Malware Analysis Report

2024-11-16 13:00

Sample ID 240520-dg4z1shc4s
Target cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43
SHA256 cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43

Threat Level: Known bad

The file cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 02:59

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 02:59

Reported

2024-05-20 03:02

Platform

win7-20231129-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2208 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2208 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2208 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2208 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 952 wrote to memory of 1988 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 952 wrote to memory of 1988 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 952 wrote to memory of 1988 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 952 wrote to memory of 1988 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe

"C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2200-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 30bbb6b75769c5bb0bcf764906690d9b
SHA1 4f1f2cc020dddc6d0108812624022e8e53dc65a6
SHA256 4f6464c1bd11617b3a72b98ea2c8762866c5b3da6fd037ac51eeacf95b8d58d7
SHA512 f87b322bebab41e6750efab17f662ed7771f6df9ddc93d681278e8c58844540c78ed302be6bf0f3f374e7bbfad16d5a851dfd448de1eeb5556776027ad6b43c1

memory/2208-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2200-8-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2208-12-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 3e43fd008ae33d75c2873ecb885f7602
SHA1 32fe077bf9bbbe18a7b8ba31db1acdc8f7ba758e
SHA256 df00b466e41187945aec62289b655c6f01f1e849624869e74dcde55f25c9f558
SHA512 fa2858bd5c7ad8a56511db322198946124537996e20de62e1a9314fe4942e6f7c5579a210ed637a8b802abb54bcb16008505e06edfd9cf3071d92e875157c3bd

memory/2208-17-0x0000000000330000-0x000000000035B000-memory.dmp

memory/2208-23-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ebee397ed13d5f0e150b2b7381fc19c5
SHA1 267a31e483814c9b8e6ded1ffa83ce7a042e823b
SHA256 720ee33903dd414996bf5506b000eaf172240858a468d756019b0279183f73b8
SHA512 fe8368078a49f9518d37e4851ccc2c1cdf3a7a4082b8fd46bb38d0260b5e2e550b2bf0732ee7383873738d782e7098c3b043b522e3f0666f9d734260822eab98

memory/1988-35-0x0000000000400000-0x000000000042B000-memory.dmp

memory/952-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1988-37-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 02:59

Reported

2024-05-20 03:02

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe

"C:\Users\Admin\AppData\Local\Temp\cfd0f0a7d6a5a2c71cf05d6d3d88a2d2c5b49e1a8645cf902c06e5638005ab43.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network


Files

memory/2660-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 30bbb6b75769c5bb0bcf764906690d9b
SHA1 4f1f2cc020dddc6d0108812624022e8e53dc65a6
SHA256 4f6464c1bd11617b3a72b98ea2c8762866c5b3da6fd037ac51eeacf95b8d58d7
SHA512 f87b322bebab41e6750efab17f662ed7771f6df9ddc93d681278e8c58844540c78ed302be6bf0f3f374e7bbfad16d5a851dfd448de1eeb5556776027ad6b43c1

memory/4684-5-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2660-6-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4684-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 683c3665ae04e6c26c007d8238c0c8f4
SHA1 bb8f11f72de28c6eb5c05651f0691553d2c82d86
SHA256 f181c6913d75f4ea36abf33c2d50cbc74f37e6c72112df485184d0a210218e74
SHA512 c8fff0cd0343069fc6dad56921884013604f631bffaff278091cbfcce781f8ff581386aa10eba853a3a94820a94e84e8cd0f35a8c1030695fa2e70c62f2dd8bb

memory/4684-12-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4384-13-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ff0a69a7db828df49bce7dcc139af561
SHA1 fa228fb63e66d1f786ff76ae7b7e502b1bea4e3d
SHA256 f04b2aa2512580bbe0bce86589f4f4f83504c75dfbbfa96a1d3570313c248704
SHA512 026d412dd9470b2f41ecd195a0b4ee2b9802ecd157b37311fcd6f3842e2b58c8e1e25ade824646b44f83cc5ed3eba862ef653200c879b1445d1349674dbb602a

memory/4384-17-0x0000000000400000-0x000000000042B000-memory.dmp

memory/216-19-0x0000000000400000-0x000000000042B000-memory.dmp

memory/216-20-0x0000000000400000-0x000000000042B000-memory.dmp