Malware Analysis Report

2024-11-16 13:01

Sample ID 240521-3wrexaeb44
Target 619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5
SHA256 619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5

Threat Level: Known bad

The file 619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 23:52

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 23:52

Reported

2024-05-21 23:54

Platform

win7-20240215-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2876 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2876 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2876 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2876 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2232 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2232 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2232 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2232 wrote to memory of 1652 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1652 wrote to memory of 1780 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1652 wrote to memory of 1780 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1652 wrote to memory of 1780 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1652 wrote to memory of 1780 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe

"C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 61341743660419ceb38e456ae0d31992
SHA1 637df5023c8b0bab0e43148d8acff4dd36adca24
SHA256 77ec1a4a59a4f795ef76377c79730089927dcda5dc1fa2cbc9d6f3a12ae87205
SHA512 7afcff43e897d8d4fa88bf8045327923fc857fb142dd0f7d4a0224fcd1ef804538c4cd70828e4a6413af3c14cf554bcbdbc8dfc78e770e4172e4041356af5e1c

\Windows\SysWOW64\omsecor.exe

MD5 6aacef6b0da2fd3c827bc3b4abc03f07
SHA1 5e149d939596ec149137e479d1d89fa950dfb3cd
SHA256 a972745c074cb8c3fd64a8e6680952b9b57f3ec6a72448cfa3bc598c76ca4c43
SHA512 c546060cf5c3b4db815fcba540a5090647812205335c58c732ea150fd89cafb9c44c88f6d0b3df09220ed7fbdb4e78e815886617ecbf5b6637e57595351da925

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 78a485d1ab9ac42600e20ead8c129e96
SHA1 ec9a278f36aed8106e6354d3e172010152c5283a
SHA256 76e8dbd4d6506c98722ceb327bd91ccbb85344a10fd9c982558d28c7d480b553
SHA512 d91fb1e6b00c5b0e8ae1cc34c027e5da9df07925b3454c57bbe565132481739e3827b97bce743fc606c28fa6521b5e05b6b16553a7fbd6526ab22c9b34184e2e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 23:52

Reported

2024-05-21 23:54

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe

"C:\Users\Admin\AppData\Local\Temp\619c5f70e305ea4f00b249bc3f3b5726b4aca58cf0b9a0eaf84b1492ebbbcbd5.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
IE | 52.111.236.23:443 | N/A | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 61341743660419ceb38e456ae0d31992
SHA1 637df5023c8b0bab0e43148d8acff4dd36adca24
SHA256 77ec1a4a59a4f795ef76377c79730089927dcda5dc1fa2cbc9d6f3a12ae87205
SHA512 7afcff43e897d8d4fa88bf8045327923fc857fb142dd0f7d4a0224fcd1ef804538c4cd70828e4a6413af3c14cf554bcbdbc8dfc78e770e4172e4041356af5e1c

C:\Windows\SysWOW64\omsecor.exe

MD5 97adc7c0ff5ede8bd16b1efd5adf63b7
SHA1 e501cd25d77252f4d317307cd47e8d41653b1cfc
SHA256 0ce38b78ee8025a2e9cf92470c66fb18525024c9326703ded386349e5191e0d1
SHA512 928980e8fe765636c4c43dc1839109b2c891ca78c389099b47792c53d55fdb1089726f4240eca06ce58493c6726b740436835678ebb58ed32fe028075bbd5528

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7834d1ab0338bcf3170e1c2f57dc4d72
SHA1 a58b35167b37ffbc67c430edfbd3e004346a822b
SHA256 0d26c3d50c28b347200bccd53ad507b91e9d0f71c74fa8a831a51e2635a312af
SHA512 be54a57babc99762fcb683d6c54b44c462e34e2c409ed95c286e1805d0ac047e4f2974fe1408a75c321b2bf41ac27e7ff69dd647471ba2135786d0c36b25dbc7