Malware Analysis Report

2024-09-11 08:21

Sample ID: 240619-bl4hyavgjl
Target: a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563
SHA256: a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563

Threat Level: Known bad

The file a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-19 01:14

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 01:14
Reported: 2024-06-19 01:17
Platform: win7-20240419-en
Max time kernel: 145s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1760 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2680 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2680 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2680 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2680 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 1016 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 1016 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 1016 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 1016 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563.exe

"C:\Users\Admin\AppData\Local\Temp\a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1760-0-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7fc8b51706f7721741ffe16562440bf2
SHA1 71f0557bf6b8a5bbd18f3e6df1cd5f75673d091b
SHA256 0136d360e46eb1db313d5b243ee4894923da05d5dc82c5f89c6758f68dda5bca
SHA512 585ab6f1a3a642653ddd6d48204894974b792f358655f627aa826d2ee832117f3c6970df281399447aa10402c8d379c57e0299ecef8f40b9d7aa3e602c0f51f5

memory/1760-4-0x00000000003C0000-0x00000000003EB000-memory.dmp

memory/1760-9-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2680-12-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2680-13-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 71e85cb92bb6fcadf0a03f70fcba9b7c
SHA1 f242da2c424bb604b2db663fe99060993ca4537a
SHA256 d668ffb1e9fa17eb25beb46ab9ae60c2a329ada922384949ebc113e71918fd8e
SHA512 104d85c6625c50b1c9db3e65f14eeddca0a3766e93891f22434c82183a4e6357d607ef9893f4b9862229795136a5309820b082aca76c415608a123e48bec1e57

memory/2680-18-0x0000000000280000-0x00000000002AB000-memory.dmp

memory/2680-24-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2188-38-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7f1ea791a4fdff15e6905723822a9ca1
SHA1 3a9060a09c3f4e13ed2ede3d5b9f9bd306ef7c0a
SHA256 452e835e9a9549bd0456584809d69d4d59e2bc89fba393c072afd49acc9e681d
SHA512 6eb7fafd2ae3e62fb8433cfcaaef10ecf3a6ef347c2b51ce8491241b8de681435df3f947e25273d1d7c1eabc1dd709683d1299d3f8b1017d34d1a5d19ecbcfc6

memory/2188-36-0x0000000000220000-0x000000000024B000-memory.dmp

memory/2188-35-0x0000000000220000-0x000000000024B000-memory.dmp

memory/2188-30-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1016-40-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-19 01:14
Reported: 2024-06-19 01:17
Platform: win10v2004-20240611-en
Max time kernel: 145s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563.exe

"C:\Users\Admin\AppData\Local\Temp\a89b54479e26b56962e567030f0936fdd6529f005349364b944c1c956ee5f563.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1188-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7fc8b51706f7721741ffe16562440bf2
SHA1 71f0557bf6b8a5bbd18f3e6df1cd5f75673d091b
SHA256 0136d360e46eb1db313d5b243ee4894923da05d5dc82c5f89c6758f68dda5bca
SHA512 585ab6f1a3a642653ddd6d48204894974b792f358655f627aa826d2ee832117f3c6970df281399447aa10402c8d379c57e0299ecef8f40b9d7aa3e602c0f51f5

memory/1188-5-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4516-6-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4516-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 c4f1d9b52b217192a4d541661a470aef
SHA1 dde317525a22bff5776850adfd6f9ec6c95ec318
SHA256 2b9474d82ae3cc09c721ab138118064ed8f2791521e46ac309666882558349e0
SHA512 16585de3864a6628073afa886d77353fc37d8863b75a6f7a4d64791129deee3ef55d61ed99a8fa7f96c1159ee9913fd5c607f3416db322bb504cfc5cd3342bcf

memory/4516-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3524-12-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6d3e058c37897d2bd44f2fb7c2b0d14b
SHA1 8767b1024321beca3532ab85706082ea94a7a9d5
SHA256 fc7e075ace53766636a5a4d9985782511535793f3e9064088470c04cbdc331c9
SHA512 0f3a9789158d5432b26ddc5b20faf8bde232877eca140ec079e45f4627b888e6d71cabbb44a8db2c16c4e32a5269a2dcd6156095aff7d2172b9dba14d13acdb0

memory/3524-17-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1316-18-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1316-20-0x0000000000400000-0x000000000042B000-memory.dmp