Malware Analysis Report

2024-11-16 13:00

Sample ID 240520-b9xejaef4w
Target b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4
SHA256 b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4
Tags: neconyd trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4

Threat Level: Known bad

The file b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-20 01:51

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 01:51
Reported: 2024-05-20 01:53
Platform: win7-20240508-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2136 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2136 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2136 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2136 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2144 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2144 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2144 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2144 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2648 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2648 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2648 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2648 wrote to memory of 1976 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe

"C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 495f99da6f9325c15747e701f6a5acc0
SHA1 347efe456007d950712cd40022d5c5f62077b0eb
SHA256 9c1864811146f9dc145ab0a67b59d23dd61422b25d1321e14516cd13025a76e0
SHA512 7f739ca8a988849a900dc4743426814088cc6287f46484ad3297ff9b4b80e0430caff4c32f8406f8cf2bab8f180a923b0ee51ba1f19bb55983d2d55b0f4f36c2

\Windows\SysWOW64\omsecor.exe

MD5 1bc2ef67815238cef42d96c72c0faf52
SHA1 c4830e7f0619643ec68705db3d304502276b7bb0
SHA256 6a4079a5d47c58172f8f44fc54338fb397091b80a59248931d7a731f60211946
SHA512 393b614e23a4bb5048f7a8202e8b04bd4500f62b26161a08525b7330b6ddd24f3c002dae4531cd78bed6eda0320b35eafe81cc256569919985c01d75778cc898

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aebb4fcd284ced53358f39c8d85d39af
SHA1 f75dff9d554917e620cfe39d6c332765bed4a9e0
SHA256 342902995e3d01769e32b65d9681ad968e2dc672a9c8e8e2e76aa2f69dbf9dc4
SHA512 5573aa77c6204c52338c1138f68aa9dd9d3880611be1751ebb621d072da2c898df381d33817201db5849f2723d492d80b191273de23d1ee1ed51c67bddaed86a

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-20 01:51
Reported: 2024-05-20 01:53
Platform: win10v2004-20240508-en
Max time kernel: 145s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe

"C:\Users\Admin\AppData\Local\Temp\b4c09a6487a7c9260202bd1eb3178f92284a4b0a40bd99d6d8d7171368d465c4.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 495f99da6f9325c15747e701f6a5acc0
SHA1 347efe456007d950712cd40022d5c5f62077b0eb
SHA256 9c1864811146f9dc145ab0a67b59d23dd61422b25d1321e14516cd13025a76e0
SHA512 7f739ca8a988849a900dc4743426814088cc6287f46484ad3297ff9b4b80e0430caff4c32f8406f8cf2bab8f180a923b0ee51ba1f19bb55983d2d55b0f4f36c2

C:\Windows\SysWOW64\omsecor.exe

MD5 4368eba2d3a8362da347724e2600b29c
SHA1 c01e7d3a404aa1746808b9c001958ce7cfb51b6d
SHA256 293f7694b1b0fe646c0145ea38e40c9a130b8d89037c269507ecf0fc0ab1d49c
SHA512 94fbd9f91e2114b2888c0c528444d3f47c65166e51fd595e7df95723862e9b31186d7891a40026b5e6adcc212c37de06bae6be2817c7f1cbb7c76e468c4dc120

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 10b4cf97cac1f873a03edfac30dd7a99
SHA1 784c4538083b7c02e2e67eb0554382ecfcdc2e8a
SHA256 a6ff69d31dfa781268ab16b1ccd5594c8426711eab50712ef8af269256ac1db7
SHA512 d24ad22cd8a9ca43cf971ebd296c7e3f62e467e50a7a957818c1e40adcfb7fbbed34ed52638878143c837c8282c7603d27a09cec74ef97c4a27a0193ca598b04