Malware Analysis Report

2024-11-16 13:01

Sample ID 240522-gfa74aea3w
Target b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197
SHA256 b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197

Threat Level: Known bad

The file b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 05:44

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 05:44

Reported

2024-05-22 05:46

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2116 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2116 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2116 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2116 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2192 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2336 wrote to memory of 2008 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2336 wrote to memory of 2008 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2336 wrote to memory of 2008 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2336 wrote to memory of 2008 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197.exe

"C:\Users\Admin\AppData\Local\Temp\b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2116-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 799dff4063a1a17a50ba7f252509baf3
SHA1 7543cdc7d493f649872f195443204c9162dc21b0
SHA256 762650178482cfc9bfc425ec160b21c65c295e8775e3a587461f3a91a14da9c0
SHA512 36fabd6bf9f2ab6e621f55ae85865e9427fddb8958d895028c55155d8cbbb04921d4f5d8a24d2f22c40dd20ec6c2cc69a5c4a185e708e579938e7a3f39a4a9b8

memory/2192-9-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2192-11-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 a569269768d1273cdb5020370032603b
SHA1 79f3f4880841ca2960b925e5a5d9635383e45389
SHA256 8b56958ac27bc00611e462530e41ae023da006a383f55ac4f14ae16c504d21a6
SHA512 d4581a877e1b6bc18064b186120ad7bcc459fa76fc7824e1d651085a2e11f1e372f445c694e2721a9b990a1dd32afb62c5982478bc1ebc9fbed15a93fd916d59

memory/2192-16-0x0000000001F30000-0x0000000001F5B000-memory.dmp

memory/2192-22-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 fa05d44cd2faa36702e23ef22f71b500
SHA1 0c7409686a92bf034dad05d287be31712f3093cd
SHA256 1da1680c00b38f6f4a8796d4afe97693138d6147b1e8c203fda1556d2de42f70
SHA512 bafe62419913f76fe550a43d742ec5dcae5198ca172579a93736965b3daa6dfa809f82c6507f51f4bbb309c812c57fc5554512d7883375033a544495e62907e3

memory/2008-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2336-33-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2008-36-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 05:44

Reported

2024-05-22 05:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197.exe

"C:\Users\Admin\AppData\Local\Temp\b3b3bdaa466f6a514d068e0fc85ef3e1b69314744719dcd3aa6a8b8ed47e9197.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
US | 52.111.229.43:443 | N/A | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp

Files

memory/4504-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3080-4-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 799dff4063a1a17a50ba7f252509baf3
SHA1 7543cdc7d493f649872f195443204c9162dc21b0
SHA256 762650178482cfc9bfc425ec160b21c65c295e8775e3a587461f3a91a14da9c0
SHA512 36fabd6bf9f2ab6e621f55ae85865e9427fddb8958d895028c55155d8cbbb04921d4f5d8a24d2f22c40dd20ec6c2cc69a5c4a185e708e579938e7a3f39a4a9b8

memory/4504-5-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3080-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 2dab951a8d0dadc37eaea0cac4104329
SHA1 55cb6ddd2320c3075605a67537684158902bef48
SHA256 d7b45b700d45401d4732878f41956f2dcf5aa0e117bb133f5828088905e03075
SHA512 dabbc6219d5ef2fb57fc7f95900856333fcff48e799693cd3df0743b5d92822e0d5e79d9e83a624c22f7608427122cf0c830d55c97d8d541cc9bd8fe67022051

memory/3080-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1444-12-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 71a596da9a548441311e822f0e8f3923
SHA1 30222258df8d4940107344874d48fc384db07c05
SHA256 9d1229cc62e0604fab838b06795230a2494cb8774b1b3b4d27bbee97bfc73302
SHA512 182d5acb5ed9db1172002d9c9c3a6aa30af97a89011f328ba6105d9a59d82a767cf128dde696d9b243a1bc10ced5c9e68126e6531f886debe05f7b1ab5450a4b

memory/4216-18-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1444-16-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4216-20-0x0000000000400000-0x000000000042B000-memory.dmp