Malware Analysis Report

2024-11-16 13:01

Sample ID 240519-x37gtadh31
Target 1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b
SHA256 1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b

Threat Level: Known bad

The file 1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 19:23

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 19:23

Reported

2024-05-19 19:26

Platform

win7-20240221-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1152 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1152 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1152 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1772 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1772 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1772 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1772 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2452 wrote to memory of 2864 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2452 wrote to memory of 2864 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2452 wrote to memory of 2864 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2452 wrote to memory of 2864 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe

"C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 310d9a10351692f0e7c4a9b904813146
SHA1 27b813a9eee71d69366abe8f2a1db700742310e3
SHA256 29b04df61232f68789882af67f0467133ac23128b117d77197f832579fea2ca5
SHA512 eef492b73f4353662b4a1ecf276463ee27bce1b16bdb35209f8d09180734d65d4bc6e05dcc923c40db748384f1672111e07218be5dfcd232246f557936365780

\Windows\SysWOW64\omsecor.exe

MD5 3fe13d3e06c87c36d1969a83aeb809ed
SHA1 cfb8211a3f81d9df6b73f553e0357e9c3b698c75
SHA256 dd95954a0212415c206bac516767be4b9f798c8df44ad8643376efc1de32d22b
SHA512 bf613fce84bd3eb3e0bec5e0c49b3b83da1c34191d57bda47b8b89b6140d271201a07c10a70b87dd46b428680e34b3c84d2e050f05209ce0a2bae00312ae3628

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0e982cf4973d9a1f212dcbbd7212f286
SHA1 72c891be5ddb1a0b47db0a3a81739f2730c8ea3a
SHA256 e65e6ae10624d87af1421d94944761c5b3eada98e97d0499cd74e1c997f03251
SHA512 8b4d616098980651cecf3069cdc21b79591c41703e64e3cb2b77dd17ed0f6e7cfb1680e0e155ab78c06cfbdd4d7559fb332af42352928146bae49f34bac84335

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 19:23

Reported

2024-05-19 19:26

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe

"C:\Users\Admin\AppData\Local\Temp\1e66dd6883aa30a522c7c70bebe4ad762e430a59d3cefb7f67eabcb7aff60e2b.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 113.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 310d9a10351692f0e7c4a9b904813146
SHA1 27b813a9eee71d69366abe8f2a1db700742310e3
SHA256 29b04df61232f68789882af67f0467133ac23128b117d77197f832579fea2ca5
SHA512 eef492b73f4353662b4a1ecf276463ee27bce1b16bdb35209f8d09180734d65d4bc6e05dcc923c40db748384f1672111e07218be5dfcd232246f557936365780

C:\Windows\SysWOW64\omsecor.exe

MD5 daf50a5f047b682a4c7b9af1df4a25d8
SHA1 0a4d80073efaff5052bbd6ae1fcd2a77e9ae395e
SHA256 4b05d90e4565a5e74e4f34785f905fb0a783a9490f265a19faf2e28da11de5f5
SHA512 691ee912113c8df2d36ef951430a69bbdfa8bb8238f0782977522098e04c17a7f7372cf4b49d2834347bb108bcc85e5dcdca4ccba1fae0284a812fd08402355c

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f0b182a50c71faf153fa19121ee7c3e1
SHA1 fb4b07b8fc1feca4360f571abeb380553c7a141d
SHA256 e52e12071ffc37f9c134a4b8de43122f57621db344ba7c04dd60975110c4e647
SHA512 4cf9020f3eedbc54282f35ff4e30c73ad8194d776a52b28a1ea019b551c845ceaed5fa34b802f4ef6b2933d315fd35701f7479ea2c3ce2cd73730c29fd17d7bd