Malware Analysis Report

2024-11-16 13:00

Sample ID 240519-1ewbesba9s
Target 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0
SHA256 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0

Threat Level: Known bad

The file 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 21:34

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 21:34

Reported

2024-05-19 21:36

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2384 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2384 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2384 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2384 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2256 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2256 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2256 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2256 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2860 wrote to memory of 2468 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2860 wrote to memory of 2468 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2860 wrote to memory of 2468 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2860 wrote to memory of 2468 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe

"C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 540b9b67841d4199b21880644c909be1
SHA1 529a68d19b90f49eeb0275660661734dd0071abc
SHA256 c54b077107b28100dc2a5f121e1281d4e04bcc890f8640ae9de01ccdd728f60b
SHA512 18b9566aa6b9aedfde07b68c76ef6c9e37e73b8b51770cb5fbd246f71143a8f3914b141547e0ad1a450ca4b8314ca58d501a972e01fce9e9fc267169bc0a6940

\Windows\SysWOW64\omsecor.exe

MD5 0d527f37cfeed9b2c20416a8ee34750d
SHA1 37129a3759cf88a97daf9d218d44601f2dea7db9
SHA256 0f3b9e3a64376b0e21ab5c67de30922df466127b5027f49307817817739e1843
SHA512 471f6a7ea25eee0b476e330b8005b70a0617eab20786e0c85f62ae7636c5f316143d512d57348433e111d94f97997e627337e8a92512af47fcabc8aaadac0b7d

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 05fc9aab25226c1f2da96dfa8682a93b
SHA1 bd1a7116b2f15e2927d15346ed2abe19fdae02c3
SHA256 e7dc95a8ea86d54e96a915dcfd13878f52276563ae97f16c567286567e342f58
SHA512 e621fc57387a6d696184f915583be15e409b4d22975329c49cd1a9a2f9cdb2f9ebca3e369abb83a6fd58fb84e7f2ed322bae00e8908082321851861a6969fe77

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 21:34

Reported

2024-05-19 21:36

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe

"C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
US | 52.111.227.14:443 | | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 540b9b67841d4199b21880644c909be1
SHA1 529a68d19b90f49eeb0275660661734dd0071abc
SHA256 c54b077107b28100dc2a5f121e1281d4e04bcc890f8640ae9de01ccdd728f60b
SHA512 18b9566aa6b9aedfde07b68c76ef6c9e37e73b8b51770cb5fbd246f71143a8f3914b141547e0ad1a450ca4b8314ca58d501a972e01fce9e9fc267169bc0a6940

C:\Windows\SysWOW64\omsecor.exe

MD5 1de9e1c6719ac9d020b79eb85aa3951f
SHA1 08ee657ab95b829d8730232278e20f9a10b5fcaa
SHA256 078d8748c33fd6e646a6b7a7970bf2d1f2f89089ffa13fb34d4848bff1bd2608
SHA512 93b727ef35e3601b15c36651e303bc130b8f119cf960bb478e8568808fbb3e95d69149fc7490da459a730cd29a815b5c111f410b7271ca1ff7ed6c423f46e0ed