Malware Analysis Report

2024-11-16 13:01

Sample ID: 240522-hsqzraff49
Target: 23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe
SHA256: 23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251

Threat Level: Known bad

The file 23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-22 07:00

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-22 07:00
Reported: 2024-05-22 07:02
Platform: win7-20240220-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2036 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2036 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2036 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2036 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2028 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2028 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2028 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2028 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2564 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Process | Command Line
C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe | "C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5: 6729049df9dcdf60d1a4b2d66185d9ee
SHA1: 8e3cebbac162379787c43942a49fda1173bf60cf
SHA256: f9f9421b8036812e1789e90181b7ecd141f5edb4b22303a334da65114e7c1647
SHA512: 2b6025253c3b0086fe52ee6e4739f7660542d2625b5f7f8c58c033b4c9526dabf64de95485408cfec464e172010f6cc43032d43b04dfc05c90fa522dd9547f9f

\Windows\SysWOW64\omsecor.exe

MD5: 41368f07d588b3169b9603c7ac675c3d
SHA1: 7f07fef0f29af7fa0569be43880ea2eb625e792f
SHA256: 1cd64a1df9da50d3be9ead514922922629dfd5e6c5c45675c00014f9b3a7a81d
SHA512: 88ba30746083a58e787eab5c94a0d2c7c6d17ae289dbc3008adb540b4841babbaead4958ce42ea97865cc303efb1b3f78bf996449c3ba3523323ea8dc2918efd

\Users\Admin\AppData\Roaming\omsecor.exe

MD5: 1dab643aaae5611efd5d42a87d3ace41
SHA1: ad3d9cd379d182c0d1a1575b41797bfa9338240e
SHA256: 068ebe93f9c6ce09850371d263ec6f5e5882980b11a578883bc08c564f0c44a5
SHA512: d5196a119cc8e6bd08d77d84281dd8453f5f0ec923fb47fcb44048b2abb70c061ae72328a9f2a9180c3f5fff17ee96ec9d815caee6f1485230fffba3daf46f6b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-22 07:00
Reported: 2024-05-22 07:02
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

Process | Command Line
C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe | "C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5: 6729049df9dcdf60d1a4b2d66185d9ee
SHA1: 8e3cebbac162379787c43942a49fda1173bf60cf
SHA256: f9f9421b8036812e1789e90181b7ecd141f5edb4b22303a334da65114e7c1647
SHA512: 2b6025253c3b0086fe52ee6e4739f7660542d2625b5f7f8c58c033b4c9526dabf64de95485408cfec464e172010f6cc43032d43b04dfc05c90fa522dd9547f9f

C:\Windows\SysWOW64\omsecor.exe

MD5: f8bc576c9ca3b8f4fa3c7f62072812bf
SHA1: a747c9870216e5863bf85e46921242e3040fae3e
SHA256: de6eb7076c324222b6f286c5fd64ccf8f5eeade4fbc6610c53ec22756ac539a6
SHA512: e1849e55144e11668538a59fd4f4a568c756cd91e2ebc940a102d54072d8904218e868cb9978b8476523bd1d8ad682cff3b22a1874592355bb6ba0fff999605a