Malware Analysis Report

2024-11-16 13:00

Sample ID 240519-zlr2xahb76
Target 3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d
SHA256 3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d

Threat Level: Known bad

The file 3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 20:48

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 20:48

Reported

2024-05-19 20:51

Platform

win7-20240419-en

Max time kernel

119s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1432 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1432 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1432 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1252 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1252 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1252 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1252 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2884 wrote to memory of 3016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2884 wrote to memory of 3016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2884 wrote to memory of 3016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2884 wrote to memory of 3016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe

"C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 db6ff8d832660f61d66a6f5a22fd9830
SHA1 88594363b258506bc228e2d6dc7b95e1173a16c0
SHA256 bb927993eae2d22117651936ded9f7f7a00d964ba42acf8975af8fdfb831c8a5
SHA512 638baf7fd32a6c8021046e0161edd82aa836fc2056e431b76917d09676a4982f2eab18eccf57242a7fe535f7447c293e7af5abe068a5621c177b277956cd1bb6

\Windows\SysWOW64\omsecor.exe

MD5 15358bbbaee7a5629bb0ab8a06a20d9a
SHA1 b222268c5e0d6b8a2d9865a2e7542a1064c296af
SHA256 374cd60d5987a93e3a477dc21aa1989f2524cee2c7595ca10f8efde11c70ec66
SHA512 ac505f34f632a55ea10aba05b9a6a04e477a17539173c6eea746a0faf2db164b67a73cb27c12e7111e9f520cd4be1b7eab71d98df30892e14a49417d617f3a2d

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b1e82e612338f5c2d997a8be52666a5e
SHA1 fa8d6f22d1e4e1f6dda94d03fe19f374d8f46600
SHA256 009f78164c8b64e6e59b7e6a0988e6efbc8ae815e2171433aecfd44771563de9
SHA512 1f53666846fe5c44a2f6d77a559defb22f083aee673d6d268a8988e5c8951637ff709314dfc3e3e033aa8a3ac26d81d5d0dee82157a4deb5529b94c2f3b3e81d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 20:48

Reported

2024-05-19 20:51

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe

"C:\Users\Admin\AppData\Local\Temp\3ec432747a3cfa0dc243b89ababf8f60f60eed10e9027ce31f2526e7c297e95d.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
BE 2.17.107.107:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 107.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 db6ff8d832660f61d66a6f5a22fd9830
SHA1 88594363b258506bc228e2d6dc7b95e1173a16c0
SHA256 bb927993eae2d22117651936ded9f7f7a00d964ba42acf8975af8fdfb831c8a5
SHA512 638baf7fd32a6c8021046e0161edd82aa836fc2056e431b76917d09676a4982f2eab18eccf57242a7fe535f7447c293e7af5abe068a5621c177b277956cd1bb6

C:\Windows\SysWOW64\omsecor.exe

MD5 76e19677010c78c57b3c9af916180646
SHA1 135b4c686bd44bc8d73d9ee6a53184e2a5db2815
SHA256 318738b94698f899aa3ceda10badf411216d39cbb4ca46253f0ad902f8b2f6d3
SHA512 6daf1917fb27cce4d6b4bad554163a5370e8ce31965fe714012b13a2013596cbc8fe23bc0d97c5eeab6c8b793a2b55d80052a00b9beb75b21f1f53664092f432

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 176dd97dfc3f6d3d02c2113447701433
SHA1 dc69ae9eed6b0431f2a33cd83e5c9bbc2c373c9e
SHA256 1a64dbf0384ddacc72a9392d12e86506e32c2f1890d0f339de50acc05c6d1917
SHA512 85513e63af42d9e7d914fd33fbcc0df689454566276f947676245dea216d7187c70de3f004c3a7cb4d083240be331cc12797347c56bb7494691bc6f8f54f55fc