Analysis Overview

score

10^/10

SHA256

d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504

Threat Level: Known bad

The file d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 02:46

Signatures

Neconyd family

neconyd

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 02:46

Reported

2024-06-15 02:49

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1176 wrote to memory of 4252	N/A	C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1176 wrote to memory of 4252	N/A	C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1176 wrote to memory of 4252	N/A	C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4252 wrote to memory of 4644	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 4252 wrote to memory of 4644	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 4252 wrote to memory of 4644	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 4644 wrote to memory of 2944	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4644 wrote to memory of 2944	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4644 wrote to memory of 2944	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe

"C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
NL	23.62.61.97:443	www.bing.com	tcp
US	8.8.8.8:53	237.197.79.204.in-addr.arpa	udp
US	8.8.8.8:53	71.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	0.205.248.87.in-addr.arpa	udp
NL	23.62.61.97:443	www.bing.com	tcp
US	8.8.8.8:53	97.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	240.197.17.2.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	18.31.95.13.in-addr.arpa	udp
US	8.8.8.8:53	31.121.18.2.in-addr.arpa	udp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	73.91.225.64.in-addr.arpa	udp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	52.34.198.229:80	ow5dirasuek.com	tcp
US	8.8.8.8:53	229.198.34.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	13.227.111.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp

Files

memory/1176-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	5c38addb2183118c4c5d335595614407
SHA1	28096241da4aba818550bafd7734f90e4951225b
SHA256	4533882f2dcf4319e913528fc051dd7bc42bab5af3c5a56f3872c542d6b8574f
SHA512	d88c9031fba5b7c208dc31a8680b7db7abafe165aa03387d0a1f497a2c48bdc291710bc2a6460abeb9db3324f1e6b2d59b77f8163bf6ad9cce6106a6ad4f4e42

memory/1176-4-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4252-5-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4252-7-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4252-12-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5	2fded275d41bdbddf8e4e3c787f3b4da
SHA1	411e45480d9d35c91f8db535bd88143dd57b63ac
SHA256	88ac5be5897d0f0f5458eb08ff5e72ac2050ada8e68cd0ce2d4dfc030515c1e7
SHA512	080eeea92d1d9bd6dda6612529f969212262e73dbbc7f1c08ec7d59a626b0466449f77db4767d2ec2899238609b3f242db3aae8693678b8b11885951b7aba029

memory/4644-13-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4644-16-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	d3f19f985078af18d3b8aaf70476defc
SHA1	6041b3dbce64582dc3e54b1404529edb29f83aee
SHA256	c7d9a938984f83996106b62e09f5949166cad9959ea3878be344a3a0866ad693
SHA512	58e043009e66393a86e107d53f1b8ca61b01b59d9282c856e8853fb2904e9e69ff28e7191aa77f624dd8dd1a53376eb3181177d7893c4f14312f9b290e5f21fd

memory/2944-18-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2944-20-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 02:46

Reported

2024-06-15 02:49

Platform

win7-20240611-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2768 wrote to memory of 2560	N/A	C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2768 wrote to memory of 2560	N/A	C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2768 wrote to memory of 2560	N/A	C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2768 wrote to memory of 2560	N/A	C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2560 wrote to memory of 2972	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2560 wrote to memory of 2972	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2560 wrote to memory of 2972	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2560 wrote to memory of 2972	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2972 wrote to memory of 1920	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2972 wrote to memory of 1920	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2972 wrote to memory of 1920	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2972 wrote to memory of 1920	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe

"C:\Users\Admin\AppData\Local\Temp\d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	52.34.198.229:80	ow5dirasuek.com	tcp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp

Files

memory/2768-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	5c38addb2183118c4c5d335595614407
SHA1	28096241da4aba818550bafd7734f90e4951225b
SHA256	4533882f2dcf4319e913528fc051dd7bc42bab5af3c5a56f3872c542d6b8574f
SHA512	d88c9031fba5b7c208dc31a8680b7db7abafe165aa03387d0a1f497a2c48bdc291710bc2a6460abeb9db3324f1e6b2d59b77f8163bf6ad9cce6106a6ad4f4e42

memory/2768-8-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2560-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2560-12-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5	85fc7721e6d1c9933eeaba6af85c0479
SHA1	0cbe94f8c7ad64b7fcdf073d242ae48cc709b29d
SHA256	f1ffe9d22663f41dd7967c75703e6923a8aa4f82603fae2185251523225be81d
SHA512	a644540f49a1d2f0d49779bf4243304fe5724491007f663f8b49b77c54499b9030f57ef2ec0707e26d6a2c996eaefee663f0ee79d4622c9755d2eb7fbdd5b99a

memory/2560-17-0x0000000000310000-0x000000000033B000-memory.dmp

memory/2560-23-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5	a15c855cfab82287ca0e456fbbde6da9
SHA1	ac46ef2ea8e5e3bbb11a05243d31ae5a968fa656
SHA256	a0a468a777fb9b2ad43fbcc6c72629b2fc05c28dbdc343139840e3e43bf067a2
SHA512	4e08d0b14c18cf41e5d2b9b00d514988b2c7b884c84bc4128fe0b199757b8fc6f5d69e9f6bc399408f1d7ee63b2723b110c17d5544f3263ad114ce33912d408f

memory/2972-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1920-36-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1920-37-0x0000000000400000-0x000000000042B000-memory.dmp

Sample ID	240615-c9nm3awhrc
Target	d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504
SHA256	d9ed3597f67b72e850a47e91126755ac53bd5392b484773483304ea72f24d504
Tags	neconyd trojan

Malware Analysis Report

2024-09-11 08:31

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files