Malware Analysis Report

2024-11-16 13:00

Sample ID 240520-3jcqzsbf61
Target 6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf
SHA256 6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf

Threat Level: Known bad

The file 6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 23:32

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 23:32

Reported

2024-05-20 23:34

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2416 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2416 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2416 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2416 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2196 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2196 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2196 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2196 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3028 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3028 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3028 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3028 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe

"C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ab9e0ef4695fa4bee67def5df4fb1ecd
SHA1 bf0d1917d84d70ac72d95295e5387a032ea62dee
SHA256 e50b4f4bff55d496bfcd12608aadf64f686ba9b29f3b8de31a7d587db85fa625
SHA512 40f78a327a318ee61cc358775f10051c57328f0b6bb14a7b47d87135f6229a0f043355375359f77451fa32928d9cacf3b6fefafa8ea4f4582af5cd62d45bc3fd

\Windows\SysWOW64\omsecor.exe

MD5 5b809d2725ff2cd13ceb3a983539d6f3
SHA1 d21ceec32d6e85cb6c01db6ee1d5dee33a16024e
SHA256 a7bece3fb7655260d85e738fc07842c3a911f4bc2a6883a5756e972c51e83cc5
SHA512 8621ce92010290e2dfd39de837aad96cad08e367cf6d88dfc3144e48bdf0eae8a946bec0547e4b94a5a110aa6427198cec6341e03f077790820c7c708f88968f

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 816b8f2a9f4e7bc9b258c44f53505b2d
SHA1 3c4eb8bd7ed32bddd9d81f70d8146fabd8270d4d
SHA256 1f71c22b4ddaaa761ec4e9bd05814706bfeae1b42ac7a7c8d369b0d2a461bb26
SHA512 4525ffb96c0a8c0c9c2b94026c257f4b7da3fccc02517a92fec086551d819e318a2570f76f036839f7f8bfaf1a4c390b4725ae87a447b399bc856b18f282abf0

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 23:32

Reported

2024-05-20 23:34

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe

"C:\Users\Admin\AppData\Local\Temp\6e110a3970b4ec6211f80ea4f9ad322c923e1f66c69b9b7f685d8e3a854e55cf.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
US | 52.111.229.43:443 | N/A | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ab9e0ef4695fa4bee67def5df4fb1ecd
SHA1 bf0d1917d84d70ac72d95295e5387a032ea62dee
SHA256 e50b4f4bff55d496bfcd12608aadf64f686ba9b29f3b8de31a7d587db85fa625
SHA512 40f78a327a318ee61cc358775f10051c57328f0b6bb14a7b47d87135f6229a0f043355375359f77451fa32928d9cacf3b6fefafa8ea4f4582af5cd62d45bc3fd

C:\Windows\SysWOW64\omsecor.exe

MD5 b165536f08211cb68784102e26146fd1
SHA1 15fd9da88f9b75ed261afa39b5a42d0a573f277f
SHA256 d76dc384fe1430a5cdac36b9e36f4fa6042e1baf1a365cb70a58ef8201d03d14
SHA512 19702192e47122f27fd4514683e6e572c0d89bd35d6f74b79e2ef65dd0034fa9fd07059c613095b8c5153e1218a14e8618f5f49c07cfe15dda020c4d2a0d93cf

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 652e0aad2f69fea18c9288eb0eed83fe
SHA1 a523d787043e39a13a043c804279a4f4e57a41e1
SHA256 fd967fee329dcadf931139323a268f7cb511a7180d75a0850d798e8deb21e310
SHA512 2b8dda73ed2dc372b221bae24b7a66267dcdd741b36f4f9f222dc74b3298c11e9caa29eda5654dbd71ceebdcadd072a940d7fd2fa8da696bfbd1682dba69f3cf