Malware Analysis Report

2024-09-11 08:23

Sample ID 240617-bpptys1hpk
Target b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc
SHA256 b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc
Tags neconyd trojan
Score 10/10

Analysis Overview

Score 10/10
SHA256 b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc

Threat Level: Known bad

The file b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-17 01:19

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-17 01:19
Reported 2024-06-17 01:21
Platform win7-20240221-en
Max time kernel 146s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1132 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1132 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1132 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1132 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2012 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2012 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2012 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2012 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3000 wrote to memory of 2080 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3000 wrote to memory of 2080 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3000 wrote to memory of 2080 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3000 wrote to memory of 2080 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc.exe

"C:\Users\Admin\AppData\Local\Temp\b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d36dff17d76abe1a517ba3df0f715775
SHA1 a08725a95898191179da4a07abfb2d9cf9e295ea
SHA256 380fd09e64145dcf468b47726f90be7ebd5dbe3344cb072d66ba1220364f865c
SHA512 849c416ebc68e49c8bd0145445163a857d2d0d9d19d048b96be6e28197d3125129f3bd0719d77a546b69e06324f518bf409c55d7ca9972f87254476ed75153a8

\Windows\SysWOW64\omsecor.exe

MD5 d55ea456183b06669d30292dab2b2116
SHA1 31a8ffa06880a437fc59ec01fa984d15c486d7a2
SHA256 739d31930495e6aaaa390ebf7d1c51bbc326651f82c46a1034623b0d09a72038
SHA512 1294170be9825d19e880b30cb4ba89decef15c1b8823151b85bdeb6ac8258b19b6e16ae32221a8694e6e9fa35dc40b18c6106d5bff5a9344c0f385e460eef696

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 03f1bdf6abfe9d1e6f395ba7ed251a15
SHA1 832b0ab318a286637b01772784506c295fbb4a0d
SHA256 adab47d02f291b63026ef731963fd4d481e46859a6b83d0773268240df1e11f8
SHA512 2d84bd476e2da673f588e7e0ebc287caf0b5e26659a7f7df17558db02d810b29491c01ec09c62732652924eff575377ff51ea539f6bce3e3a29f017e9c919a31

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-17 01:19
Reported 2024-06-17 01:21
Platform win10v2004-20240508-en
Max time kernel 147s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc.exe

"C:\Users\Admin\AppData\Local\Temp\b60593fdc580be38e0b6ea52a7197b8b03d50c593d04b19d9bd894e41d59e2fc.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d36dff17d76abe1a517ba3df0f715775
SHA1 a08725a95898191179da4a07abfb2d9cf9e295ea
SHA256 380fd09e64145dcf468b47726f90be7ebd5dbe3344cb072d66ba1220364f865c
SHA512 849c416ebc68e49c8bd0145445163a857d2d0d9d19d048b96be6e28197d3125129f3bd0719d77a546b69e06324f518bf409c55d7ca9972f87254476ed75153a8

C:\Windows\SysWOW64\omsecor.exe

MD5 871cc0bab5302d29d6066da9a1e02ab6
SHA1 fff9a646e98f8253f4094dcd65aa2b9fd9833322
SHA256 7a77a8b38c72a77809799044145e16a2e7596e8258fdbd7297a23b20f0ce97a8
SHA512 c493bdaf4c8966326e0df4ecd2e2ec85ef8d753650fe28e7a557e4a011842dfd13b2851116585562b5745c09081da2963c3314c1a9751cf83237abdbd81f5222

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d1e1c5d943f683a0c5b6672939f37588
SHA1 cb0f3755204029d485a0ddbe7616ec6923db5196
SHA256 5434188d508458a56353826c0af31e864f20dc5417a77c9b8b17149ef8e355b4
SHA512 c06948f499a583c6b6d1e7624ccefb25262aa71f6d3814a5b3be7ccd3644bff76a1ca4dace9ef8fb723bb2050cc5a8cb63c498c7b1b6dd7b43a7b55bf0c22138