Malware Analysis Report

2024-09-11 08:28

Sample ID 240620-15m3qszbra
Target 55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef
SHA256 55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef

Threat Level: Known bad

The file 55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-20 22:14

Signatures

Neconyd family

neconyd

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 22:14

Reported

2024-06-20 22:16

Platform

win7-20240611-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description   Indicator   Process                                      Target
N/A           N/A         C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A
N/A           N/A         C:\Windows\SysWOW64\omsecor.exe              N/A

Drops file in System32 directory

Description                    Indicator                          Process                                      Target
File created                   C:\Windows\SysWOW64\omsecor.exe    C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A
File opened for modification   C:\Windows\SysWOW64\merocz.xc6     C:\Windows\SysWOW64\omsecor.exe              N/A

Processes

C:\Users\Admin\AppData\Local\Temp\55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe

"C:\Users\Admin\AppData\Local\Temp\55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a7b84bdcd2a91e84ca55c027087f74f4
SHA1 3bfbdffae72dc6355c50ab7782313646560b759c
SHA256 1766a9f8a538544bc7793e7fe7c9b0b020eda640e6b77f021ac4b34dfefbe086
SHA512 e5c2975bd2536dd4c9600a8333dcff16516bd7b0d5f2aefe0f2d81761f2d1eed334a59e462bae4636b899ab1d131386b720354fbef08e2cc932117847c1fc443

\Windows\SysWOW64\omsecor.exe

MD5 3c0a2122b9bcf609d172dd731caead9c
SHA1 e979e3f3431c5ee0b8f5156c2f78c9242b050e78
SHA256 90964ff15ec3decb1ca3dcf7cd860080c1f59a08fedfbe928adf3456ebfdcf9b
SHA512 b71d8b934cf5d6686f65c6b9160639948ecfe04ba05f1b3e0b99e76c1e9d5952c26ebef17f93b0288489ed3217979cc195d4b8c2494610393b096584349477d9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 22:14

Reported

2024-06-20 22:16

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description   Indicator   Process                                      Target
N/A           N/A         C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A
N/A           N/A         C:\Windows\SysWOW64\omsecor.exe              N/A
N/A           N/A         C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Drops file in System32 directory

Description    Indicator                          Process                                      Target
File created   C:\Windows\SysWOW64\omsecor.exe    C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe

"C:\Users\Admin\AppData\Local\Temp\55fd85a42d6c863cd78087f34922df33c0b80eaa53a907d2c8968de9029c67ef.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4120,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a7b84bdcd2a91e84ca55c027087f74f4
SHA1 3bfbdffae72dc6355c50ab7782313646560b759c
SHA256 1766a9f8a538544bc7793e7fe7c9b0b020eda640e6b77f021ac4b34dfefbe086
SHA512 e5c2975bd2536dd4c9600a8333dcff16516bd7b0d5f2aefe0f2d81761f2d1eed334a59e462bae4636b899ab1d131386b720354fbef08e2cc932117847c1fc443

C:\Windows\SysWOW64\omsecor.exe

MD5 40b13e53a5ac8a9e6525bb1823cfc378
SHA1 1a652b478d8e020e0be3443a83e97617682a7487
SHA256 777470e56723728b9b4cf247e581101c371fb1da1381a1ce3da1bca7d574cf6e
SHA512 74137cfea6c9e7fc08b5fee1ae8c3d780557703869697453cdcd10940a1a44905d6cae3cf96a04247b191f83396bd81494b5bd5b57f0fc1b85287d5f4f0ec4fa

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7cacb8f7563cf597e383fe61f058d52d
SHA1 eb0ba745a269d3ce32f6501f901a1da82b5cc8d9
SHA256 0ad0796e722b92577e62290599efa8f65244a40e1957c334f60cad28223fb785
SHA512 985539360f19c3471142111837fdd09368ef15f5b2ef93f4ef7eb61d49ef8309d8026562ef56c867033244926e19941f392682c3c9614323dc04b41b6db2cee5