Malware Analysis Report

2024-11-16 13:01

Sample ID 240522-2dxnjabd66
Target 4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe
SHA256 4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad

Threat Level: Known bad

The file 4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 22:28

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 22:28

Reported

2024-05-22 22:31

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1792 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1792 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1792 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1792 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2192 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2864 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2864 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2864 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2864 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe

"C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7d9802727d3d6c4b694e4150f2f4a027
SHA1 26a31db9454de541eef66914d593cd55a7233a28
SHA256 75b8af8fd72803d087379428df21556dd132ad0dd8107b800e53731e348ac408
SHA512 886f9543e6e2eea965edd4678e5525acb12ede87454439a746ef802192a635908b450e5d2f2bcb877cbf547e790db68aabea78d503ac6c3beada2e9f693ccd95

\Windows\SysWOW64\omsecor.exe

MD5 af6eaff717447e122338265e78a580db
SHA1 fb87f36f5db271d6d5bf7bea140d4101a7520167
SHA256 3e7553fd63889caeb9761edbd7f781a4901539de547291749e1a37e5cc0360f0
SHA512 a3d3ee38995ec5f3082d78b20fde2cffc3db1cf2a2a16f45f000dd0fd6fc95ed3117788e6ca1c00eccc740d9ab1db0d77692317276fea90fea26d8c839572ed6

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8921920a284c53c58bfa60e31a18ee59
SHA1 5ae0f75da237f2bf018831f7a787e9e0903a5c6a
SHA256 a56b21ac1b196b1f419bc7be132926157469f2f14b051b840c46282a5f1bfe52
SHA512 5f1b8f2d70a8abc64fc55ea5f19553a2be062705c62eb49c2eb2a6dd240ab55c9392213e0c93a326d35e0f9640e940a3e56fe5cd638685e1d47fa45972b178a2

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 22:28

Reported

2024-05-22 22:31

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe

"C:\Users\Admin\AppData\Local\Temp\4c325d660b7a7eff347e653cc48a60d008eb65638f9157577ba174a1d7edbdad.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7d9802727d3d6c4b694e4150f2f4a027
SHA1 26a31db9454de541eef66914d593cd55a7233a28
SHA256 75b8af8fd72803d087379428df21556dd132ad0dd8107b800e53731e348ac408
SHA512 886f9543e6e2eea965edd4678e5525acb12ede87454439a746ef802192a635908b450e5d2f2bcb877cbf547e790db68aabea78d503ac6c3beada2e9f693ccd95

C:\Windows\SysWOW64\omsecor.exe

MD5 f013289f0c72a45c9c6cefb700138cbf
SHA1 1b6aafac571731a2b462f51a319fb05385c126ba
SHA256 ebac40d9a051afea8c2242984870684e44b48ba9de59059454877d2d8c248848
SHA512 553619320ead3abb35120c3ad0d42c792c86832f926360a3ef5b498e1acab03ae845741a1d97cbbdc5eadf4c5b062b725eaa605210f497cb0e3083bcb492d470

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 777870b5fe9e776f3ce5dd480efe2c48
SHA1 0d3218123255a6b1f04e070647b88163288b544e
SHA256 e2d735d8b880ab96299bfc7354bb801bbe025d3f0823368243067b2a7b2d3f5c
SHA512 21354af95706f768d594931a65b6a76a0803d88911af133c7a6388fe71344ce218fa61d3c96fae101297deaf7e76b7a546e531349cf1cd93cd444486eb6d35fc