Malware Analysis Report

2024-09-11 08:20

Sample ID  240618-ze4r5azgqm
Target     3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5
SHA256     3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5
Tags       neconyd trojan
Score      10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score   10/10
SHA256  3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5

Threat Level: Known bad

The file 3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported  2024-06-18 20:38

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted         2024-06-18 20:38
Reported          2024-06-18 20:41
Platform          win7-20231129-en
Max time kernel   145s
Max time network  146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2364 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2368 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2368 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2368 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2824 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2824 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2824 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2824 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image path | Command line
C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5.exe | "C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5     e52986ee168e1d7047383e93337b5c79
SHA1    c21e48fdc44c75eff8d7c8d0692a96678228892b
SHA256  1f480270ef537195ab187e18f62c00321bbf8b7abd987dab0d35d2224d2a70f1
SHA512  a338c29fb22b64029d1123e5f3f1432da31d3753a3613cb8402e9b3cd1acf3da97a4db7e6912b9e89732229d29a532685435f33c7db3fda24a60480ad9013bf0

\Windows\SysWOW64\omsecor.exe

MD5     73bcecce7fa102b30552e78f72247c9b
SHA1    438e61501ad70c0d73b039c5ed86f0c4728e7183
SHA256  12a52b49276fe202cafab46d87b70754e1f65547eae7b6583fa9f4b77be58835
SHA512  6291ef8690dec19e3eeb735b81a483e42bb58e132d17deb5201e7bf6689e573e84f23046ecb49ae024eef20cc954fd34689126b82cc6e8368ab13adc80d36cc4

\Users\Admin\AppData\Roaming\omsecor.exe

MD5     176f7bb648ef3308eb19f08554ea9863
SHA1    f011c44980556b0b178dc7da74f890e3d96bd798
SHA256  b8fca42a6244ce5ee06697836cd02cf588fbeed1e9f2311c5be90737fef745a4
SHA512  a0220cd96ffa75fa44dced2e7529419917a29ba569698b53e9ddfdc480c340bbfdade894d9ecbff918170e59e091c6a077cc24fb77d81d0b025693131e5f3640

Analysis: behavioral2

Detonation Overview

Submitted         2024-06-18 20:38
Reported          2024-06-18 20:41
Platform          win10v2004-20240508-en
Max time kernel   142s
Max time network  139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

Image path | Command line
C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5.exe | "C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5     e52986ee168e1d7047383e93337b5c79
SHA1    c21e48fdc44c75eff8d7c8d0692a96678228892b
SHA256  1f480270ef537195ab187e18f62c00321bbf8b7abd987dab0d35d2224d2a70f1
SHA512  a338c29fb22b64029d1123e5f3f1432da31d3753a3613cb8402e9b3cd1acf3da97a4db7e6912b9e89732229d29a532685435f33c7db3fda24a60480ad9013bf0

C:\Windows\SysWOW64\omsecor.exe

MD5     bc2ae1336e307bd149fec8516479fe55
SHA1    cc5dc76514c9ee62e7a12543e8580af7400e548e
SHA256  0c941fea428f8e19e0fa780f3a188211c090f59bb4beb994d5b8c3941c45c51d
SHA512  bcfb92c1f38f1dcf5ddcb656fcbb1fd8449c2566df5caec1b993420b7cdfdf7b1994870a523c6c47840133415f09cdfe846f890a35300444ddec59e482e235e4

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5     e8f7837fd03a03b2f885b854ab9ef111
SHA1    e2b9799d326bc6adba9ce19cf3c44c29452cc449
SHA256  3097ca48796116f8070c388ff902180f4d80c085d4977ee15d0a8d9c5d8f67dd
SHA512  551d6879bed139fd9c34f5dfbe157ff391575a64dcf164df68f3ce84d1d7d29532ca82552c98573756ddd5fada9901d5c87af8c0dc61762574c8f787b9c2f1cb