5386c44.exe"

Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image:        C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image:        C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country  Destination  Domain           Proto
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   ow5dirasuek.com  udp
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   mkkuei4kdsz.com  udp
US       8.8.8.8:53   ow5dirasuek.com  udp
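
The two Network tables (behavioral1 above, and this one) give the hunting indicators for this sample: three query names, and in the Win7 run three hosts contacted on port 80. The Win10 run shows only the DNS queries and no TCP connections, so a detection that keys on the resolved names alone is worth keeping. The Python below is an added example, not part of the original report or its sandbox. The first function extracts domains and endpoints from the behavioral1 rows (embedded as constructed input copied from that table), treating the 8.8.8.8:53 rows as the sandbox resolver rather than as an indicator; the second matches them against log lines. The log lines are constructed for the example in an assumed key=value layout (fields qname, dst, dport), not any product's real schema. Domain matching is exact-name-or-subdomain, so a look-alike such as lousta.net.example.org does not fire, and a known IP seen on a different port is reported as a weaker "conn-ip" hit.

```python
"""Match the report's network indicators against log lines.

Added example; not part of the original report. The indicator rows are copied
from the behavioral1 Network table; the log lines are constructed and use an
assumed key=value layout, not any product's real schema.
"""
import re

NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

# The sandbox's DNS resolver: its rows tell us the queried name, not a C2 host.
RESOLVERS = {"8.8.8.8"}


def parse_network(text):
    """Return (domains, endpoints): lower-cased query names and the (ip, port)
    pairs the sample actually connected to, resolver rows excluded."""
    domains, endpoints = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        _country, dest, domain, _proto = parts
        ip, port = dest.rsplit(":", 1)
        domains.add(domain.lower())
        if ip not in RESOLVERS:
            endpoints.add((ip, int(port)))
    return domains, endpoints


def domain_matches(qname, domains):
    """Exact or subdomain match only; 'lousta.net.example.org' must not fire."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


LOG_DNS = re.compile(r"\bqname=(?P<qname>\S+)")
LOG_CONN = re.compile(r"\bdst=(?P<ip>[\d.]+)\s+dport=(?P<port>\d+)")


def match_logs(lines, domains, endpoints):
    """Return (line_no, kind, indicator) hits. 'conn' is an exact ip:port
    match; 'conn-ip' is a known IP on an unseen port, reported as weaker."""
    ips = {ip for ip, _ in endpoints}
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_DNS.search(line)
        if m:
            if domain_matches(m["qname"], domains):
                hits.append((n, "dns", m["qname"]))
            continue
        m = LOG_CONN.search(line)
        if not m:
            continue
        ip, port = m["ip"], int(m["port"])
        if (ip, port) in endpoints:
            hits.append((n, "conn", f"{ip}:{port}"))
        elif ip in ips:
            hits.append((n, "conn-ip", ip))
    return hits


# Constructed log lines (assumed format) covering a true hit, the resolver,
# a look-alike suffix, a subdomain with a trailing dot, and a port mismatch.
SAMPLE_LOGS = [
    "2024-06-16T01:02:03Z dns client=10.0.0.25 qname=lousta.net qtype=A",
    "2024-06-16T01:02:04Z conn src=10.0.0.25 dst=193.166.255.171 dport=80 proto=tcp",
    "2024-06-16T01:02:05Z dns client=10.0.0.26 qname=mail.example.com qtype=A",
    "2024-06-16T01:02:06Z conn src=10.0.0.26 dst=8.8.8.8 dport=53 proto=udp",
    "2024-06-16T01:02:07Z dns client=10.0.0.27 qname=lousta.net.example.org qtype=A",
    "2024-06-16T01:02:08Z dns client=10.0.0.28 qname=cdn.mkkuei4kdsz.com. qtype=A",
    "2024-06-16T01:02:09Z conn src=10.0.0.28 dst=64.225.91.73 dport=443 proto=tcp",
]


def hunt(lines=SAMPLE_LOGS, rows=NETWORK_ROWS):
    domains, endpoints = parse_network(rows)
    return match_logs(lines, domains, endpoints)


if __name__ == "__main__":
    for hit in hunt():
        print(hit)
```

On the constructed lines this reports four hits: the lousta.net query, the 193.166.255.171:80 connection, the cdn.mkkuei4kdsz.com. subdomain query, and a weaker conn-ip hit for 64.225.91.73 on port 443; the resolver traffic and the look-alike name are ignored.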

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 37e3b1b693dd6e3cdf4bbfaff90e6f04
SHA1 72a0d46993a4ea2bea9744785821467eb67235fe
SHA256 237530d0e773f91d0ba33efb17c9ab8453117950f04dfb54c727957dd45fc834
SHA512 45663bbe3a455bde16e6561c4264d706ec8e0c9569773afffb284bee7e1bf9e8599d5f58ae30a664bc56f99bdc623810f1b908c598798d1b4402b00d08ebb7cb

C:\Windows\SysWOW64\omsecor.exe

MD5 1a64805f89b474f1b0156981dce317e1
SHA1 1d895714a5bd8e477bb29b686011064797dec170
SHA256 d835b57ad5a8a4842ecfbb6342f577b7230077c13bdbf825045c56a3e3e7d56c
SHA512 9cf30f2b09eede169a6f070df55b95521d56bf2855eb57b39e33fdc404dbe80820775e803ccdf102ed021f34de2f3c45730f7304152fe32b14895b928de6c0f8

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1270ff441911dc89cb10021a2f50ef01
SHA1 658511b1dad48b4f692e2a24dea443a878710820
SHA256 29ffa3e1565e24e154cc44973b111dae6daf00eca6abeb122e75067c0ac7fc69
SHA512 35300fbb9a64f3ac20372e26412ec64ffbdab562b058f0c3521adaeb338fe411e0738a7313febff9cff1c18d349a9a71a1fa3c24656a605439d6e9eba255d8e2
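
Comparing the Files sections of the two detonations shows which dropped-file hashes are usable as indicators. C:\Users\Admin\AppData\Roaming\omsecor.exe appears twice in each run; its first instance carries identical MD5, SHA1, SHA256 and SHA512 in the Win7 and Win10 runs, while its second instance and the SysWOW64 copy have different digests in each run, so only the first-stage copy can be matched by hash and the later stages need path- or behaviour-based detection. The Python below is an added example, not part of the original report or its sandbox. It parses the path/hash blocks of both runs (embedded as constructed input copied from the two Files sections, with the SHA1 and SHA512 lines left out; the parser accepts any "ALGO hexdigest" line), normalizes the drive letter that behavioral1 omits, pairs the i-th occurrence of each path across runs, and reports which digests are stable and which vary per run.

```python
"""Which dropped-file hashes are stable across detonations?

Added example; not part of the original report. The two inputs below are
copied from the behavioral1 (Win7) and behavioral2 (Win10) Files sections,
with SHA1 and SHA512 lines left out; any 'ALGO hexdigest' line is accepted.
"""
import re

RUN_WIN7 = r"""
\Users\Admin\AppData\Roaming\omsecor.exe
MD5 37e3b1b693dd6e3cdf4bbfaff90e6f04
SHA256 237530d0e773f91d0ba33efb17c9ab8453117950f04dfb54c727957dd45fc834

\Windows\SysWOW64\omsecor.exe
MD5 9295b1ed9a751fd408b57162dd1be647
SHA256 aa99fcbee8bda4e00d09539bf5b85f36e7bfc817d6dad33a4461e3d9e5dd54ca

\Users\Admin\AppData\Roaming\omsecor.exe
MD5 dd8363a2debd6e2bda110b433e19df93
SHA256 7b42d4484cbe674677f1e7d0e8d93b4a2c9f24247b84e766486c2b7ab6d00fa3
"""

RUN_WIN10 = r"""
C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 37e3b1b693dd6e3cdf4bbfaff90e6f04
SHA256 237530d0e773f91d0ba33efb17c9ab8453117950f04dfb54c727957dd45fc834

C:\Windows\SysWOW64\omsecor.exe
MD5 1a64805f89b474f1b0156981dce317e1
SHA256 d835b57ad5a8a4842ecfbb6342f577b7230077c13bdbf825045c56a3e3e7d56c

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 1270ff441911dc89cb10021a2f50ef01
SHA256 29ffa3e1565e24e154cc44973b111dae6daf00eca6abeb122e75067c0ac7fc69
"""

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")


def normalize(path):
    """Drop the drive letter (behavioral1 omits it) and fold case, since NTFS
    paths are case-insensitive."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_files(text):
    """Return [(normalized_path, {algo: digest})] in report order."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            records.append((normalize(line), {}))
        elif records:
            m = HASH_RE.match(line)
            if m:
                records[-1][1][m[1]] = m[2].lower()
    return records


def keyed(records, algo):
    """Key each record by (path, occurrence index) so a path written twice in
    one run is paired with the same occurrence in the other run."""
    seen, out = {}, {}
    for path, hashes in records:
        idx = seen.get(path, 0)
        seen[path] = idx + 1
        out[(path, idx)] = hashes.get(algo)
    return out


def compare_runs(run_a, run_b, algo="SHA256"):
    """Return {(path, idx): (status, digest_a, digest_b)} with status one of
    'stable', 'varies-per-run', 'missing-in-one-run'."""
    ka, kb = keyed(parse_files(run_a), algo), keyed(parse_files(run_b), algo)
    result = {}
    for key in sorted(set(ka) | set(kb)):
        ha, hb = ka.get(key), kb.get(key)
        if ha is None or hb is None:
            status = "missing-in-one-run"
        elif ha == hb:
            status = "stable"
        else:
            status = "varies-per-run"
        result[key] = (status, ha, hb)
    return result


def stable_digests(run_a, run_b, algo="SHA256"):
    """Digests safe to use as file indicators: identical in both runs."""
    return sorted({ha for status, ha, _ in compare_runs(run_a, run_b, algo).values()
                   if status == "stable"})


if __name__ == "__main__":
    for (path, idx), (status, ha, hb) in compare_runs(RUN_WIN7, RUN_WIN10).items():
        print(f"{status:18} {path} #{idx}\n  win7:  {ha}\n  win10: {hb}")
```

Of the three paired entries only the first Roaming copy (SHA256 237530d0...fc834) comes back stable; the other two vary, so a hash-only block list built from a single detonation would miss the later stages on the next infection.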