Malware Analysis Report

2024-09-11 08:30

Sample ID: 240616-zebrcawhqh
Target: 4118997dd4f8ca7d1be16eb5ebf2c83689dac2999fe0e3d17b0be04eb7157535
SHA256: 4118997dd4f8ca7d1be16eb5ebf2c83689dac2999fe0e3d17b0be04eb7157535
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 4118997dd4f8ca7d1be16eb5ebf2c83689dac2999fe0e3d17b0be04eb7157535

Threat Level: Known bad

The file 4118997dd4f8ca7d1be16eb5ebf2c83689dac2999fe0e3d17b0be04eb7157535 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-16 20:37

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 20:37
Reported: 2024-06-16 20:39
Platform: win7-20240611-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4118997dd4f8ca7d1be16eb5ebf2c83689dac2999fe0e3d17b0be04eb7157535.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1876 wrote to memory of 2136 (reported 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\4118997dd4f8ca7d1be16eb5ebf2c83689dac2999fe0e3d17b0be04eb7157535.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2136 wrote to memory of 2740 (reported 4 times) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2740 wrote to memory of 1540 (reported 4 times) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4118997dd4f8ca7d1be16eb5ebf2c83689dac2999fe0e3d17b0be04eb7157535.exe

"C:\Users\Admin\AppData\Local\Temp\4118997dd4f8ca7d1be16eb5ebf2c83689dac2999fe0e3d17b0be04eb7157535.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ac83df0ef24d61bc6fba52d0ff556165
SHA1 90a8bae1815124dd4a06320fd21e8ba06f34fa13
SHA256 68bcc0111f1e41bb75f08559ae5dd6b217b154db9df33d61c0eac353bd93d767
SHA512 0f0574054822d2259e991687f8f643d943f727ebe43c769df42350fcf787fcd3a529d2e73f0c49b4a78af58d8ad4e6591506f432d79c74f899bdddaf72722dec

\Windows\SysWOW64\omsecor.exe

MD5 f6315ff360a26b3cb3ea60aeb5b041b8
SHA1 bc1683cb695017265b33f8ca018356b929d34fcb
SHA256 1103f574140f584ff6fafd3b1bc94457c606a00b67f593dbb208ba5cd8e257ca
SHA512 59ef2421138ba54bb44038497363156eea35e1ff20a3db4d8ae1d0666fdd49e27094d78f3eb58055c17f386378fd7754691501ed6f8a3c17dd9eeef80814933b

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 234bdffaebd4221828e0d56ec713927c
SHA1 c0715289e5a8311eda9571c3448331f625f009ae
SHA256 3f2690eee9575d97b75c68195d371cc3c23b0fd31f121cb9c363a277cd3728c5
SHA512 42bb97751cbecbbb48b9304360e664cdfabb347eaa74ee211661f4f8764dd88ac7a20c2abde6fdaa18fc4983e0abea88579ed9b70f3dac1d9b34c482a5821eae

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 20:37
Reported: 2024-06-16 20:39
Platform: win10v2004-20240508-en
Max time kernel: 142s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4118997dd4f8ca7d1be16eb5ebf2c83689dac2999fe0e3d17b0be04eb7157535.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4118997dd4f8ca7d1be16eb5ebf2c83689dac2999fe0e3d17b0be04eb7157535.exe

"C:\Users\Admin\AppData\Local\Temp\4118997dd4f8ca7d1be16eb5ebf2c83689dac2999fe0e3d17b0be04eb7157535.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ac83df0ef24d61bc6fba52d0ff556165
SHA1 90a8bae1815124dd4a06320fd21e8ba06f34fa13
SHA256 68bcc0111f1e41bb75f08559ae5dd6b217b154db9df33d61c0eac353bd93d767
SHA512 0f0574054822d2259e991687f8f643d943f727ebe43c769df42350fcf787fcd3a529d2e73f0c49b4a78af58d8ad4e6591506f432d79c74f899bdddaf72722dec

C:\Windows\SysWOW64\omsecor.exe

MD5 af102cf3c79cde023b7a61c7800b1ec0
SHA1 678f30d0447ea17370879fcc056136e5049d6ce2
SHA256 98fcf0656a5cb2aae829f05d40989f74a4e7e90698fa581a15aa54f136b89389
SHA512 950e0a1b45f04d6889dd2ed76c96a816cdf38a866465238fcc6fc10b0bb5619e8134e70421a6a882d574e21d8ad723ec691e1f957934b476a49cbc9483d45319

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b05790d54ae59bc301bd7f6714841f18
SHA1 1ccac2257944a22b3dbab0a4daf156056543ea6a
SHA256 028b0fc81ae7d8616a8c9001af8f7d5f74b03a805fe22ab863c7dae65da02867
SHA512 f408a46903930fa297ba2365a841634cf184a82cfdd264e5d2618d665023ca09f0957e943f3c68a8b0ce124ca4fd7ea52e439370943507546bcef7722ad64f4e