Malware Analysis Report

2024-11-16 13:01

Sample ID 240520-y6p8dafg84
Target 0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe
SHA256 0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad

Threat Level: Known bad

The file 0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 20:24

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 20:24

Reported

2024-05-20 20:54

Platform

win7-20240508-en

Max time kernel

120s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2196 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 2140 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 4
PID 2888 wrote to memory of 2044 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4

Processes

Image path, followed by the command line the process was started with:

C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe
"C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process was launched with a C:\Windows\System32\ path but its image is recorded under C:\Windows\SysWOW64\. On 64-bit Windows the WoW64 file system redirector maps System32 to SysWOW64 for 32-bit processes, so the file the "Drops file in System32 directory" signature refers to actually lands in SysWOW64, which is consistent with a 32-bit sample. Detection logic that keys on the command line alone will see System32 and miss the file on disk.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
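The behaviour recorded in this run (dropped EXE executed, file created in the system directory by a process running from the user profile, the omsecor.exe relaunch chain Roaming -> SysWOW64 -> Roaming, and DNS to the three sample domains) can be turned into host-level detection logic. The following is an added example and not part of the report: it runs over constructed Sysmon-style events (IDs 1, 11 and 22 reduced to plain dicts) that mirror the PIDs 2196 -> 2140 -> 2888 -> 2044 above, and normalises System32 onto SysWOW64 so that the command line as typed and the image path as redirected compare equal.

```python
"""Behavioural detections for the omsecor.exe chain over Sysmon-style events.

Added example, not part of the sandbox report. EVENTS is constructed to mirror
the behavioral1 run; the field names follow Sysmon Event IDs 1 (ProcessCreate),
11 (FileCreate) and 22 (DnsQuery) but are simplified into dicts so the script
runs offline.
"""
import ntpath
import re

# Names queried by the sample in both detonations of the report.
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
APPDATA = re.compile(r"^c:\\users\\[^\\]+\\appdata\\")
SYSDIR = re.compile(r"^c:\\windows\\syswow64\\")


def canon(path):
    """Lower-case, strip quotes and fold System32 onto SysWOW64: a 32-bit
    process that names System32 is redirected to SysWOW64 by WoW64."""
    p = path.strip('"').lower()
    return re.sub(r"^c:\\windows\\system32\\", r"c:\\windows\\syswow64\\", p)


def detect(events):
    """Return (finding, pid, detail) tuples for the four behaviours."""
    findings, image, parent, dropped = [], {}, {}, set()
    for ev in events:
        if ev["id"] == 11:  # FileCreate: remember what was dropped, and by whom
            target = canon(ev["TargetFilename"])
            dropped.add(target)
            creator = image.get(ev["ProcessId"], "")
            if SYSDIR.match(target) and APPDATA.match(creator):
                findings.append(("drop_in_system_dir", ev["ProcessId"], target))
        elif ev["id"] == 1:  # ProcessCreate
            pid, img = ev["ProcessId"], canon(ev["Image"])
            image[pid], parent[pid] = img, ev["ParentProcessId"]
            if img in dropped:
                findings.append(("executes_dropped_exe", pid, img))
            # Walk three generations up: same binary name bouncing
            # AppData -> SysWOW64 -> AppData is the relaunch chain seen above.
            chain, cur = [], pid
            while cur in image and len(chain) < 3:
                chain.append(image[cur])
                cur = parent.get(cur)
            if (len(chain) == 3
                    and len({ntpath.basename(p) for p in chain}) == 1
                    and APPDATA.match(chain[0]) and SYSDIR.match(chain[1])
                    and APPDATA.match(chain[2])):
                findings.append(("relaunch_chain", pid, " <- ".join(chain)))
        elif ev["id"] == 22:  # DnsQuery
            if ev["QueryName"].lower() in C2_DOMAINS:
                findings.append(("c2_dns", ev["ProcessId"], ev["QueryName"]))
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe")
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"

# Constructed event stream mirroring the behavioral1 PIDs (not report data).
EVENTS = [
    {"id": 1, "ProcessId": 2196, "ParentProcessId": 1000, "Image": SAMPLE},
    {"id": 11, "ProcessId": 2196, "TargetFilename": ROAMING},
    {"id": 1, "ProcessId": 2140, "ParentProcessId": 2196, "Image": ROAMING},
    {"id": 11, "ProcessId": 2140, "TargetFilename": r"C:\Windows\System32\omsecor.exe"},
    {"id": 1, "ProcessId": 2888, "ParentProcessId": 2140,
     "Image": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"id": 11, "ProcessId": 2888, "TargetFilename": ROAMING},
    {"id": 1, "ProcessId": 2044, "ParentProcessId": 2888, "Image": ROAMING},
    {"id": 22, "ProcessId": 2044, "QueryName": "lousta.net"},
    {"id": 22, "ProcessId": 2044, "QueryName": "www.bing.com"},
]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

The relaunch-chain check is the most specific of the four and fires once, on PID 2044; the "executes dropped EXE" check fires for every stage and is the one to tune on a real fleet, since installers legitimately run files they just wrote.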

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f0a1260896500ebedad267bd6e5fdaff
SHA1 829670feaf6045b4aa97c7992c299049bb6d59cc
SHA256 99fc8980fe86e510363700c8af165a6328000bfc4a240cb9ffa6c30cc908619f
SHA512 28d01c6d8fb7f72f6097102d2ef962eda0543ac9eb1ad8e7c6ca058e870f068f411155acf33f605cbd9ae7047dd5dcd1470ed2bc285a857e320f77b170c60dd5

\Windows\SysWOW64\omsecor.exe

MD5 e9a6af68f6d438fe40061f4e35eafdfc
SHA1 e1fd9cdf6fa5d2c92979ba0c516fe0728e29b7fa
SHA256 112dc5a1a76f3aee5a08458b8611ad1da587623d4d38b02aec5f82258e7c578f
SHA512 a21c5ac9acbbed59edd5237619291840cc17af9f0731118b250b8dd2f0a4f980e7790ba7b8160ba7cd4860b612abeed369969bbeacbd5e2aade62f0416a40a29

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4019a72698806b11b12b943bd590ea45
SHA1 f7d9f38cc061153f7e50b0e6a5ec209b44b72e46
SHA256 304b0a1f4a3326ebe88bd477615aea0d80e45c595ba01a3047169a1cf9542d56
SHA512 d52f260df718896bee10898cc7409fac31a971907982257866f7b41eb5f82a7d6273f9121716f2461fec89add4e3d9915de294178fdc93f22059be2d5332dfb4

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 20:24

Reported

2024-05-20 20:54

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Image path, followed by the command line the process was started with:

C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe
"C:\Users\Admin\AppData\Local\Temp\0340d73f65aff4010fea6e040796b82088bbd6a489d6f7b21a8aeb325780d5ad.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

As in the Windows 7 run, the third process is launched with a C:\Windows\System32\ path but runs from C:\Windows\SysWOW64\, the WoW64 file system redirection applied to a 32-bit process.

Network

Only lousta.net, mkkuei4kdsz.com and ow5dirasuek.com are attributable to the sample: they are the only names the Windows 7 run resolved. The in-addr.arpa PTR lookups and the www.bing.com / tse1.mm.bing.net connections are absent from that run and consistent with background traffic of the Windows 10 sandbox image.

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f0a1260896500ebedad267bd6e5fdaff
SHA1 829670feaf6045b4aa97c7992c299049bb6d59cc
SHA256 99fc8980fe86e510363700c8af165a6328000bfc4a240cb9ffa6c30cc908619f
SHA512 28d01c6d8fb7f72f6097102d2ef962eda0543ac9eb1ad8e7c6ca058e870f068f411155acf33f605cbd9ae7047dd5dcd1470ed2bc285a857e320f77b170c60dd5

C:\Windows\SysWOW64\omsecor.exe

MD5 933a7a2b47ac9208fe03ca8730867bcf
SHA1 7dc1b29cc62c40450f2c547d10bf7ac3f33fd534
SHA256 cd106c326df2e951e547decf570ceeaa9b415664c65ef0423acdde7af46cde89
SHA512 08b74f6693f206896c324c7f5ad0a6519dd03fa45eb2ddfb299cc2354f4cf3a88d93c6bec88cbc945772b2eb2dc18951385c638a0193d9975c6752cafa2c788b

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 48ebcfc6a39b28f2d6176680d8baffdd
SHA1 dfd1c01db42113a961cf3bcde403c455dc4786f9
SHA256 64a57f6b03bd093577775c40aed3f455a2e95ef6509218eb8d05339765d5ced0
SHA512 8f11c615aeebb2071052df831ac07eeb05b2053ad2803e5ae16b9cdad4680ec09297e7b300b0b10db77d650f519b029061df561becb27e72b8f6c5717f2c09f7
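Comparing the Files and Network sections of the two detonations tells you which indicators are worth acting on. The first Roaming\omsecor.exe drop hashes identically in both runs, while the SysWOW64 copy and the second Roaming copy are rewritten with different bytes each time, so only one of the six SHA256 values is a usable hash IOC; likewise the three sample domains and two of the TCP endpoints recur, and the Windows 10 run adds PTR lookups and bing traffic that the Windows 7 run never produced. The script below is an added example, not part of the report: it embeds the observables transcribed from the sections above (the Windows 10 DNS list as a subset) and intersects them across runs. The single-run endpoint 35.91.124.102:80 is a caveat: it belongs to ow5dirasuek.com, which both runs queried, so an intersection on raw endpoints is a lower bound and matching on the domain covers it.

```python
"""Separate stable IOCs from per-run noise across the two detonations.

Added example, not part of the sandbox report. Observables are transcribed from
the Files and Network sections of behavioral1 (win7) and behavioral2 (win10);
the Windows 10 DNS set is a subset. File entries keep the report's listing
order because the Roaming path appears twice per run (the file is overwritten).
"""
from collections import defaultdict

ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

RUNS = {
    "behavioral1": {
        "files": [
            (ROAMING, "99fc8980fe86e510363700c8af165a6328000bfc4a240cb9ffa6c30cc908619f"),
            (SYSWOW, "112dc5a1a76f3aee5a08458b8611ad1da587623d4d38b02aec5f82258e7c578f"),
            (ROAMING, "304b0a1f4a3326ebe88bd477615aea0d80e45c595ba01a3047169a1cf9542d56"),
        ],
        "dns": {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"},
        "tcp": {"193.166.255.171:80", "64.225.91.73:80"},
    },
    "behavioral2": {
        "files": [
            (ROAMING, "99fc8980fe86e510363700c8af165a6328000bfc4a240cb9ffa6c30cc908619f"),
            (SYSWOW, "cd106c326df2e951e547decf570ceeaa9b415664c65ef0423acdde7af46cde89"),
            (ROAMING, "64a57f6b03bd093577775c40aed3f455a2e95ef6509218eb8d05339765d5ced0"),
        ],
        "dns": {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com", "www.bing.com",
                "tse1.mm.bing.net", "209.205.72.20.in-addr.arpa",
                "73.91.225.64.in-addr.arpa", "102.124.91.35.in-addr.arpa"},
        "tcp": {"193.166.255.171:80", "64.225.91.73:80", "35.91.124.102:80",
                "23.62.61.194:443", "204.79.197.200:443"},
    },
}


def runs_seen(runs, kind):
    """Map every observable of one kind to the set of runs that produced it."""
    where = defaultdict(set)
    for run, obs in runs.items():
        values = [sha for _, sha in obs["files"]] if kind == "files" else obs[kind]
        for value in values:
            where[value].add(run)
    return dict(where)


def stable(runs, kind):
    """Observables present in every run: the ones safe to alert or block on."""
    return sorted(v for v, r in runs_seen(runs, kind).items() if len(r) == len(runs))


def file_stage_verdicts(runs):
    """Per listing position: does the dropped file hash the same in every run?"""
    verdicts = []
    for stage, entries in enumerate(zip(*(obs["files"] for obs in runs.values())), 1):
        paths = {p for p, _ in entries}
        hashes = {h for _, h in entries}
        verdicts.append((stage, paths.pop(), "stable" if len(hashes) == 1 else "per-run"))
    return verdicts


def classify_dns(runs):
    """Label each queried name: stable (in every run), ptr-noise (reverse
    lookups the sandbox OS issues on its own) or single-run (needs review)."""
    labels = {}
    for name, where in runs_seen(runs, "dns").items():
        if len(where) == len(runs):
            labels[name] = "stable"
        elif name.endswith(".in-addr.arpa"):
            labels[name] = "ptr-noise"
        else:
            labels[name] = "single-run"
    return labels


if __name__ == "__main__":
    print("stable sha256:", stable(RUNS, "files"))
    print("stable tcp   :", stable(RUNS, "tcp"))
    for stage, path, verdict in file_stage_verdicts(RUNS):
        print(f"stage {stage} {path}: {verdict}")
    for name, label in sorted(classify_dns(RUNS).items()):
        print(f"{label:11} {name}")
```

The practical outcome: block on the stable SHA256, the three domains and the two recurring endpoints; hunt on the file name and path chain rather than on the later-stage hashes, which will not match the next infection.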