Malware Analysis Report

2024-11-16 13:01

Sample ID: 240521-3n972sdh6y
Target: 5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182
SHA256: 5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182

Threat Level: Known bad

The file 5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-21 23:40

Signatures

Neconyd family

neconyd

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 23:40
Reported: 2024-05-21 23:43
Platform: win7-20240508-en
Max time kernel: 145s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description   Indicator   Process                                      Target
N/A           N/A         C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A
N/A           N/A         C:\Windows\SysWOW64\omsecor.exe              N/A
N/A           N/A         C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Drops file in System32 directory

Description    Indicator                         Process                                      Target
File created   C:\Windows\SysWOW64\omsecor.exe   C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Suspicious use of WriteProcessMemory

Description: PID 2348 wrote to memory of 2344 (4 events)
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe
Target:      C:\Users\Admin\AppData\Roaming\omsecor.exe

Description: PID 2344 wrote to memory of 2836 (4 events)
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Roaming\omsecor.exe
Target:      C:\Windows\SysWOW64\omsecor.exe

Description: PID 2836 wrote to memory of 2168 (4 events)
Indicator:   N/A
Process:     C:\Windows\SysWOW64\omsecor.exe
Target:      C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe

"C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network


Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2b7cb605a9a35c95f811cad269f2ba11
SHA1 a23c1f0c62ddd843f71404e25f85b9f07cff37a6
SHA256 bc530de8342e917474f2bd9eb4a1a5bbbf94221894f2432a9e5f52086ab96004
SHA512 fbe02d52113f68409740b0450897bb57eb05c55f2dab7a6d99dba41baa1bf63bcdd609c37d911ecec917534b616750d568ca522ca4363c0671d0495842eb8bab

C:\Windows\SysWOW64\omsecor.exe

MD5 f86ae9771bfce9b7d8a824034126064a
SHA1 9567fee060e42096993d1db60d2c1da0d5b5d8ae
SHA256 0e22ea611da48723be1f630b44ea11ec57e44040450ab173b9623df61793098d
SHA512 6f9e9ec06e1a8b73b9f0e7dae93dbbc65dfb32e4826614de17ce4d93027e5a44086483cb9ee7a5fede88e843d0a28e41a9e128b3cf95117c588a491891527bfe

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5c0e6f802782cf138a88c68deb901032
SHA1 ea159339a28c13f2ff14eaf945638a0502a83c01
SHA256 f954c5a0b24ba7ccfa51642e791359f7e5be9a17a0514b60864ffdc76334dcea
SHA512 9b58b57a81eaad1254b2b68ec228e90b767fbb4a6b79c1666d070134c34c0ae11f107e56ebaf9e44bb6dbc77043d55fd0ebc7fca8443fca73d5510861cf69051

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 23:40
Reported: 2024-05-21 23:43
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description   Indicator   Process                                      Target
N/A           N/A         C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A
N/A           N/A         C:\Windows\SysWOW64\omsecor.exe              N/A
N/A           N/A         C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Drops file in System32 directory

Description    Indicator                         Process                                      Target
File created   C:\Windows\SysWOW64\omsecor.exe   C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe

"C:\Users\Admin\AppData\Local\Temp\5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network


Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2b7cb605a9a35c95f811cad269f2ba11
SHA1 a23c1f0c62ddd843f71404e25f85b9f07cff37a6
SHA256 bc530de8342e917474f2bd9eb4a1a5bbbf94221894f2432a9e5f52086ab96004
SHA512 fbe02d52113f68409740b0450897bb57eb05c55f2dab7a6d99dba41baa1bf63bcdd609c37d911ecec917534b616750d568ca522ca4363c0671d0495842eb8bab

C:\Windows\SysWOW64\omsecor.exe

MD5 bd18b6011bdf619211204e53e4ec8550
SHA1 d81b62c31f0a24d3b2ca69a125728b29ee81d785
SHA256 495da2b12f1c37a9bf9360f912021334377685a50653fcded894d31ce24b5685
SHA512 29390936c3bff1917658657766fe4dcebf76303d8215d76fc05051e1e2da9afd5f4165d7e990540fed808b190d74da7f4348c0de905b0529e64aecfd7ce7745a

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1b87adbc99d8a7c01bca621fdb313252
SHA1 ab35df0ba0fd4f0e4cd862d80a3f099d62046857
SHA256 392450f840c41721ce3a3d82b93e2e5039262b843d3f143a8ad33c492e7467e3
SHA512 b54894e3884b48ef0ad876718da743554f11ee9cfa2a307b7a0ea10e526dfa3db4136c7ba1a995460c20a81dc772ed46f32a3c6ddd636ad46f44aaaba247bb6f