Malware Analysis Report

2024-11-16 12:57

Sample ID: 240815-2hg4mstcpl
Target: 642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f
SHA256: 642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f
Tags: neconyd, discovery, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f

Threat Level: Known bad

The file 642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f was found to be: Known bad.

Malicious Activity Summary

Tags: neconyd, discovery, trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-15 22:34

Signatures

Neconyd family

Tags: neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-15 22:34
Reported: 2024-08-15 22:37
Platform: win7-20240708-en
Max time kernel: 146s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe"

Signatures

Neconyd

Tags: trojan, neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2576 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2576 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2576 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2576 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2592 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2592 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2592 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2592 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3020 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3020 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3020 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3020 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image path, followed by the command line the process was started with:

C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 703edae68cfe269f1f88159a1654e06e
SHA1 9858a53d32a87097c674ae2e859133d80b0faa4d
SHA256 7b7a53cbbbab16a94293ad841f719b8179df4229abaaca03f517cd6286c0ac4b
SHA512 af10a8a94c180980e8ba7f4525d19f4f406eaddc8617aa735deb7621e1d4397183d1054c25781c8fc64f0c12ccb3d3b78500cf2298cd80d7ea9a1d4e2a6e1e24

\Windows\SysWOW64\omsecor.exe

MD5 a987072e23614fa71cecaf4567dfdd3e
SHA1 10170cac5ed56149e9a1a17b4b141e75bb22afad
SHA256 ed9340a0b9b1170be15148a3b64688f85e9e9fb978ce6eecd15218e1ae9043e8
SHA512 1487f1cbd840c7c0ab8407fc32a652aa75a085421b9ee7b5cab63a8086ad2e0b8d3ebf5935fc8b270d434c45b1d1452b546294c8f9ee811d44b737f34ef1b99b

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f10b45a5c6cb6853157f5ed2d19a619a
SHA1 039629493974dbbf8fea6793156f34a3324e4c45
SHA256 9acb59e9a1680ba4e0c0747ec7152934eb4aee77fbe998bee8128fc800926349
SHA512 99fea7b5c5c748762d6530f10fd21c5e97f17522e2129ed84b5f1a0b9d0227e9193f4c658366f15fa0379ee3baa9235e2c87dd1391b1b0e12037188c5936218d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-15 22:34
Reported: 2024-08-15 22:37
Platform: win10v2004-20240802-en
Max time kernel: 148s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe"

Signatures

Neconyd

Tags: trojan, neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

Image path, followed by the command line the process was started with:

C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\642d34b7e7606e7bad2ab87358338338d5071ea9088b776af6d0d9d8bc94405f.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 703edae68cfe269f1f88159a1654e06e
SHA1 9858a53d32a87097c674ae2e859133d80b0faa4d
SHA256 7b7a53cbbbab16a94293ad841f719b8179df4229abaaca03f517cd6286c0ac4b
SHA512 af10a8a94c180980e8ba7f4525d19f4f406eaddc8617aa735deb7621e1d4397183d1054c25781c8fc64f0c12ccb3d3b78500cf2298cd80d7ea9a1d4e2a6e1e24

C:\Windows\SysWOW64\omsecor.exe

MD5 28b91801c0a83ba179484b68a51130ec
SHA1 2ec6da6bc03be1729406898ffa97ce9ca9169af6
SHA256 09802344c1d57e98cbd66ca50440a1ce35ad31d48ebeb06e6bf219c6f1cb3303
SHA512 b8f6a8592d9301132b780dab8e5d068e3c7e0ec9b69b3660735f98fd12951a3196b2490f30eba814160781cdc79146e446587795bbef13f0e0286e65e3496476