Malware Analysis Report

2024-11-16 13:01

Sample ID 240523-cr6e6aac6w
Target b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6
SHA256 b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6

Threat Level: Known bad

The file b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 02:19

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 02:19

Reported

2024-05-23 02:22

Platform

win7-20240215-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1200 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1200 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1200 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1968 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1968 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1968 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1968 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1812 wrote to memory of 2220 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1812 wrote to memory of 2220 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1812 wrote to memory of 2220 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1812 wrote to memory of 2220 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe

"C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f387b544f8bfbcf11c9ee8cefc9b256e
SHA1 59a2bc3032b44e93b3eea3f73f706280e2db22b7
SHA256 0297917b646e11270e4478c1da4df711cfa5f4ef98a6aa36f540b65390957557
SHA512 bd66feb2da8929252da9d5b1c33864831fbbccc959bb008301729d145c603eac554a22de28298224e64ecf1e89326187305aa0da5de212c6dfefdc141a72467f

\Windows\SysWOW64\omsecor.exe

MD5 d3ed945f8d2057e870c008c8f5d327bf
SHA1 44a74efb7db0fb284ae0089e6e2f0e00dc83b5b0
SHA256 b81271fcd44422fc9070d5ecd55e9c3a5b1430d210e92be1381bb3c50f12e309
SHA512 88be84f8d4bf665104e93b939c2169f22dc438c44cf996e630093ffa186c354706748d674efb659bb9bbc2727a47cc2cb9f86504479d7ad6f862d3ea238f46ec

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 785f64ec1d981940a88b71b632e63a00
SHA1 db7dade7a73011e121edaa471c39a0b41219d64b
SHA256 26b276ad60fb03f9c15cfcd7d8f55b2aefc5121f7bebcee0d30459be3003c482
SHA512 1259e0810a85e1fe38cde6ed6de0ee39315ee8d289d4c067b0ce94ebe41e4aaa7cf8617b67282324a8ca8127744aba57740364a63dfe527532ea2ef4559fab70

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 02:19

Reported

2024-05-23 02:22

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe

"C:\Users\Admin\AppData\Local\Temp\b926ffef81b990a31b74b6d0a9756e9316b6749dd8ac77dd7921d471c2e351a6.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f387b544f8bfbcf11c9ee8cefc9b256e
SHA1 59a2bc3032b44e93b3eea3f73f706280e2db22b7
SHA256 0297917b646e11270e4478c1da4df711cfa5f4ef98a6aa36f540b65390957557
SHA512 bd66feb2da8929252da9d5b1c33864831fbbccc959bb008301729d145c603eac554a22de28298224e64ecf1e89326187305aa0da5de212c6dfefdc141a72467f

C:\Windows\SysWOW64\omsecor.exe

MD5 b70cabf61a95dc58b1bb7906b54de825
SHA1 bd014ff82b691e5545ed0cbb672404cbf3a74f2a
SHA256 d376d9ef9c363c1c2e68bb134f8f00da84da6afc2b7d0e9936290c08829db86a
SHA512 1cc89e80883e194c4e56c455c9903ba87c23d648c037db4ad300b59bd45d521b6b2aca55e90c8d69be3b6952736120dd889bdcf497c8555f7bdf5d83a947131b

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e96d4934f0ad4720210b5a7dfabbc2e7
SHA1 f8930f5af3c6e38a9ab5919a0940a954d57a827e
SHA256 7e486b9b1387e8f30d3fbe8c24e517d3926cd7297aaa6da9c2fc1b1f864b36cc
SHA512 e84cb7a546412315168051a18290e8c81260b048f86c59db60bb029bb82f38187e1f202e5799534ce72380984a924dc512493efe8793702eb01efdfd68be0229