Malware Analysis Report

2024-11-16 13:00

Sample ID: 240522-gh559aea62
Target:    b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1
SHA256:    b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1
Tags:      neconyd trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1

Threat Level: Known bad

The file b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-22 05:49

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-05-22 05:49
Reported:         2024-05-22 05:51
Platform:         win7-20240221-en
Max time kernel:  147s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe             N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Drops file in System32 directory

Description   Indicator                        Process                                     Target
File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                                                                                                 Target
PID 2820 wrote to memory of 1260  N/A        C:\Users\Admin\AppData\Local\Temp\b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2820 wrote to memory of 1260  N/A        C:\Users\Admin\AppData\Local\Temp\b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2820 wrote to memory of 1260  N/A        C:\Users\Admin\AppData\Local\Temp\b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2820 wrote to memory of 1260  N/A        C:\Users\Admin\AppData\Local\Temp\b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1260 wrote to memory of 2792  N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe                                                              C:\Windows\SysWOW64\omsecor.exe
PID 1260 wrote to memory of 2792  N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe                                                              C:\Windows\SysWOW64\omsecor.exe
PID 1260 wrote to memory of 2792  N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe                                                              C:\Windows\SysWOW64\omsecor.exe
PID 1260 wrote to memory of 2792  N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe                                                              C:\Windows\SysWOW64\omsecor.exe
PID 2792 wrote to memory of 1984  N/A        C:\Windows\SysWOW64\omsecor.exe                                                                         C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2792 wrote to memory of 1984  N/A        C:\Windows\SysWOW64\omsecor.exe                                                                         C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2792 wrote to memory of 1984  N/A        C:\Windows\SysWOW64\omsecor.exe                                                                         C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2792 wrote to memory of 1984  N/A        C:\Windows\SysWOW64\omsecor.exe                                                                         C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1.exe

"C:\Users\Admin\AppData\Local\Temp\b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country  Destination         Domain           Proto
US       8.8.8.8:53          lousta.net       udp
FI       193.166.255.171:80  lousta.net       tcp
FI       193.166.255.171:80  lousta.net       tcp
US       8.8.8.8:53          mkkuei4kdsz.com  udp
US       64.225.91.73:80     mkkuei4kdsz.com  tcp
US       8.8.8.8:53          ow5dirasuek.com  udp
US       35.91.124.102:80    ow5dirasuek.com  tcp
FI       193.166.255.171:80  lousta.net       tcp
FI       193.166.255.171:80  lousta.net       tcp
US       64.225.91.73:80     mkkuei4kdsz.com  tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3f422de3490b060a475f1a205584be74
SHA1 7e1beb19de266dda0235781d298c1317bc545568
SHA256 75ebf21fa18123c6af3a366e122845869968168676216bdfacd51d23f9681cf1
SHA512 7f4a216cf9edecf3587ff9a941dd09179efbb20f0c158ded768cb3a1364ddec3f38b5c42b4c62d96c5fdc041a81963428ce45bcd39cedba9e1c6832b5fecc427

memory/2820-8-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1260-9-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1260-11-0x0000000000400000-0x000000000042A000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 0a36148d5763d5293ee1152c6b774396
SHA1 38fd7b371a451e39ca44449ba95080cdb9c822c5
SHA256 0bbd42319fd24c5b6f7e75754e96ed21e2eed87bbb787e3cc50831f55487e98f
SHA512 61017ba5001beaaa599db2467d4f6184a235d613ec41b56f93f0a00abc156bbc5abd76f532e68f162686604c176e3552ab31276afad5877f323cbc159ff4b48c

memory/1260-16-0x0000000000280000-0x00000000002AA000-memory.dmp

memory/1260-22-0x0000000000400000-0x000000000042A000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0c8fce710d1e24ab4554a47e0caf9443
SHA1 d3d7b12050236ea528091a974c960c0e5cd38fc3
SHA256 1d09b893b1e7b21e5d981b9f0c46a3a7dcedbb405978251be0b96c56206a5ab7
SHA512 fc2cb8a60a8297f07695251e617461bfc476c5d4a8429829a4a8306be26dd97244e1d61145cce9c86a863ca56cd4fc99c3cb6ecfefde537bb585edc6ebfcd4f7

memory/1984-34-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2792-32-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1984-36-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-05-22 05:49
Reported:         2024-05-22 05:51
Platform:         win10v2004-20240508-en
Max time kernel:  149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe             N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Drops file in System32 directory

Description   Indicator                        Process                                     Target
File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1.exe

"C:\Users\Admin\AppData\Local\Temp\b4f7562f3e3a145a85c1b97a08e06468dae73836a52a164ff336225b664f2ba1.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          lousta.net                   udp
FI       193.166.255.171:80  lousta.net                   tcp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa   udp
US       8.8.8.8:53          82.90.14.23.in-addr.arpa     udp
US       8.8.8.8:53          69.31.126.40.in-addr.arpa    udp
NL       23.62.61.194:443    www.bing.com                 tcp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa  udp
US       8.8.8.8:53          194.61.62.23.in-addr.arpa    udp
US       8.8.8.8:53          97.17.167.52.in-addr.arpa    udp
FI       193.166.255.171:80  lousta.net                   tcp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa     udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa   udp
US       8.8.8.8:53          mkkuei4kdsz.com              udp
US       64.225.91.73:80     mkkuei4kdsz.com              tcp
US       8.8.8.8:53          240.221.184.93.in-addr.arpa  udp
US       8.8.8.8:53          73.91.225.64.in-addr.arpa    udp
US       8.8.8.8:53          ow5dirasuek.com              udp
US       35.91.124.102:80    ow5dirasuek.com              tcp
US       8.8.8.8:53          102.124.91.35.in-addr.arpa   udp
FI       193.166.255.171:80  lousta.net                   tcp
US       8.8.8.8:53          30.243.111.52.in-addr.arpa   udp
US       8.8.8.8:53          tse1.mm.bing.net             udp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       8.8.8.8:53          200.197.79.204.in-addr.arpa  udp
FI       193.166.255.171:80  lousta.net                   tcp
US       64.225.91.73:80     mkkuei4kdsz.com              tcp
US       8.8.8.8:53          6.173.189.20.in-addr.arpa    udp

Files

memory/2112-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3f422de3490b060a475f1a205584be74
SHA1 7e1beb19de266dda0235781d298c1317bc545568
SHA256 75ebf21fa18123c6af3a366e122845869968168676216bdfacd51d23f9681cf1
SHA512 7f4a216cf9edecf3587ff9a941dd09179efbb20f0c158ded768cb3a1364ddec3f38b5c42b4c62d96c5fdc041a81963428ce45bcd39cedba9e1c6832b5fecc427

memory/1192-6-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2112-5-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1192-7-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 7a9d672f7473170668db837615d30b86
SHA1 3aa02ec6d0d221ecaa968ca3adec6d1cb82507e9
SHA256 a7cdebae9e63273820c58e808e8cac846c7325fa12d2f56b67ca51cc5de7f398
SHA512 7ab2d3042ce7dfb40178c6872cff24f920f5bf25ef70516d4970c34fb47f6198499a581840790e14445c6b082f05c04da8f71ff099ac578ea0ec4060fe70aa08

memory/1192-12-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4868-14-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f7b3b423ae543a9164a3ff750c6f9e00
SHA1 ef5712768da9eb202ad009effeeb365e77498fee
SHA256 8a446eace4764bb80c29e96a2458442bb634fb56b821b0790de5c4d02e513890
SHA512 42a79b02b8bed9000050016e24c7335fbf6a8d7d42de09ed3d8f6cbff137e7d1c7c65b31f09f4e49a0a53a204cc2e4a4cf77962e1c69d6126c5c606618300c08

memory/4868-17-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1020-18-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1020-20-0x0000000000400000-0x000000000042A000-memory.dmp