Malware Analysis Report

2024-11-16 13:01

Sample ID 240522-z966qshc8z
Target 4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246
SHA256 4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246

Threat Level: Known bad

The file 4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 21:26

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 21:26

Reported

2024-05-22 21:28

Platform

win7-20231129-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1908 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1908 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1908 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1908 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1920 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1920 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1920 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1920 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2744 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2744 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2744 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2744 wrote to memory of 1472 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe

"C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a6b7e5317adbf83ff7f1b88f3d1d84c7
SHA1 34c3715e44b025ea9fd664f7ba143733bce3567b
SHA256 3d28316449842df8890b08eb56896b497c34e03acfa5c6ebb54bcbb365676ac2
SHA512 8efa65b6eaee72cc24cf449a097f1c94ed77f318f6c54db5f3c8a35c22082ec3e8728f8dd257d86aad65ffb91656945438b08bd1ea755f8cb2ba4dbc765ee8b9

\Windows\SysWOW64\omsecor.exe

MD5 6564ff4482858cce97a8e2208961153d
SHA1 29135529e1a5820216cfc53823510a4a722a3bbe
SHA256 bed52e505c5fecb36bf27e8a8b2c329d4e79ed545e1be66982691fb9fc5f3e08
SHA512 38bd74a54fbab6a3c4ea2e14421e38e18a3eb6bde1bf141582da2e1f558cac290064b9778232f7c6d3e1ea916076039f8aa47b526a902850ff23b7ee22a7c19d

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4d694295edad130bc62a774b26c88179
SHA1 24a0f7e859faacb7a6ad9c10b4543aba8d27af39
SHA256 6b1a19367d2b69835c238ace80523917dc2625cb450153ef7dddf1bde93062e8
SHA512 0c19c945291179151d7c645297da9a5b09ed6365443a91f56165ececf1640474e48f462b22179b49634155d60dc947b15b4da6d687ade0aac9992f1b52019bb5

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 21:26

Reported

2024-05-22 21:28

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe

"C:\Users\Admin\AppData\Local\Temp\4cc3308f342c60d2d0f39c40d8c44ec19cd15d1f07f06e279ff24e7b71078246.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.114:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 114.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.90:443 www.bing.com tcp
US 8.8.8.8:53 90.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 242.137.73.23.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a6b7e5317adbf83ff7f1b88f3d1d84c7
SHA1 34c3715e44b025ea9fd664f7ba143733bce3567b
SHA256 3d28316449842df8890b08eb56896b497c34e03acfa5c6ebb54bcbb365676ac2
SHA512 8efa65b6eaee72cc24cf449a097f1c94ed77f318f6c54db5f3c8a35c22082ec3e8728f8dd257d86aad65ffb91656945438b08bd1ea755f8cb2ba4dbc765ee8b9

C:\Windows\SysWOW64\omsecor.exe

MD5 7910f00e2e12939cb24dcd2e44b7092f
SHA1 cabef0aad495f04a0851ef21b4f301bccbfcae3c
SHA256 a75ed25853a5fb3b3a20e0d36e851588d53aa4608e610d4b5370c03a7935f0be
SHA512 0f92d7fe0aa3c0f4de41d86eefba395132bf0f81bcb22ad6b6846aa6a150d4dd4d9ac76265e43477f3ba526ac734ac1bc76117e20450f04d9e91dbe2c56266ce

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 eb64cec590d85c81bfc6206ccce3fc03
SHA1 b86a499642fd8c7c7f34aa31c2bd4afa6b5a411f
SHA256 2be629b3877694571cfc71ee2e1bc2b4ab469fe4c3bb0f2922ff17ab95c04e42
SHA512 8a37e1c97cae175420ecab7f6237bd040966b7a1321ca904a79ca48906dc65e3a812388f77c40712e7321c769c1c7cdb3a6ae21453d54424e6b22edb9b2c3c91