Malware Analysis Report

2024-11-16 13:00

Sample ID: 240521-yh42mage9t
Target: 241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f
SHA256: 241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f
Tags: neconyd trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f

Threat Level: Known bad

The file 241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-21 19:48

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 19:48
Reported: 2024-05-21 19:50
Platform: win10v2004-20240508-en
Max time kernel: 146s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe"

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Process: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
NL | 23.62.61.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5b2bae4a2f2cc6ac90e41fc415cff5a0
SHA1 76506ef1fade03ea448fc9575724a771cce41af8
SHA256 1d2dc7d890897d5c0f06c9d37e26752bde67f34e3a58e2032191aa73fa213d6c
SHA512 decf6a1316f47c2bdbcf3ef5ad1ecdbdca03ec0849a2e981622e433e2586ca0cf558f67370796d94501bdac8a78d6f8451f4d387cfa5adb380ebde1a46c836be

C:\Windows\SysWOW64\omsecor.exe

MD5 4041b07e7b479a47da5ae5bd32b99653
SHA1 e2401bbf0b22d69565d0bc39f8f6d7b645437e8d
SHA256 f133d467350f49932b5f024099ab85fc0d963800d4b002074895ec661c299848
SHA512 88e02867b6c8b5e94dc2fe0f850a036f035022198954fc630a63675ca80d0f401c58d68174f59569fb78a12e7316b774b6d8ab688916ed2528566a3b887ce239

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0a28514b0b034155682e7405d886e7c2
SHA1 929002e7235559a8a7d5a441d0eeb603aa154fbd
SHA256 d4c0d6e47ef0ec779252666a21623bf18c176a0443a4057444f7533483b5d919
SHA512 3099fad05c7e2e7a40a8fe2578659ce91e27d54c750c7dbfad4acb4bb9aba887b51ce46f7833e6099083374e33ecf1ad801bf9cc24ad570931cb9b08baf7f544

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 19:48
Reported: 2024-05-21 19:50
Platform: win7-20240419-en
Max time kernel: 146s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2248 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2248 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2248 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2248 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2412 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2412 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2412 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2412 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2812 wrote to memory of 984 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2812 wrote to memory of 984 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2812 wrote to memory of 984 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2812 wrote to memory of 984 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\241d8b75eb10bda889faf103e2767060ce788c0abaddbd53a2c87f581b422c1f.exe"

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Process: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5b2bae4a2f2cc6ac90e41fc415cff5a0
SHA1 76506ef1fade03ea448fc9575724a771cce41af8
SHA256 1d2dc7d890897d5c0f06c9d37e26752bde67f34e3a58e2032191aa73fa213d6c
SHA512 decf6a1316f47c2bdbcf3ef5ad1ecdbdca03ec0849a2e981622e433e2586ca0cf558f67370796d94501bdac8a78d6f8451f4d387cfa5adb380ebde1a46c836be

\Windows\SysWOW64\omsecor.exe

MD5 ad1b9925a45c6fac90b35b197b36ea17
SHA1 6af2b3680f4dd4c0f746c7f699c29d1ff2e26ab4
SHA256 5cbc31e10508ee67937748f37f16dced48e4837e0f863c1a756b4178222e31d4
SHA512 28945d09b23371a1425f84389525c48fdc733478f6f07221800972a2fd1635146eb3c5a17b8d83508034d65b72d8add1baff205647cf9a4475cc5e659a4f0d3e

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7729887c42d17c42e29dc69ece18e222
SHA1 e5a5ba4802fc9a68622e5960ed1fc449d25d5e3e
SHA256 94d453da89cf884ca97b71fd78e754935ecbf9892bd69b4cd08db537122ecbce
SHA512 3ca2f2c257659c61d11eb9dfb0553a96022a86aa8d5b0946feb00157c46f4a9318e9d1a4e9cd57738197642c51eb9246596970657a447539566558d59b0ab1d2