Malware Analysis Report

2024-11-16 13:01

Sample ID 240520-e91nqsca45
Target f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6
SHA256 f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6
Tags
neconyd trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 04:39

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 04:39

Reported

2024-05-20 04:41

Platform

win7-20240221-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1712 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1712 wrote to memory of 2752 (4 identical events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2752 wrote to memory of 1820 (4 identical events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe

"C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 32253a47273278b1128b91830b267488
SHA1 eda4aab36b06bfd22ca9a9235342df67dca71993
SHA256 2ace238d95b0fb8fb6ccef4822cd9cccc76d131bb87dcff53424999430349249
SHA512 8def47f16e1856a0c0cedd955853f40a4771fd7d2ab66b076ae76e28796b6de3e8d2291627bc6138cfea34531688bc6c69a06c0c6318478dd19fdeb540f85463

\Windows\SysWOW64\omsecor.exe

MD5 110af80ab7627254d0bdfb33da0fc9d1
SHA1 9f1f948edad862f1d60bea286217777593054894
SHA256 ebbb47554a3b81278e46c6c7c166078a5ab43967a8c99501c2029419480f021f
SHA512 0c46616e88342ebaae44dc3b22d555dc4f3aebbad28a06ad7e89d1b9be08b1479380c2c676849eb9fce910b6fa784617dd1dded6e0fc7cf1bc8bd2056ec5d1b5

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8be5abf1ca351315c8984e876c3e6224
SHA1 6c06a8bbbd810d9efad2beb902005575b98c74b9
SHA256 d7d0ad6344b2659ed53545bda1163021924c6b8250cd40028f5b2f87cad16e2b
SHA512 8aaea9feffa115e782b5b2693740302267e539e4aff302d85d9f60393258908e6f7363570a7b081e929d5e17515e49354f9615771d020e446acc36479e342031

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 04:39

Reported

2024-05-20 04:41

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe

"C:\Users\Admin\AppData\Local\Temp\f6a9454dcc4624fde6b84056dfeabd85941a8793a7d1adb15970a48216c441d6.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 32253a47273278b1128b91830b267488
SHA1 eda4aab36b06bfd22ca9a9235342df67dca71993
SHA256 2ace238d95b0fb8fb6ccef4822cd9cccc76d131bb87dcff53424999430349249
SHA512 8def47f16e1856a0c0cedd955853f40a4771fd7d2ab66b076ae76e28796b6de3e8d2291627bc6138cfea34531688bc6c69a06c0c6318478dd19fdeb540f85463

C:\Windows\SysWOW64\omsecor.exe

MD5 21bbf310a8d596850d68345057469800
SHA1 ce028ab9516f3961df4db0a9d5042381c36d8539
SHA256 f83b08937d54c18fe89b203f9c4ebee88b23db2214e05d6ce31a472ba37228e4
SHA512 705f421f8ba02acefcf99537dea36ffda8c2cd95dea426f081574c303e54fd1b950c3596dbcecd9c1bf2e9f9f16f178a469dd53425c23a5e8645318c0e93c9e2

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 94a28e45affa6f1759751b08caa3a399
SHA1 d603d25db16de015fb1acecf8177b4a63bf5b7dc
SHA256 ed415e17c4d9796cdb39a49f1f6619d9a4861487de90fa67e3719020a05589ef
SHA512 6584bd1dbe0ceab17e519e4fb5d42f184714ee2a3624df58d09ae8ebae5c1f51be0d2c1efaaaa949312638ac0f81611872f081b8486bc63ae57507eaaea05829