Malware Analysis Report

2024-09-11 08:22

Sample ID 240619-gbw9rszarj
Target ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099
SHA256 ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099

Threat Level: Known bad

The file ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 05:38

Signatures

Neconyd family

neconyd

Unsigned PE

Description  Indicator  Process  Target
(no indicator rows recorded for the static analysis)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 05:38

Reported

2024-06-19 05:40

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description  Indicator  Process                                      Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe              N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Drops file in System32 directory

Description   Indicator                         Process                                      Target
File created  C:\Windows\SysWOW64\omsecor.exe   C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Suspicious use of WriteProcessMemory

Description                        Indicator  Process (writer)                                                                                 Target (written to)                          Events
PID 1936 wrote to memory of 1684   N/A        C:\Users\Admin\AppData\Local\Temp\ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099.exe   C:\Users\Admin\AppData\Roaming\omsecor.exe   4
PID 1684 wrote to memory of 2424   N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe                                                       C:\Windows\SysWOW64\omsecor.exe              4
PID 2424 wrote to memory of 1852   N/A        C:\Windows\SysWOW64\omsecor.exe                                                                  C:\Users\Admin\AppData\Roaming\omsecor.exe   4

Each of the three source/target pairs was logged four times; the rows above collapse the repeats. Every write targets the dropped copy the writer itself had just started, so the events trace a linear chain Temp sample -> Roaming omsecor.exe -> SysWOW64 omsecor.exe -> Roaming omsecor.exe rather than writes into an unrelated process.

Processes

Image path, followed by its command line. Nesting follows the parent/child chain recorded in the WriteProcessMemory events above (1936 -> 1684 -> 2424 -> 1852).

C:\Users\Admin\AppData\Local\Temp\ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099.exe (PID 1936)
    "C:\Users\Admin\AppData\Local\Temp\ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099.exe"

    C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1684)
        C:\Users\Admin\AppData\Roaming\omsecor.exe

        C:\Windows\SysWOW64\omsecor.exe (PID 2424)
            C:\Windows\System32\omsecor.exe

            C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1852)
                C:\Users\Admin\AppData\Roaming\omsecor.exe

Note the third process: its command line names C:\Windows\System32\omsecor.exe, but the file that was created and executed is C:\Windows\SysWOW64\omsecor.exe. This is WOW64 file-system redirection, which maps a 32-bit process's writes to System32 onto SysWOW64 on 64-bit Windows. When hunting for this file on a host, check both directories.

Network

Country  Destination           Domain            Proto
US       8.8.8.8:53            lousta.net        udp
FI       193.166.255.171:80    lousta.net        tcp
FI       193.166.255.171:80    lousta.net        tcp
US       8.8.8.8:53            mkkuei4kdsz.com   udp
US       64.225.91.73:80       mkkuei4kdsz.com   tcp
US       8.8.8.8:53            ow5dirasuek.com   udp
US       52.34.198.229:80      ow5dirasuek.com   tcp
FI       193.166.255.171:80    lousta.net        tcp
FI       193.166.255.171:80    lousta.net        tcp
US       64.225.91.73:80       mkkuei4kdsz.com   tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 734566f1e1534a1945e121e7dab1d812
SHA1 183e47950d92bc83147905ee8b460cebb16e8235
SHA256 3a4ce2a2c894be9fb30706a93a4ab450a90ba915a6e3d4ff0962e48fd7198686
SHA512 61255907affc5794f8ba96a398862408bfbf1d02f0b6db251e82faa7813b2db2e325eb3fb8691fccb5350b303e4e1f6c19074773e0289c8de3c759234ba5b1e1

\Windows\SysWOW64\omsecor.exe

MD5 0c4f212edeaf9872d2feaceb599a752c
SHA1 9947cdea7df0cbbe9ac9802b163234e925d20721
SHA256 664e2ba80bfef49e83bd3b279808d845000cd3a61c1560720a852a169022c916
SHA512 7c6277a60aab4521c6195d4ade2ef8acf86fc204889a73c2a730a3197f90a1e43328c51fda9e9d570aa4c26dd4a8882e921c66ea602aa9469008d9faff04234c

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 13ff99d0e2d9e438cafae115de62c0b7
SHA1 348bfc195032d9b01757d258f22e69a996309bfb
SHA256 af9d430728797eec4061e84e152e7ac092faf50e09f8b056fc9128f6a6415f0d
SHA512 4cd366da01e105084c5f2f4680713d94c97aeda3a0ad179805fab3270fad065f1033f98eae6fb5661d424e0267df5b3498f24c3b8fb255170246613430f4b0be
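The report above lists the indicators of this detonation but not how to turn them into a hunt. The script below is an added example, not part of the sandbox report or of any vendor tooling: it takes the hashes, drop paths, domains and IPs from this page and matches them against simplified Sysmon-style events (dicts with a "type" of ProcessCreate, FileCreate, DnsQuery or NetworkConnect). The event records are constructed for illustration and mirror the behavioral1 chain plus benign noise; a real deployment would feed it parsed Sysmon or SIEM output. It also accepts System32 alongside SysWOW64 for the dropped file, because WOW64 redirection makes the command line and the on-disk path disagree.

```python
import re

# Indicators copied from the report: the submitted sample plus the
# omsecor.exe copies it dropped in both detonations.
KNOWN_SHA256 = {
    "ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099",
    "3a4ce2a2c894be9fb30706a93a4ab450a90ba915a6e3d4ff0962e48fd7198686",
    "664e2ba80bfef49e83bd3b279808d845000cd3a61c1560720a852a169022c916",
    "af9d430728797eec4061e84e152e7ac092faf50e09f8b056fc9128f6a6415f0d",
    "07a6419a7cf2c40849d038e93a181cb71310f7591a61b3fc1b053cd856096b4d",
    "042ff0f74d4f07487a5f0d7fa7cd4019ecb12613d2ab98d730317b0e3fec11d8",
}
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}

# Either drop location. System32 is accepted alongside SysWOW64 because a
# 32-bit process writing to System32 is redirected to SysWOW64 by WOW64,
# which is why the report's command line and file path disagree.
_SYSDIR_OMSECOR = re.compile(r"\\windows\\(system32|syswow64)\\omsecor\.exe$", re.I)
_ROAMING_OMSECOR = re.compile(r"\\appdata\\roaming\\omsecor\.exe$", re.I)


def is_omsecor_path(path):
    """True for omsecor.exe in %APPDATA% or in the Windows system directory."""
    return bool(_SYSDIR_OMSECOR.search(path) or _ROAMING_OMSECOR.search(path))


def sha256_from_sysmon(hashes):
    """Extract SHA256 from a Sysmon 'Hashes' field like 'MD5=..,SHA256=..'."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def is_c2_domain(name):
    """Match the C2 domains and any subdomain of them."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def hunt(events):
    """Return (rule, event id) hits, in event order, for simplified Sysmon
    events of type ProcessCreate, FileCreate, DnsQuery or NetworkConnect."""
    hits = []
    for ev in events:
        kind, eid = ev["type"], ev["id"]
        if kind == "ProcessCreate":
            if is_omsecor_path(ev["Image"]):
                hits.append(("dropped_omsecor_executed", eid))
                # Parent is also an omsecor.exe copy: the respawn chain
                # Roaming -> SysWOW64 -> Roaming seen in behavioral1.
                if is_omsecor_path(ev.get("ParentImage", "")):
                    hits.append(("omsecor_respawn_chain", eid))
            if sha256_from_sysmon(ev.get("Hashes", "")) in KNOWN_SHA256:
                hits.append(("known_bad_sha256", eid))
        elif kind == "FileCreate":
            if _SYSDIR_OMSECOR.search(ev["TargetFilename"]):
                hits.append(("omsecor_dropped_in_system_dir", eid))
        elif kind == "DnsQuery":
            if is_c2_domain(ev["QueryName"]):
                hits.append(("c2_dns_lookup", eid))
        elif kind == "NetworkConnect":
            if ev["DestinationIp"] in C2_IPS:
                hits.append(("c2_connection", eid))
    return hits


# Constructed events (not real telemetry) mirroring the behavioral1 chain,
# plus benign noise that must not fire.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099.exe"
ROAMING = "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"
SYSWOW = "C:\\Windows\\SysWOW64\\omsecor.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate", "Image": SAMPLE, "ParentImage": "C:\\Windows\\explorer.exe",
     "Hashes": "SHA256=FF417196830D137CE23EE17B28DE44C96B53CB0B8A9453A092C890BAA3668099"},
    {"id": 2, "type": "ProcessCreate", "Image": ROAMING, "ParentImage": SAMPLE,
     "Hashes": "MD5=734566f1e1534a1945e121e7dab1d812,SHA256=3a4ce2a2c894be9fb30706a93a4ab450a90ba915a6e3d4ff0962e48fd7198686"},
    {"id": 3, "type": "FileCreate", "Image": ROAMING, "TargetFilename": SYSWOW},
    {"id": 4, "type": "ProcessCreate", "Image": SYSWOW, "ParentImage": ROAMING,
     "CommandLine": "C:\\Windows\\System32\\omsecor.exe",
     "Hashes": "SHA256=664e2ba80bfef49e83bd3b279808d845000cd3a61c1560720a852a169022c916"},
    {"id": 5, "type": "DnsQuery", "Image": SYSWOW, "QueryName": "lousta.net"},
    {"id": 6, "type": "NetworkConnect", "Image": SYSWOW, "DestinationIp": "193.166.255.171", "DestinationPort": 80},
    {"id": 7, "type": "ProcessCreate", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "Hashes": "SHA256=" + "00" * 32},
    {"id": 8, "type": "DnsQuery", "Image": "C:\\Program Files\\Browser\\browser.exe", "QueryName": "www.example.com"},
    {"id": 9, "type": "FileCreate", "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\Admin\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for rule, eid in hunt(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}")
```

Hash matching is the weakest rule here: the dropped copies already differ between the two detonations and within one run, so the path and parent/child rules carry the detection while the hashes only confirm a known sample. The domain matcher also accepts subdomains, since a DNS log often shows a host label in front of the registered domain.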

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 05:38

Reported

2024-06-19 05:40

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description  Indicator  Process                                      Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe              N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Drops file in System32 directory

Description   Indicator                         Process                                      Target
File created  C:\Windows\SysWOW64\omsecor.exe   C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Processes

Image path, followed by its command line, in the order the sandbox recorded them. No WriteProcessMemory events were reported for this run, so parent/child links are not shown.

C:\Users\Admin\AppData\Local\Temp\ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099.exe
    "C:\Users\Admin\AppData\Local\Temp\ff417196830d137ce23ee17b28de44c96b53cb0b8a9453a092c890baa3668099.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

As on Windows 7, the command line names C:\Windows\System32\omsecor.exe while the file created and run is C:\Windows\SysWOW64\omsecor.exe: WOW64 file-system redirection maps a 32-bit process's System32 writes onto SysWOW64.

Network

Country  Destination   Domain            Proto
US       8.8.8.8:53    lousta.net        udp
US       8.8.8.8:53    lousta.net        udp
US       8.8.8.8:53    ow5dirasuek.com   udp
US       8.8.8.8:53    lousta.net        udp
US       8.8.8.8:53    lousta.net        udp
US       8.8.8.8:53    mkkuei4kdsz.com   udp
US       8.8.8.8:53    ow5dirasuek.com   udp

Only DNS queries to 8.8.8.8 were recorded in this run; no TCP connection to the resolved hosts appears, unlike the Windows 7 detonation. The same three domains are still queried, so they remain valid network indicators even though no C2 traffic followed here.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 734566f1e1534a1945e121e7dab1d812
SHA1 183e47950d92bc83147905ee8b460cebb16e8235
SHA256 3a4ce2a2c894be9fb30706a93a4ab450a90ba915a6e3d4ff0962e48fd7198686
SHA512 61255907affc5794f8ba96a398862408bfbf1d02f0b6db251e82faa7813b2db2e325eb3fb8691fccb5350b303e4e1f6c19074773e0289c8de3c759234ba5b1e1

C:\Windows\SysWOW64\omsecor.exe

MD5 667024f046b3de0c614d3429b49da60c
SHA1 7468130b109217c83bae0fa86075bece5a6af500
SHA256 07a6419a7cf2c40849d038e93a181cb71310f7591a61b3fc1b053cd856096b4d
SHA512 a9d5b6cf095fb8bc27dc59aa3649040b7e08a0f6c7ee479589cf8f7cc3dd183cfe0cf2abdb99bfa72b913897b9d646b20ae49800113bd0deb3593b0656afb0e9

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 eeedca6e49ae97d20e73396dcc02f937
SHA1 0f144b3e3e8204488e477b3aff3c0270e1a3b71e
SHA256 042ff0f74d4f07487a5f0d7fa7cd4019ecb12613d2ab98d730317b0e3fec11d8
SHA512 234c24655c5845a0f85dfb5467b4aa514f80ef30efe56e4473b787665f94127a443f0c0c2d7c1132a19ad68b57485da85e1937ee30d1c3f2a90811c4d7ba5b66