Malware Analysis Report

2024-11-16 13:01

Sample ID 240524-c2z15aab71
Target bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906
SHA256 bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906

Threat Level: Known bad

The file bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-24 02:35

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 02:35

Reported

2024-05-24 02:37

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2416 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2416 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2416 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2204 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2204 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2204 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2204 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3036 wrote to memory of 2612 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3036 wrote to memory of 2612 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3036 wrote to memory of 2612 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3036 wrote to memory of 2612 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe

"C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2416-0-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 72c30eb34929a48e7bb33c1e5c04c70f
SHA1 2bd989cc9f0b2f5eb95f5af3b72c67a36d3bb2bb
SHA256 8f5fa24f8315ba65815157336aa96b68e8a4fe466008a3e2cd64404cdbf1057b
SHA512 0ebe8925aec9544005f01f39974e21bfc1bd9c768eb1cc2264c3148429926c14e79ff1e7bf0c60132219550d7721af0a403fb42f12327f8e46ec5aeaa723578f

memory/2416-8-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2204-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2204-12-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 f2acdc0e1180089e8a3c1e3d4a2740e1
SHA1 ef9f4528173737ce7a29651b5a6591d178e5a0cb
SHA256 408198786f2fa39264959365bfda801a6054433736491d86ab67f6fc74eed6ab
SHA512 f7b8dac6379621f1d0e920a13938e557278ed3398fc35eaee2c47e23d216025f1b9bf360a586992a66214cb4009d36e75b156e891e889866ab871a2e444a2061

memory/2204-17-0x0000000001F30000-0x0000000001F5B000-memory.dmp

memory/2204-23-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b565bc548ba11a163662247fa2aaed98
SHA1 bf303e02076ebd82164bd5bbc0de4637c33215e6
SHA256 5dcc4b5351a89b2a18b06bbb53a09a5c4da0081b880945aa11a8559816c8ce65
SHA512 631df2eccdb0c575b1481507959ce6a3ce7fe1be82ce945b70dc6bef483acff265edb1dd45fb2fc3aea9e3175343482483aa8c935d3ff65c80a92543a7d6861d

memory/3036-33-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2612-35-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2612-37-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 02:35

Reported

2024-05-24 02:37

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe

"C:\Users\Admin\AppData\Local\Temp\bd1155b711071f1be18a677d7a4105c63ed19929e3e11ad3ee093120cb4bc906.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 52.111.229.43:443 tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

memory/4504-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 72c30eb34929a48e7bb33c1e5c04c70f
SHA1 2bd989cc9f0b2f5eb95f5af3b72c67a36d3bb2bb
SHA256 8f5fa24f8315ba65815157336aa96b68e8a4fe466008a3e2cd64404cdbf1057b
SHA512 0ebe8925aec9544005f01f39974e21bfc1bd9c768eb1cc2264c3148429926c14e79ff1e7bf0c60132219550d7721af0a403fb42f12327f8e46ec5aeaa723578f

memory/4504-5-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1232-6-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1232-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 8fdb6d6df67db6c4d02e79468b3df32e
SHA1 189824084d5c1c91da1bea569fe94d86e4408485
SHA256 a77a01e8237d9f76c1609aa55d3f36caa6291a3cf9ea84876183db83ffd23c2c
SHA512 d78f6aa589e79d8be8bd26c523addc404abbe3fb216ede08a692e29037be78dfff13fafd74be1169730e903a7d8720399ef187c8fda868e13b5ec80d16044228

memory/1232-12-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1480-13-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1480-14-0x0000000000400000-0x000000000042B000-memory.dmp