Malware Analysis Report

2024-09-11 08:31

Sample ID: 240615-b4zygaycrl
Target: c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d
SHA256: c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d
Tags: neconyd trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d

Threat Level: Known bad

The file c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-15 01:42

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 01:42

Reported: 2024-06-15 01:45

Platform: win10v2004-20240611-en

Max time kernel: 145s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d.exe

"C:\Users\Admin\AppData\Local\Temp\c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a50932393ef193a9b2dad79d0fe7e452
SHA1 0f1cecfc74a888a8ccbbdc4d34382ad361a0e414
SHA256 c9b1841a2a9dc24b8ce6744c5bc7e917eadde3034f7a4e7600326af565ade08e
SHA512 3039109f0a2a8f72671b754442ae0e4e858d73dea74a3a2cf8589df346e5d7e9941c49614694aeaeed87cf398f5be665cb745274370e9b57c4bce8b8f6d347fd

C:\Windows\SysWOW64\omsecor.exe

MD5 2f7f462f26434f6cf2d510c2c0f0ac48
SHA1 9147f2435ccb385146b90ce67d01a79542878c62
SHA256 17c4e70759af3ef6e677abbd9df63aa275c9d3616dd02e63e4bb9205c0e25dd3
SHA512 db60beccec54631fc427406481d4d38b43f6637c65179094c5a2d5294ae4939301d48c4b3b4bd6f819f799378b3dcb2a35ca61bd8fe3b70a91a45eb8da49548b

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e9e8cb7d4622d418d240bcbd2b330b5b
SHA1 73baf14cd08d1f50809daade0632d09ecb6482d2
SHA256 2ae6c927273ac5246ae2d7effcc7af28b6425a2ffb27f38813902fd614a49a4c
SHA512 4e1f6504bc63686fa0b787b597d4993be05e560eb7ece3d6f72ea2253f073ad6e3e3bf06ff027618a885d971a546810d2e7e845b2a9690ee33022e210881f291

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 01:42

Reported: 2024-06-15 01:45

Platform: win7-20240508-en

Max time kernel: 146s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1960 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1960 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1960 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1960 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2132 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2132 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2132 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2132 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2200 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d.exe

"C:\Users\Admin\AppData\Local\Temp\c1c7f09909f6e3e69c93074eec44cc92b03db663d1465b49b71d52803848bc8d.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a50932393ef193a9b2dad79d0fe7e452
SHA1 0f1cecfc74a888a8ccbbdc4d34382ad361a0e414
SHA256 c9b1841a2a9dc24b8ce6744c5bc7e917eadde3034f7a4e7600326af565ade08e
SHA512 3039109f0a2a8f72671b754442ae0e4e858d73dea74a3a2cf8589df346e5d7e9941c49614694aeaeed87cf398f5be665cb745274370e9b57c4bce8b8f6d347fd

\Windows\SysWOW64\omsecor.exe

MD5 08f40c285018f79b94b7d0663dfa8fee
SHA1 34ef68d71d5d9e030db55847b8991e05090ae6d5
SHA256 fe77b4a5dd890d66e0453dbf913a68ece6783479aba141953a75df9705267861
SHA512 9718e614c1829f030382944f8bf9f740bf693cdd022ab59b8fac15a17bb0edbb8c3671288eb9ea0aa1360bbe26d2d9160a8bb51167eabb1633d496ee173a3406

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0100d9d631cc0198351e7b5309472d42
SHA1 a5a7e927c477ba1a69e4c7e3f3cd000d0f01bcf6
SHA256 6f36233083b916d28946bc65379410f6ded959e791c5743e1ce96be63a684a6c
SHA512 fbc97c91eac153ea11c7541c26c6bb00bc9307824667dc644b4c1b84a13e638822a6245b43135ed3bf27a099402105ff2040bb71d3c4f2c070769c65916f7cde