Malware Analysis Report

2024-09-11 08:28

Sample ID 240620-ct3r2sxhjm
Target ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1
SHA256 ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1

Threat Level: Known bad

The file ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-20 02:22

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 02:22

Reported

2024-06-20 02:25

Platform

win7-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical events)
PID 2792 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe (4 identical events)
PID 2684 wrote to memory of 1660 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe

"C:\Users\Admin\AppData\Local\Temp\ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4fd26d096e4300c1d1c8b66043c7494d
SHA1 ea095c0ab2d6e712f27ba5013c418646beebaea8
SHA256 a1f6737ebe01aff242ec731526e293b85ed0c24648e826042dcd1ea95d32e88a
SHA512 ff9db681cc0ab4c2d6ad78bf7a857aa9a3d32d3c7a985393d9eebadf26be4260840dcf6bdcfee09d5c95c97d3d502401e78337d01472b4814a55b530a75aaa15

\Windows\SysWOW64\omsecor.exe

MD5 41fa32c8593c610b2069bcc4fb34c4d3
SHA1 e4f99099d998f9dfe2d52aba6add7524f59d2584
SHA256 5abad2dc3edb7b16638f15bc715ca5af1681e792ced84580644dd813d9bd74f6
SHA512 2255f271103f0a4620b1e411013a0e8e2e6dc6a6bed4cf5279c2052fbb8c4d616735eef58c3e3d127239210de532fcd6c2237b9c5050761f43edc05b3c5c52ad

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8a78968eca8580088ce1adc12edf12f4
SHA1 d3b3b54ec73b49766697e04a8c254b76b5fe231b
SHA256 1a652e5fb1571f285195485e3fac137504df448c636daa873d1240ddf9136834
SHA512 c80480c78ca4a376faee485841d7eeee5a0af82721c8a98fd22c62367461820989d3e4b7c5357f2b4621d7f4351db7a26285c8b2040ce6e37ecae3f23ea2d7d3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 02:22

Reported

2024-06-20 02:25

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe

"C:\Users\Admin\AppData\Local\Temp\ba44d36d95b532f9c618d838c3dbe162e02c9650d089f95c25d97cd67cdacca1.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4fd26d096e4300c1d1c8b66043c7494d
SHA1 ea095c0ab2d6e712f27ba5013c418646beebaea8
SHA256 a1f6737ebe01aff242ec731526e293b85ed0c24648e826042dcd1ea95d32e88a
SHA512 ff9db681cc0ab4c2d6ad78bf7a857aa9a3d32d3c7a985393d9eebadf26be4260840dcf6bdcfee09d5c95c97d3d502401e78337d01472b4814a55b530a75aaa15

C:\Windows\SysWOW64\omsecor.exe

MD5 6e809e7dac3a51efdb0a897a8b31cb75
SHA1 194a4042676be295ca961ed26d2da8c04c0720de
SHA256 4401fd62390f1cbdc977a0add989b2517cb030c5c642a3bbf77b6be4da1e6fce
SHA512 e593b2ef53dc0aff16a0893012b1cedd174116f04999d0d2bf739c9388e4689a167b83ed0b077877136db60e9f411e7f0edcb4a52d69d4c4ad523ab0e04dda45

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 11254dd14258ba0fec3d4b265918c155
SHA1 43e64da7deb57269f6dffc3d354453618038deb5
SHA256 15e466d5145752e1ba9d815b2177f1ac0f6e21a2e6772e0948b7b4d13b64f078
SHA512 52055f8a302d6b5a2a08248af1b7ded18b22cf9a647fbbef8e6db8838b05da413e2112a95cbad77b37a9f47ed91245412130596ba8ec8d86d34b11a1a7f9866c