Malware Analysis Report

2024-11-16 13:00

Sample ID 240522-elmf7sbf7t
Target 9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151
SHA256 9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151

Threat Level: Known bad

The file 9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-22 04:01

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-22 04:01
Reported 2024-05-22 04:04
Platform win7-20240508-en
Max time kernel 145s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1684 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1684 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1684 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1684 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1696 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1696 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1696 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1696 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2844 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2844 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2844 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2844 wrote to memory of 2020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe

"C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 16a4ff03cfb1c46753437c5fe9dd124a
SHA1 32526b33c34a019d4d8b946f2c342cf8aa3d511c
SHA256 c8a50a2af383bbaa1a612a9e9a85781bd9c913bafe1e4ad829fdb61fe0a32c1f
SHA512 0420d59332db5eb8a8900a3b4b924f1317f7e6c8cd9acd02a9377a2e19c833e1be28c9fbff9033f3a010280d7e6eb1e713d090bb89789b05e15dcecf0ead703f

\Windows\SysWOW64\omsecor.exe

MD5 ab61eeab19c4a7700597bcc5d7516e0f
SHA1 2ddb231e871a72e9261351a311a2b2477d987450
SHA256 42a98eaf7f7ffe9a7577bef7ba0a0f87736b423cea28bff0cbc42271bbaa5ed3
SHA512 52b5dfb0cf1a67ca0c1627a2c75a71958e1ec7517abbe698721e6a180c9e84033af04d1b4df3f1179f1c48bdf43944a4c6b2a46bd8387bf7d69356fff3a48f50

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 fa0a167ecc04bc264a7c8fb74082be22
SHA1 9a998bb18083fce4df9e01ee9c09e531615fb5c7
SHA256 edc33eb172b05560649ec458531beaac989ad288d48dd88f3fbfed1750afcae9
SHA512 47391d2ef6d62791764af756581679fbdaba22d9c46bf604ddd81c59f79552989f4a8128357bb2e614b68e7a35d336a1901eb6c7b5aed167b2a692fef32f13db

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-22 04:01
Reported 2024-05-22 04:04
Platform win10v2004-20240508-en
Max time kernel 145s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe

"C:\Users\Admin\AppData\Local\Temp\9b825e9ad885a56eecd13ba01faf4afd951520da2ff507635f8f2122ac818151.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 16a4ff03cfb1c46753437c5fe9dd124a
SHA1 32526b33c34a019d4d8b946f2c342cf8aa3d511c
SHA256 c8a50a2af383bbaa1a612a9e9a85781bd9c913bafe1e4ad829fdb61fe0a32c1f
SHA512 0420d59332db5eb8a8900a3b4b924f1317f7e6c8cd9acd02a9377a2e19c833e1be28c9fbff9033f3a010280d7e6eb1e713d090bb89789b05e15dcecf0ead703f

C:\Windows\SysWOW64\omsecor.exe

MD5 473d273433328ae729cd2e2c48349ad0
SHA1 a5db6140ca5c3cbbca3350c6c884ca97eb180109
SHA256 975fc766436bf94bacd4d1846cac8d1c41eed459137b9ae2c3e87ef452a69af5
SHA512 57dcb11ed3c090198134d6969aeab26951cc245f1fbb1f705ffb70742d7877bb5b1add275939e77a32dd5fdbb973661467fcc7e08a61f7fc47678e9de0941a91

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 17040f670323abf1592bacddb563f5e6
SHA1 21d48bca11e498689b23ef25a5208ccfeaf5b2d0
SHA256 513f94c806abdde1e951c5c6efcc44293ced3be203cb67d67c464a502bdf6f1e
SHA512 b2ea72d4f5cad46061f7cc42c6e847876152db838f16abb029e39474636c84f02fb6a0589a401d100ef95e48c28f46aa46cab61c922c583848d6cea862147da1