Malware Analysis Report

2024-11-16 13:01

Sample ID 240522-p79hzacc7y
Target 2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe
SHA256 2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc

Threat Level: Known bad

The file 2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 12:59

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 12:59

Reported

2024-05-22 13:10

Platform

win7-20240221-en

Max time kernel

121s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2524 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2524 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2524 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2524 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2804 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2804 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2804 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2804 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2152 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2152 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2152 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2152 wrote to memory of 1988 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
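The twelve rows above are three distinct parent-to-child pairs, each recorded four times. The script below is an added example written for this page, not part of the sandbox report or of any Neconyd tooling: it parses rows in exactly that flat format, collapses the repeats into a counted edge list, and recovers the linear injection chain 2524 -> 2804 -> 2152 -> 1988 together with the image each PID ran from. It deliberately returns None for the chain when the writes branch or have more than one root, which is the case a one-line "parent -> child" summary would hide. The PID-to-image mapping is inferred from the Process and Target columns, and the twelve input rows are embedded as constructed sample data.

```python
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed input: the three distinct rows of the behavioral1 table, each
# repeated four times exactly as the report lists them.
_ROWS = [
    r"PID 2524 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe C:\Users\Admin\AppData\Roaming\omsecor.exe",
    r"PID 2804 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe",
    r"PID 2152 wrote to memory of 1988 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe",
]
WPM_TABLE = "\n".join(row for row in _ROWS for _ in range(4))


def parse_wpm(table):
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per matching row."""
    events = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            events.append((int(src), int(dst), src_img, dst_img))
    return events


def build_chain(events):
    """Collapse repeated writes into counted edges and walk them from the root.

    Returns (chain, edge_counts, pid_to_image). chain is None when the writes do
    not form one linear parent -> child sequence (several roots, or one process
    writing into more than one child), so a tree is never silently flattened."""
    edge_counts = Counter((s, d) for s, d, _, _ in events)
    pid_to_image = {}
    for s, d, s_img, d_img in events:
        pid_to_image.setdefault(s, s_img)
        pid_to_image.setdefault(d, d_img)
    children = defaultdict(set)
    for s, d in edge_counts:
        children[s].add(d)
    targets = {d for _, d in edge_counts}
    roots = sorted({s for s, _ in edge_counts if s not in targets})
    if len(roots) != 1 or any(len(c) != 1 for c in children.values()):
        return None, edge_counts, pid_to_image
    chain = [roots[0]]
    while chain[-1] in children:
        nxt = next(iter(children[chain[-1]]))
        if nxt in chain:          # cycle guard: a tail that loops back would spin forever
            break
        chain.append(nxt)
    return chain, edge_counts, pid_to_image


def describe(chain, pid_to_image):
    """Label each hop by where its image lives: the user-writable staging
    directory or the Windows directory. That alternation (user, user, system,
    user) is what an analyst reads off this chain."""
    def location(path):
        return "system" if path.lower().startswith("c:\\windows\\") else "user"
    return [(pid, location(pid_to_image[pid])) for pid in chain]


if __name__ == "__main__":
    chain, counts, images = build_chain(parse_wpm(WPM_TABLE))
    for a, b in zip(chain, chain[1:]):
        print(f"{a} ({images[a]}) -> {b} ({images[b]}) x{counts[(a, b)]}")
    print(describe(chain, images))
```

The four identical rows per pair are kept as a count rather than discarded, since the number of WriteProcessMemory calls per hop is itself a comparable feature between detonations.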

Processes

Image: C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Note the third process: the command line names C:\Windows\System32\omsecor.exe but the image runs from C:\Windows\SysWOW64. The sample runs as a 32-bit process, so WOW64 file-system redirection sends its System32 writes and reads to SysWOW64; that is also why the "Drops file in System32 directory" signature above records the file as C:\Windows\SysWOW64\omsecor.exe. On a 64-bit host, look for the dropped copy under SysWOW64, and do not read a System32 path in a command line as evidence that the real System32 directory was modified.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 789ad43d132970e75072f253d64cdb36
SHA1 751ff2ab4d73974572d51801a61f850e87fac667
SHA256 ff4d1339f4d57b667cfcb22d5beb40359040cf6c93d3aea49e3cf28f66e9fa3b
SHA512 7fd2db8619ff7c68b91486e6659f1af8c2630836dcaa128abc62537b7c1973a96138e1bcbe9a4fbed3258ae243a0e555054682f486153cce7de5580e17078c47

\Windows\SysWOW64\omsecor.exe

MD5 690f57dda96115c4ff3d02ec2e5730b8
SHA1 20d611651f8012155acfff5fa851130b976901a6
SHA256 abaf0adf5991806b8598f0014af6cb76683f21314563fd44e722a32974e2df06
SHA512 90a8c0a668da0bc4aa60f8207d970685e0c64c7ee177ad393e38ea6ecb7dd44021dd326d6185114c9c385a250ad78f55e1ffb6c9f8e872665e179498f6460b3d

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6f5a59952b81e38aadcc76fc3330e560
SHA1 805ed50dd8e605b59bfe42befd35a39ac9e17984
SHA256 e217011271b6a2d952ff098ef667d66c78bca94dab92efd85e9c8b28ab6250ef
SHA512 5ad477451a709908eadd4cbbdbff07cc66adc4ffce822f349f52512cef848030f323fae424617def89f455dd804ed3ccce427f7f0d0aba91865af07a39287bd0

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 12:59

Reported

2024-05-22 13:10

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

The same image/command-line mismatch for the SysWOW64 copy as in behavioral1: WOW64 file-system redirection of a 32-bit process, not a write to the real System32 directory.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
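The behavioral2 table mixes attacker infrastructure with guest noise: every udp/53 row goes to the sandbox resolver (8.8.8.8) and only the queried name matters, the in-addr.arpa rows are reverse lookups of IPs the guest touched, and tse1.mm.bing.net is Windows 10 background traffic. The script below is an added example for this page, not part of the report: it parses both Network tables' flat "Country Destination Domain Proto" layout, keeps contacted domains and ip:port endpoints, decodes PTR names so you can see which contacted IPs were reverse-resolved, and counts what it skipped. The BENIGN_SUFFIXES allow-list is an assumption about a stock Windows guest, not something the report states; the table is embedded as constructed sample data.

```python
import re
from collections import Counter

# Constructed input: the behavioral2 Network table above, copied as flat text.
NET_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

# Assumption: domains a stock Windows 10 guest contacts on its own, so their
# presence says nothing about the sample. Extend this for your own sandbox image.
BENIGN_SUFFIXES = ("bing.net", "microsoft.com", "windowsupdate.com", "msftconnecttest.com")
PTR_RE = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa")


def ptr_to_ip(name):
    """'73.91.225.64.in-addr.arpa' -> '64.225.91.73'; None if not an IPv4 PTR name."""
    m = PTR_RE.fullmatch(name)
    if not m:
        return None
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage_network(table):
    """Split the table into hunt-worthy indicators and sandbox noise.

    Resolver rows (udp/53) contribute only their queried name, never the resolver
    address as an endpoint; PTR queries are decoded and matched against the IPs
    actually contacted; allow-listed background domains are skipped entirely."""
    domains, endpoints, ptr_ips = set(), set(), set()
    skipped = Counter()
    for line in table.strip().splitlines()[1:]:      # drop the header row
        parts = line.split()
        if len(parts) != 4:
            continue
        _country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        ptr_ip = ptr_to_ip(domain)
        if ptr_ip:
            ptr_ips.add(ptr_ip)
            skipped["ptr"] += 1
            continue
        if is_benign(domain):
            skipped["benign"] += 1
            continue
        domains.add(domain)
        if proto == "udp" and port == "53":
            skipped["dns_dest"] += 1                 # name kept, resolver address not
            continue
        endpoints.add(f"{ip}:{port}")
    contacted = {e.rsplit(":", 1)[0] for e in endpoints}
    return {
        "domains": sorted(domains),
        "endpoints": sorted(endpoints),
        "ptr_of_contacted": sorted(ptr_ips & contacted),
        "skipped": dict(skipped),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_network(NET_TABLE), indent=2))
```

Run on the table above this yields three domains (lousta.net, mkkuei4kdsz.com, ow5dirasuek.com), three HTTP endpoints on port 80, and two PTR lookups that correspond to contacted C2 IPs (64.225.91.73 and 35.91.124.102); the remaining seven reverse lookups are of addresses the guest never connected to on a logged port and are left out of the indicator set.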

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 789ad43d132970e75072f253d64cdb36
SHA1 751ff2ab4d73974572d51801a61f850e87fac667
SHA256 ff4d1339f4d57b667cfcb22d5beb40359040cf6c93d3aea49e3cf28f66e9fa3b
SHA512 7fd2db8619ff7c68b91486e6659f1af8c2630836dcaa128abc62537b7c1973a96138e1bcbe9a4fbed3258ae243a0e555054682f486153cce7de5580e17078c47

C:\Windows\SysWOW64\omsecor.exe

MD5 baf509331a58dacb0b0fa2d47ea79852
SHA1 b03fe91ff77881f8673ff4ef46a4cbf2a3472d24
SHA256 04bb9a0f1fb63173c7f81e62dd35cb138f1a615c5cfab9673657e38026e5fb06
SHA512 d70cc4ab7d5688bed7df83aaf22d1514afb55503bfbf2af3bd3dd78b2210b7b3f1de8fa17e979c23c6348a5d58657ba102c4513da410a419bc4132d8168dab39

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4955cfa618bc3e0428aa155c997172fd
SHA1 d25df9282a6846989bb9f4b8b508d2aabdd991d7
SHA256 5a2a40505df0271ff5bdc5d7c1691bca676adbe14418e2596b6c8cd44448b5b8
SHA512 d5d788fabc9a3bf23aae75395cdb08e92e90cd4294ae8f017c604cc014cbeb783338f3c59c4b142c5a4293343530183d39035128bf30fa10d006455708390bcc
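Comparing the two Files sections shows which hashes are worth a rule. The first copy written to C:\Users\Admin\AppData\Roaming\omsecor.exe has the same SHA256 (ff4d1339...) in the win7 and win10 runs, but the SysWOW64 copy (abaf0adf... vs 04bb9a0f...) and the second Roaming copy (e2170112... vs 5a2a4050...) differ between detonations, so a hash match on those would miss the next run; the drop paths and file name are the stable indicators there. The script below, an added example and not part of the report, parses both sections in the flat "path / ALGO hex" layout used above (with or without a drive letter, as the win7 section omits it) and returns, per dropped path, the digests that recur across runs and the ones that do not. The embedded sample data is constructed from the two sections with the SHA1 and SHA512 lines left out for brevity.

```python
import re

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$", re.I)

# Constructed input: behavioral1 (win7) Files section, path plus MD5/SHA256 lines.
FILES_RUN1 = r"""
C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 789ad43d132970e75072f253d64cdb36
SHA256 ff4d1339f4d57b667cfcb22d5beb40359040cf6c93d3aea49e3cf28f66e9fa3b

\Windows\SysWOW64\omsecor.exe
MD5 690f57dda96115c4ff3d02ec2e5730b8
SHA256 abaf0adf5991806b8598f0014af6cb76683f21314563fd44e722a32974e2df06

\Users\Admin\AppData\Roaming\omsecor.exe
MD5 6f5a59952b81e38aadcc76fc3330e560
SHA256 e217011271b6a2d952ff098ef667d66c78bca94dab92efd85e9c8b28ab6250ef
"""

# Constructed input: behavioral2 (win10) Files section, same layout.
FILES_RUN2 = r"""
C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 789ad43d132970e75072f253d64cdb36
SHA256 ff4d1339f4d57b667cfcb22d5beb40359040cf6c93d3aea49e3cf28f66e9fa3b

C:\Windows\SysWOW64\omsecor.exe
MD5 baf509331a58dacb0b0fa2d47ea79852
SHA256 04bb9a0f1fb63173c7f81e62dd35cb138f1a615c5cfab9673657e38026e5fb06

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 4955cfa618bc3e0428aa155c997172fd
SHA256 5a2a40505df0271ff5bdc5d7c1691bca676adbe14418e2596b6c8cd44448b5b8
"""


def normalize(path):
    """Drop an optional drive letter and case so 'C:\\Windows\\..' and '\\Windows\\..' compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_files(section):
    """Return {normalized_path: [ {ALGO: hexdigest, ...}, ... ]}.

    A path line opens a new entry; the same path may appear several times when
    the sandbox saw several distinct file contents at that location."""
    entries, current = {}, None
    for line in section.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = {}
            entries.setdefault(normalize(line), []).append(current)
        elif current is not None:
            m = HASH_RE.match(line)
            if m:
                current[m.group(1).upper()] = m.group(2).lower()
    return entries


def compare_runs(run_a, run_b, algo="SHA256"):
    """Per path: digests seen in both runs (stable) and digests seen in only one (volatile)."""
    result = {}
    for path in set(run_a) | set(run_b):
        a = {e[algo] for e in run_a.get(path, []) if algo in e}
        b = {e[algo] for e in run_b.get(path, []) if algo in e}
        result[path] = {"stable": a & b, "volatile": (a | b) - (a & b)}
    return result


def hunting_hashes(comparison):
    """Only digests that recurred across detonations belong in a hash-based rule."""
    return sorted(h for v in comparison.values() for h in v["stable"])


if __name__ == "__main__":
    comparison = compare_runs(parse_files(FILES_RUN1), parse_files(FILES_RUN2))
    for path, v in sorted(comparison.items()):
        print(path, "stable:", sorted(v["stable"]), "volatile:", sorted(v["volatile"]))
    print("hash rule candidates:", hunting_hashes(comparison))
```

With more than two detonations the same intersection logic applies pairwise or across all runs; a digest that survives every run is a file the sample carries unchanged, while a digest that changes every time points at per-run patching of the second stage, and the rule for that stage should key on path, name and the WriteProcessMemory chain instead.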