Malware Analysis Report

2024-11-16 13:01

Sample ID: 240522-a6sfqsfc8y
Target: 703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79
SHA256: 703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79
Threat Level: Known bad

The file 703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-22 00:49

Signatures

Neconyd family

neconyd

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-22 00:49
Reported: 2024-05-22 00:52
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe

"C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            lousta.net                    udp
FI       193.166.255.171:80    lousta.net                    tcp
US       8.8.8.8:53            97.17.167.52.in-addr.arpa     udp
US       8.8.8.8:53            133.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53            149.220.183.52.in-addr.arpa   udp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa    udp
FI       193.166.255.171:80    lousta.net                    tcp
US       8.8.8.8:53            198.187.3.20.in-addr.arpa     udp
US       8.8.8.8:53            mkkuei4kdsz.com               udp
US       64.225.91.73:80       mkkuei4kdsz.com               tcp
US       8.8.8.8:53            73.91.225.64.in-addr.arpa     udp
US       8.8.8.8:53            ow5dirasuek.com               udp
US       35.91.124.102:80      ow5dirasuek.com               tcp
US       8.8.8.8:53            102.124.91.35.in-addr.arpa    udp
FI       193.166.255.171:80    lousta.net                    tcp
US       8.8.8.8:53            82.90.14.23.in-addr.arpa      udp
US       8.8.8.8:53            23.236.111.52.in-addr.arpa    udp
US       8.8.8.8:53            g.bing.com                    udp
US       204.79.197.237:443    g.bing.com                    tcp
NL       23.62.61.97:443       www.bing.com                  tcp
US       8.8.8.8:53            237.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
NL       23.62.61.97:443       www.bing.com                  tcp
US       8.8.8.8:53            58.99.105.20.in-addr.arpa     udp
US       8.8.8.8:53            97.61.62.23.in-addr.arpa      udp
FI       193.166.255.171:80    lousta.net                    tcp
US       64.225.91.73:80       mkkuei4kdsz.com               tcp
US       8.8.8.8:53            73.239.69.13.in-addr.arpa     udp

Files

memory/916-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c037c206312b84e835d51f75ef270823
SHA1 b58155fd2871af8aa2247cc326a8bd63e7410c5d
SHA256 ff19daa6ca5622c070053ddb205229f2930dc95c630b37a87b4a54816eecf826
SHA512 2ec6a9e8f042a0fdc88a8bc598bee11ef49ef7b7163ff85537d1764e9f0f59cb03f43e296ae164381d2e725bbc55aed6fefbee600ff965e839535e4ad734148e

memory/2964-4-0x0000000000400000-0x000000000042A000-memory.dmp

memory/916-6-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2964-7-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 928df0ecb02381ece45edb8b26de882e
SHA1 169ed8784b647e7f546447a64e044018c740d815
SHA256 ce464d19e0bf23cbd40fe312e10f168aad362cb4c87930ae6ca17eb312d6b7ca
SHA512 f8c9880ad37a3a9b081e2e3b886342597337495da075b8df602cc6fbd69119c09dfe5b6a780f54d6747d246f6d0ebb606a8a7d8be55dd0a582d6416d210960bb

memory/2964-11-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1316-12-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 85eaa437149e8c23e0cc9be25f3f2768
SHA1 7570bd0a0b3e8c356a4c3b931f244cba186e85dd
SHA256 e4964744d96f70148e11eab07741d7eb7b49a61e062b25424e3bb0559118c8d0
SHA512 d29cb69b59e90df4653517b86d4567d6bb12d850141303afdea594315f98f5f013206ba5708c38737ff495a4e98eea205ede948eaa23c34e09f7113d78f10d19

memory/4552-15-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1316-14-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4552-16-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-22 00:49
Reported: 2024-05-22 00:52
Platform: win7-20240419-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1704 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1704 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1704 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2400 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2400 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2400 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2400 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2996 wrote to memory of 2780 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2996 wrote to memory of 2780 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2996 wrote to memory of 2780 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2996 wrote to memory of 2780 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe

"C:\Users\Admin\AppData\Local\Temp\703cade63eeaae121a90791b6a33e3ec8cba5990773adb4c24a55827d6239e79.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country  Destination           Domain             Proto
US       8.8.8.8:53            lousta.net         udp
FI       193.166.255.171:80    lousta.net         tcp
FI       193.166.255.171:80    lousta.net         tcp
US       8.8.8.8:53            mkkuei4kdsz.com    udp
US       64.225.91.73:80       mkkuei4kdsz.com    tcp
US       8.8.8.8:53            ow5dirasuek.com    udp
US       35.91.124.102:80      ow5dirasuek.com    tcp
FI       193.166.255.171:80    lousta.net         tcp
FI       193.166.255.171:80    lousta.net         tcp
US       64.225.91.73:80       mkkuei4kdsz.com    tcp

Files

memory/1704-0-0x0000000000400000-0x000000000042A000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c037c206312b84e835d51f75ef270823
SHA1 b58155fd2871af8aa2247cc326a8bd63e7410c5d
SHA256 ff19daa6ca5622c070053ddb205229f2930dc95c630b37a87b4a54816eecf826
SHA512 2ec6a9e8f042a0fdc88a8bc598bee11ef49ef7b7163ff85537d1764e9f0f59cb03f43e296ae164381d2e725bbc55aed6fefbee600ff965e839535e4ad734148e

memory/1704-4-0x0000000000220000-0x000000000024A000-memory.dmp

memory/1704-11-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2400-12-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1704-9-0x0000000000220000-0x000000000024A000-memory.dmp

memory/2400-14-0x0000000000400000-0x000000000042A000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 adc163a085fcfcc1ba910157ce9afdfa
SHA1 c646f4108d444a19e1e329f4901df236f1775ae6
SHA256 43a62f17a19dc08269aae1c0f86c59658027b424cd54206b54d5d9921dfc1132
SHA512 5fe613670e17add1e87e8f5d72d2f4beae8999938f7f908ae322d745c2da85e5b3262fed99ab5be9943109dda044451c3f7ffeb3992fd13bb30c3f8cdb1ba53a

memory/2400-19-0x00000000003B0000-0x00000000003DA000-memory.dmp

memory/2996-27-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2400-26-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2780-38-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e935759f821f900896303499fdfa40b8
SHA1 1c36d093268104db2513be2f523dcfa7a1ce4768
SHA256 205fefb80bc42c03ba6baa021558ea8a29a857e2ab151b745a16aca76d32861d
SHA512 f57a1c459bf9b4e444fb6d0e038080ed08639ffbcd9c4ca9434465c652c982af2baec948ad13b5b10f3de198a5fc0c2ea6a455ad8d2d7124e675c67acc7b8801

memory/2996-36-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2780-40-0x0000000000400000-0x000000000042A000-memory.dmp