Malware Analysis Report

2024-11-16 13:00

Sample ID 240520-dp9kgaha49
Target d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0
SHA256 d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0

Threat Level: Known bad

The file d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-20 03:12

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-20 03:12

Reported 2024-05-20 03:14

Platform win7-20240419-en

Max time kernel 145s

Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1736 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1736 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1736 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1988 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1988 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1988 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1988 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2676 wrote to memory of 1784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2676 wrote to memory of 1784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2676 wrote to memory of 1784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2676 wrote to memory of 1784 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe

"C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ad112a7823e24e6b70a6a425bd8545e9
SHA1 e13ae8a94a2e01f2051bf78d72a627eb513d1032
SHA256 650acbbc5a72fe3bbfe1cb96ed6617c34cfe7422c7d16c267a8ac3b67e39530d
SHA512 08534dde254180a13072311c2f2e815bb162c2bbe7efc99f55a421ae03d9751f57063114c8d27af41bf3a50f0703c9711dee02323ed6be04f30f28fca353b3e3

\Windows\SysWOW64\omsecor.exe

MD5 540282c922cf0bdd6edc2649327bb237
SHA1 0d436806b6864bae793be513766e94b3d18ea840
SHA256 587fb03494f22e4979d1f75c7d0528cfb7083fcfe9ef57f576e4d130306d31f6
SHA512 0a55ef516e8480ef6159ccc3bdc643a746762b1b42045ba87cb0108052ee0ccc6a20b1189357debdf199312e7aa764013174db0c7d4923f28f3cee5153520591

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0e656ff6fc57f656d2182deefd6938df
SHA1 8dd6471e7585e3cc327364046941d3bf93f06cdb
SHA256 d66cdc6241d7e2a7c7d442cf5d011ea9ffdb166c2dda6be0654042a5f5c9f7bf
SHA512 144352bbd577be1da1cb945f3e00851205ef933e3a34c71bb4ef4a4dbedbb3ca2694f72f8be19bf7318b152d9828d9c56292d55adf1dc14532ecb7ee309fb8e1

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-20 03:12

Reported 2024-05-20 03:14

Platform win10v2004-20240508-en

Max time kernel 148s

Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe

"C:\Users\Admin\AppData\Local\Temp\d4a1372727c91b8be90707d2448684dbadeca4a515376d3cc7cfffd85fc7c8a0.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ad112a7823e24e6b70a6a425bd8545e9
SHA1 e13ae8a94a2e01f2051bf78d72a627eb513d1032
SHA256 650acbbc5a72fe3bbfe1cb96ed6617c34cfe7422c7d16c267a8ac3b67e39530d
SHA512 08534dde254180a13072311c2f2e815bb162c2bbe7efc99f55a421ae03d9751f57063114c8d27af41bf3a50f0703c9711dee02323ed6be04f30f28fca353b3e3

C:\Windows\SysWOW64\omsecor.exe

MD5 009f799a9c64f5ff90fd2864752dc265
SHA1 1fa49c9862a4d45fe7c7b5f456f7c922b6e773b1
SHA256 2cf46169accaf86c71a8d160eefab092962212e55b34d160e8b93b46a0084a09
SHA512 56e564d37245a499eb58cf7c9f5e6f02a30b43bd2cb32ee19de21a75424f147a66894507b6e624edcc991042379a2c37ccc2256884d1dd0fb5eae82bd667b362

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8f7c324a3012bb93a9a23114827de172
SHA1 ba6279f58dd60b83b0a639108449e6d1e45c24c6
SHA256 9fbdc5a346bb124a5bb0a15eb02b9b6afb3d75b4710f9047d39f4e30319e11a2
SHA512 aeacfa1a4040f3ef408bdede4648ff9846412fe74f499824262474da6c210e1ef1f34e97c09d44617a6c6d4cae7edbf948d0532d88ced6aec6b4926c5a71fe80