Malware Analysis Report

2024-09-11 08:28

Sample ID 240622-anz3vs1hjj
Target 9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3
SHA256 9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3

Threat Level: Known bad

The file 9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-22 00:22

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-22 00:22
Reported 2024-06-22 00:24
Platform win7-20240508-en
Max time kernel 147s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1792 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1792 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1792 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2192 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2880 wrote to memory of 1980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2880 wrote to memory of 1980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2880 wrote to memory of 1980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2880 wrote to memory of 1980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe

"C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 86a79b243ef27a434c91fa3bdb9ce0c2
SHA1 ef34019665fea072ea2794647f691ac630c2a9a9
SHA256 df81167aa620081d5ac2eab5cebafc2d44292a387d4c2c61869674b18b106193
SHA512 1abbf0243a3d696db7deea7ab271e21a4f7b734da373322fc7a89d9c76117e370b3078e5f2d8f6cf357d7910ef383d61428d9263fee547c3e26c6b1213ae02e6

\Windows\SysWOW64\omsecor.exe

MD5 08da9b2a58f22a6bf0d82183fcadd3db
SHA1 9ac3e9cbca7fcc2e1b4abcb3d92161b2f14c3a40
SHA256 787a177ad9fcf6e1be9ce4ed91a2e85422d350e551dd790ab46123e4a1148e70
SHA512 ef7fc872b3844c6798f6721f980a5f200a45db25b58fac7c39346b9fe9c6dce2f3c6c7eacfdbdad4addd0dc234110c0edc100cae9eeb9e8f38e33537404b3bc0

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8b235e2c81a8294e9bd4db98b34a1967
SHA1 d836aad98f6874565c560f3a5023cb0b7031c8c4
SHA256 2d4fa9915cb8a6d8c5c9a3372bd03f6c24f57bb33b3824211fd20f810b825171
SHA512 e2d729d94cd07eaf2a34549b1be7bb71b0cc7cd56f678aef22efb2600a49e6a6898a2a8c8eecaafcdf8228b934f9e93d7e36e30c84b62aba2c5c0851ed0c7e6a

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-22 00:22
Reported 2024-06-22 00:24
Platform win10v2004-20240508-en
Max time kernel 147s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe

"C:\Users\Admin\AppData\Local\Temp\9597773a6634133454920291b96fb461bee793c79074a5a55c35874a70b874a3.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 86a79b243ef27a434c91fa3bdb9ce0c2
SHA1 ef34019665fea072ea2794647f691ac630c2a9a9
SHA256 df81167aa620081d5ac2eab5cebafc2d44292a387d4c2c61869674b18b106193
SHA512 1abbf0243a3d696db7deea7ab271e21a4f7b734da373322fc7a89d9c76117e370b3078e5f2d8f6cf357d7910ef383d61428d9263fee547c3e26c6b1213ae02e6

C:\Windows\SysWOW64\omsecor.exe

MD5 c949f12d8520185069596d0e615d40c8
SHA1 dda3e4d67f6ac97342bd98df16b9cd7ae8601ee6
SHA256 6396a8a24bf5288e693849ef15b4e5c0d1cead148a7445ff952d3b845ee04771
SHA512 ec70b725806889ab37b0f71b4f5efeeecc9e876f7ab9791574e3457264bcfddcc7cbebd2d4a7508df70b0e9fe6e44417222735247017f3ca00c347fb8d93e096

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c5362c904e6569da778c27afbf056c65
SHA1 9dd5909c22f4aca98ae8232b41df1ce22d3458ee
SHA256 c9d54d355768d2a7d795eb6b6e9a8bdf7c51d311058e55b1071428097e1e94a1
SHA512 8a539f653e8dc43ebab51c756e3bcb417f778b5552dbb696463b05b81744d40147c35e9d59aebdeb8ed5b2ee2f5d31f84ae4217a3962facd866782f546e55e88