Malware Analysis Report

2024-09-11 08:28

Sample ID 240622-2fdnfaxdqe
Target 5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14
SHA256 5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14

Threat Level: Known bad

The file 5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-22 22:31

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 22:31

Reported

2024-06-22 22:33

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2988 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2988 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2988 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2988 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3040 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3040 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3040 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3040 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1796 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1796 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1796 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1796 wrote to memory of 2332 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe

"C:\Users\Admin\AppData\Local\Temp\5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2e8019e159cf6169599b9db9225c7927
SHA1 ff3e20b23bf0902efb8f9f59d4f58508ccca9fbe
SHA256 dcf94d8e0a70fdcb693212efdfb8e1fd9664d8d19f3d22256b8c3d68b35a210d
SHA512 b50c2e54f3febb5b5a1bab7015def0df5ab98549644c59cf8e91ba58a74ae9e536cab1766c57136a1a709a231be94da51400729e23169d8fa11fa29d16f51385

\Windows\SysWOW64\omsecor.exe

MD5 fb576adf04d5a4f5f8584b675cb8164f
SHA1 69c25d8d1127624aecc51d8fea07348e87051ac5
SHA256 d25b0262445184f066851a6540e14742fbe8e357586b0946259e874cf6ab8bd7
SHA512 f5faa85143a9b44518cb4c5df6a0720c221b0ba3ed7a2effb2c83677409e1afc76a720ace3625f0a367c0bf9cb4880d024d9d4e976d90f615943c1fce5f62b92

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8f86bf84d62c7b8d4f706485aec06ea8
SHA1 454a049f89ee754e6d962ca11eef4f0f4b42b8cb
SHA256 22f7fb5ba3470902102403337548e10ab9be95ce10e26fe9b7f21bb6fe9490e0
SHA512 8b8388c20c1a51787263a03ba1f6d9b947229c0faefa936717bad7c0983c6c7d4de064172673b67a68f0af1901a0efa12c11ae5362810170dbfc12eebaa73890

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 22:31

Reported

2024-06-22 22:33

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe

"C:\Users\Admin\AppData\Local\Temp\5a93186c290d62ba1631b75affb13915af593b50d3ce2d8aa17c4d6f45a1eb14.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2e8019e159cf6169599b9db9225c7927
SHA1 ff3e20b23bf0902efb8f9f59d4f58508ccca9fbe
SHA256 dcf94d8e0a70fdcb693212efdfb8e1fd9664d8d19f3d22256b8c3d68b35a210d
SHA512 b50c2e54f3febb5b5a1bab7015def0df5ab98549644c59cf8e91ba58a74ae9e536cab1766c57136a1a709a231be94da51400729e23169d8fa11fa29d16f51385

C:\Windows\SysWOW64\omsecor.exe

MD5 61ed4fbe79ddb13a85b1645a78c4479c
SHA1 c392e638787a43483e5185dd2652fa73ec029e7b
SHA256 5f5bf8a31e343dbbf6528d3d6353d1688a715f61f9d10c15d6b3147ad8fe1474
SHA512 a82e4092efc4bd0a353704aee62a543066f4a66ee8eb57ef44d5cd03d2bc3d4e49490f0d62f82b6deca1711e091157fcfb8079b3fc5e2b6d057553e0b8fa6839

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a5124f4bdc4b120f2b93f270d7a4d667
SHA1 40ef17b4718e0331569a392d7ee77df0b1d3b5bb
SHA256 50dae432002b9634e8ae1ea6080dd48c2ff23a8ac4484a1449489e63e43beb80
SHA512 e108fd5825f4b53f5eb3aeadbe1aecbaccafe1b10676b902c1c1a1715896ca73f6e1c0e839201a11cec2e46133100faafcab540cfc0986bbf0d7540777d92893