Malware Analysis Report

2024-09-11 08:18

Sample ID 240616-wpqrga1dpg
Target 0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf
SHA256 0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf
Tags
neconyd trojan
score
10/10


Analysis Overview

score
10/10

SHA256

0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf

Threat Level: Known bad

The file 0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 18:06

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 18:06

Reported

2024-06-16 18:08

Platform

win7-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1740 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1740 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1740 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1740 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2260 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2260 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2260 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2260 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1696 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1696 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1696 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1696 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf.exe

"C:\Users\Admin\AppData\Local\Temp\0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a51bff148e36273188a45a144a728522
SHA1 46e67da787e33baa402e3c910c710001677b7d37
SHA256 8cda2b7e4aad246a91b75eaead0b91d259e7ea6408e331b2958d66aba9381a43
SHA512 61871d83f526b4e465568d0563e63ebd09d9be3dd445bcbe24a43b7f42d459158d9b0cd0b74f5c1a086399e609c65f28284ec49bd07adc90c7eac98e3709da0e

\Windows\SysWOW64\omsecor.exe

MD5 feac5f768d5ba41626f6886f5a985809
SHA1 ff50079fdfb6eed3619c815026819b2034bf71ec
SHA256 9de701aceae87e0a70e23a1c3b3b5b18637655c957aa6ce04f75f83226310db5
SHA512 5e64845bcdb22760408a50ce034957ad69af6301c5c68d7b3b77f0327adc62dcdda6b7deda09c96aaa06bfad9cac1739e541feb2066c57e9b19312a30d642107

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 98b46f3f100bb231e8cf77cda878bb17
SHA1 15a37f7b37ace7931ad0314ffbc27d0a9024755b
SHA256 01ed2046c55321280976e3bfd82c369cbd48b56ea2b118a56844277825b2e2ce
SHA512 5779633760285e3caff0e3e94306bed1d4c676c199c7e53c6a4825f3595bab0e482f3a80d07465491e686cb81e4d5e2e5b92257886e8e3fc3c11407387e3521b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 18:06

Reported

2024-06-16 18:08

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf.exe

"C:\Users\Admin\AppData\Local\Temp\0049a22ff1301969983ff3bfdfd4d5c7ffae7596aa9e189c9c162b37ae44fecf.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a51bff148e36273188a45a144a728522
SHA1 46e67da787e33baa402e3c910c710001677b7d37
SHA256 8cda2b7e4aad246a91b75eaead0b91d259e7ea6408e331b2958d66aba9381a43
SHA512 61871d83f526b4e465568d0563e63ebd09d9be3dd445bcbe24a43b7f42d459158d9b0cd0b74f5c1a086399e609c65f28284ec49bd07adc90c7eac98e3709da0e

C:\Windows\SysWOW64\omsecor.exe

MD5 9e6c007b7fda26a307703b437ea71c10
SHA1 0393de8cb98aa905a29dafc432daf164dbdd43bb
SHA256 0244ff827ea1f891e91f65ad2d15777960460929940c62588837210390c72a7a
SHA512 a0cafcff985a6967ae194bb79aad9d2639f866bcf7eeb59ae86acb4c52c210dab6d5ff794bd1747449dc74c342ddc18a27be6ba2f5abfe7cc2de4d8f574a93e2

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 19b56be2c4d6821c8da294625ed85c74
SHA1 20d6036d9932760adac5382c669cdd099a816252
SHA256 443e536091d430bf6893c24514d04ed4ec6c7affe571655fd51d0dfbbcdd90a1
SHA512 1ffedd8fe10e623d00f2d0fede3b5f1e11e1dd128d6e1657da809196aa507444eae9144669f5abbf7be3fbf92e9e1ef2a3e0415cd9ec19a100c299e41261f9c1