Malware Analysis Report

2024-11-16 12:59

Sample ID 240522-b58xrsge9v
Target 7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6
SHA256 7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6

Threat Level: Known bad

The file 7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 01:44

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 01:44

Reported

2024-05-22 01:47

Platform

win7-20240508-en

Max time kernel

120s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2368 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2384 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2384 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2384 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2384 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1208 wrote to memory of 1572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1208 wrote to memory of 1572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1208 wrote to memory of 1572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1208 wrote to memory of 1572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe

"C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5842d1ee87f8e7563bf511f5ba78904e
SHA1 6fa5edea48945a9382b9f5bcbd001d83deeeda07
SHA256 86162eabb5938da7126cc6681803195fe4fe6c9dcb684a92f264bc332e488fe2
SHA512 2baaa512739e0a3f619643229602ca37d68bece450bfb3dc48a1ff35dd468f5338b45364cc0d287f0ec95365faf5f70bc36272fabc9ac2f3b7c9db53b7e50a80

\Windows\SysWOW64\omsecor.exe

MD5 a8924cdff4dd73db15e7a2dde74c8c62
SHA1 b1fe2053f273a019a21cf3d227c33f3da57ca26d
SHA256 3029d67258c01badf367558233871ca57f7523b94dc107bf315dfea959bc4382
SHA512 fd68f17fa44ff3895bf7262b89f2520b1af50b304ed66932b7cf566fd56235c8e6774e1cdb26b58baca386154a547de3624606d0ec9e1e27ce6c59aa890bb799

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b679eb5f3d0fabdcbcf1b9674e782844
SHA1 a16aa1176acd10506b9c4f7b0d89fcf28c8fe38a
SHA256 df04cbf95589e3a889d75244b0240da1d7d34b5b041ac34fde94a56782c56490
SHA512 a23f85430a8bad24acb755e299853c19f6fe962a29a6502278c53f1e7b3c3af903f48bef1afd77a062f5f925a640d31b21c374a2b015cd1e14ea55239d129438

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 01:44

Reported

2024-05-22 01:47

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe

"C:\Users\Admin\AppData\Local\Temp\7d9e8c0626a66fbc9504b9fc864cb565613f263d423180d55c97c8b410e44ee6.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5842d1ee87f8e7563bf511f5ba78904e
SHA1 6fa5edea48945a9382b9f5bcbd001d83deeeda07
SHA256 86162eabb5938da7126cc6681803195fe4fe6c9dcb684a92f264bc332e488fe2
SHA512 2baaa512739e0a3f619643229602ca37d68bece450bfb3dc48a1ff35dd468f5338b45364cc0d287f0ec95365faf5f70bc36272fabc9ac2f3b7c9db53b7e50a80

C:\Windows\SysWOW64\omsecor.exe

MD5 45edc16c07b947827aa5e8d585c1df76
SHA1 1c73c563029ce170c630949ad7d5037d153209a5
SHA256 4ea3c8ed8662d3b1e91c0f264b412acfac63bd09bd1b4b15b32781fb15ff4db5
SHA512 88d68d8c19141e5d1d4f7bdc4b286d2f342ee44e0d43ecbf1818f33bf72fc3c21d3ad0b51d189201860443e642d1b43685f1f70b9211237e96dec68af97f3f41

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3017f7b96a08b5eca671e2d291c00219
SHA1 3a978c363fc3f3e8f08065246b0a773fabdcc18f
SHA256 e8988402370bd4dac50fccbbd9e3b792bd230df3c00da14b12ddb14d70f2cb57
SHA512 a778915366ae6593b13af547ea73a614cb02f801d3e9ab9a0c49636170a37a074d3cb647e5acf128f26fbe37214717c4bf9a23be22ac9e897adb3bbfbddf2046