Malware Analysis Report

2024-11-16 13:00

Sample ID 240519-3vyslahg7v
Target 8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b
SHA256 8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b

Threat Level: Known bad

The file 8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 23:50

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 23:50

Reported

2024-05-19 23:53

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2988 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2988 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2988 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2988 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1964 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1964 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1964 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1964 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2692 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2692 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2692 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2692 wrote to memory of 1868 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe

"C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 104.155.138.21:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2988-0-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2a27191f0dfc9299ba6b3173548ed99a
SHA1 e2c92d92a9883162287295e37bd8b0dfd42b8452
SHA256 ecea83e57434f4c6428ba071790cf9c6b5e7fa0a93b5add3abd08868cbe422c2
SHA512 2873fb59637cbdf76a3bbf29f9bcb2958527d1fe5aebdd7117e6aa81516d21a0fe9a73beb37cece0ebf11cd4a2f7b95e21d55c023799509677a54da0dad423ef

memory/2988-8-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1964-10-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1964-12-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 e66f2d96e95f784919c5ec7f904c7843
SHA1 45a181e41bc464272874ec19fa8c46f6898f36c1
SHA256 99b4dfdf381642f85d32772759bb9a0efb476d286ce5cb63564ae392165dbd1b
SHA512 ee432d3deabd74a5d5384f4b23e2bb696016485563e7c671e88d3066b4abc651ecb6788bb73776dd98230c18afe84f1b284766c3a34cbef5b8db32393d58b9f4

memory/1964-15-0x0000000000310000-0x000000000033B000-memory.dmp

memory/1964-21-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2692-25-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c80865ea75fcca4187e888cb33d32115
SHA1 b444ef642018a0358e8c996580efe4c017235f83
SHA256 d03e60079cfdacdb6a0892e3817b56ef71e9f055981e5d990fa6286ef9398cd7
SHA512 3c78bd4d4f97acb6416f39a8d34cd5b111df9d62e86aa911dd793e2fd7d7038673d0023eb26477b6edb200ec1196d03a2a158b5d3afca88d9e78c4afe63c323b

memory/1868-33-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1868-35-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 23:50

Reported

2024-05-19 23:53

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe

"C:\Users\Admin\AppData\Local\Temp\8213e0169e98c749520aa916d77ac3db3b61cd72dec1464b2070d0aa6aed413b.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 104.155.138.21:80 ow5dirasuek.com tcp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2a27191f0dfc9299ba6b3173548ed99a
SHA1 e2c92d92a9883162287295e37bd8b0dfd42b8452
SHA256 ecea83e57434f4c6428ba071790cf9c6b5e7fa0a93b5add3abd08868cbe422c2
SHA512 2873fb59637cbdf76a3bbf29f9bcb2958527d1fe5aebdd7117e6aa81516d21a0fe9a73beb37cece0ebf11cd4a2f7b95e21d55c023799509677a54da0dad423ef

memory/744-1-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1564-5-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1564-6-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 59b719d9cb0cec45d20a7dafd2b5cdd3
SHA1 d5afdcea6550766a235cca0167dffda7b5cf90c7
SHA256 f695128ac266234ee50fd296c9910c8f94a07c8a6cbf184033fe99ab865b4fe9
SHA512 c6db6c601536e3897bf3514f077be77d2677e37d6a37634c1811ee5fecf96faec383f62bdaec65c23c0316a15f5feb317bc9a3443ec7af30b0c4e03e6127a01d

memory/1564-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4768-12-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 97222e1edc2628a6c308311e21183124
SHA1 869bab22c55cbbd176768315d563c00df0cd7415
SHA256 4a4207efdf916748feda5ec281d1bf7ed99a36edec56ffa87006a4bc316063d2
SHA512 fe6caae00be0dca45a52c27b4b50e391dac3ba69940615d422f63015fb4a5dfaa83e57097e089f7c282b22ee66fbf3854f51a0df300381fb7bf6065b5a2dd248

memory/4768-16-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2732-18-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2732-19-0x0000000000400000-0x000000000042B000-memory.dmp