Malware Analysis Report

2024-11-16 13:01

Sample ID 240521-wsvvladg24
Target 0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f
SHA256 0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f

Threat Level: Known bad

The file 0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 18:11

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 18:11

Reported

2024-05-21 18:14

Platform

win7-20240221-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2992 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1628 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1628 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1628 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1628 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1236 wrote to memory of 1496 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1236 wrote to memory of 1496 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1236 wrote to memory of 1496 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1236 wrote to memory of 1496 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe

"C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f261170c1a2e532db1e3dc2f8f7fac8e
SHA1 81e8e5790ab8b4cc310c92b41e40f5182a1ca889
SHA256 9c4dae7ad6fb7b79639ad90a03691bc452e2414c86530105cc6bf3caf890c6c0
SHA512 33e079cac8176bf739741a6e7f2bf3fc17a54e1b764eb6c6c41e7c36e8f5ef98f8915bcbbd07ed298417092fc0106fd0118d25be44300e335cb95d2b8adb083a

\Windows\SysWOW64\omsecor.exe

MD5 0e9ba57ff9b35270d2917287dac59919
SHA1 304aa9609706d9a1db4da4b345a922961005e56b
SHA256 07713a7d1f67dcd066890a2fd23398793d298d9f361599ed052f3a6197056259
SHA512 53c0bf540f79c9fe4070eb90c00a0ef57fa871f977847acafe81781da01cf2b9d01b0a16e3b2d70ee92ec43ffaa7b68d60cd104f907e4d08ddea4adddc3b003a

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6696e777a5359c1d8ec8d4b78ce496ef
SHA1 257aee7d6d3dfbe4c7b71d9f2e9faea2c812c835
SHA256 8ea1497ccebe60a0c3255b9205f95302a72c376acc7f4cdd148d76b0ee880270
SHA512 91ce8a267f13da6a7499f401ccd6fb225d7093545efbb7b9273bdd01d8a2521db2f1932f78508f475b1e38d4ea994009976ad7cd2526790d31d6ee5ade603b9f

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 18:11

Reported

2024-05-21 18:14

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe

"C:\Users\Admin\AppData\Local\Temp\0327fdd08c4e1980c7b6f6f431976269c6be6ba01b7f0622605761d32d75626f.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f261170c1a2e532db1e3dc2f8f7fac8e
SHA1 81e8e5790ab8b4cc310c92b41e40f5182a1ca889
SHA256 9c4dae7ad6fb7b79639ad90a03691bc452e2414c86530105cc6bf3caf890c6c0
SHA512 33e079cac8176bf739741a6e7f2bf3fc17a54e1b764eb6c6c41e7c36e8f5ef98f8915bcbbd07ed298417092fc0106fd0118d25be44300e335cb95d2b8adb083a

C:\Windows\SysWOW64\omsecor.exe

MD5 763dee2fa0489da2102b459dfe77fcd4
SHA1 1eea9d1c9c567bd4f8fef519a3d6e6d20caf9b2e
SHA256 c733ac2e8cb2822d810548114604c86fc628c7ca9e809ee71cdd946c4accec2a
SHA512 0998d5556f301cee423a5e3a7e770a707f3133b80eaafe131fd218a3d6ca00e7b22276c79d13740b283c649f96d1f06012852c257bccf22646d01ba5f9d93d5a

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 19bf301369fafd5fb293e174d2cf3892
SHA1 5196b84011caabccfc07d7a10efa5a1174395a2b
SHA256 8e34d084c2a7190e6cab86254db9bcd2619f2e5880b6d084002f7a89667d9ae1
SHA512 e50d5134e89c430095e7163d154b328266959787baec9cd961e7bd858c45568931150e7450af62b2a63abf81dc70a3d15908b7e72934d5a7d2d5d2f4a918042e