Malware Analysis Report

2024-09-11 08:31

Sample ID 240615-dvwwkaxenh
Target e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2
SHA256 e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2

Threat Level: Known bad

The file e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 03:20

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 03:20

Reported

2024-06-15 03:22

Platform

win7-20240221-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2676 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2676 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2676 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2676 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2832 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2832 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2832 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2832 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2784 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2784 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2784 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2784 wrote to memory of 2876 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2.exe

"C:\Users\Admin\AppData\Local\Temp\e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 883748e9016d6657f1da8432865d4404
SHA1 18f1842affb11ffef2d46db7c436ce84ff09223c
SHA256 cd41c339038686e7b848ef3f9f6e1623758fa2e91861605e2ef297becdf8d2ba
SHA512 093ae17fbc12ba8927693545afd912df128a3413d909ad5d2638715c257b5fb8553756f467f76c2417c8fa1e5125ce942556f99b6f1bd6b722c6f845d0784384

\Windows\SysWOW64\omsecor.exe

MD5 c4d2fcde1225102c3c3d958ec76dce49
SHA1 3571f5980d168f7375d54e14327d7d2547f9ea51
SHA256 2162f0ea9bff51684ea8ecb21e134a51e271226e24cf7ccd95f8cd3e23d33bc1
SHA512 91712cd762db335ea8b1155f05b27320fbeeb8c607da2306688927d5c4258b3d6b5aa253fd59de4fba57a133d9c37935b0b1fa81adebc2a8f8ba1064bd86e2bc

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5788a0499903aabe593e471deb14db3d
SHA1 aeced32bd3f994e2e3c2f020b9fe05abd192e952
SHA256 b6b46c5b5b966b7510fa4c586428a0d9eb9eb236ae6fa1bf24efdf94e4d797ab
SHA512 9be89a33f32f6ceb83a7289737a6dd0b103451bfb9949754115da6b618e7676de6f8c4ccdff61a78e1a097a55e6ab3d0d7ce63ec39bd2e6ef446b7acac67c95d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 03:20

Reported

2024-06-15 03:22

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2.exe

"C:\Users\Admin\AppData\Local\Temp\e819e4a3b6f58b18df96606e9f24bd4e0709ccf2de679b0e7fb6e8a1dc5c8ef2.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 883748e9016d6657f1da8432865d4404
SHA1 18f1842affb11ffef2d46db7c436ce84ff09223c
SHA256 cd41c339038686e7b848ef3f9f6e1623758fa2e91861605e2ef297becdf8d2ba
SHA512 093ae17fbc12ba8927693545afd912df128a3413d909ad5d2638715c257b5fb8553756f467f76c2417c8fa1e5125ce942556f99b6f1bd6b722c6f845d0784384

C:\Windows\SysWOW64\omsecor.exe

MD5 c5c8affa4e596c284ef5bf052df62597
SHA1 705e20f1e9017f390bacddee47636e7f5ea6433c
SHA256 5f330f537e341f3ce14c33a5882c4e7e8cd2028ffee8a39ae402870c8ccc4ac0
SHA512 8a570ad9dc9cf542fb2f6a77e5edd66ac09e35181ef4886dbcaacbf8c6e5b18722611686227262c1cfc7d6950c16b1b6bfdbdebbbeccb6b009b864a0323e4f8f

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3c1d5c26801ea2794f2cb1c1bb30aa38
SHA1 58a807c3683a061e5f37eb9afdbe7abbde626cf0
SHA256 9901c30934e48306e2677044d82e6350a08fcaf7f505907bb7b4bb0840d31b53
SHA512 506a25afd558a4c1bdef0026244a8e48b3f0643aa3778729cb1ef2b10ceaa2d27d185be2ef88489189349f42c812ff1ecb870eef76bf8045a83b66d04830d724