Malware Analysis Report

2024-11-16 12:57

Sample ID 240815-2wq9gavclj
Target 6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24
SHA256 6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24
Tags
neconyd discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24

Threat Level: Known bad

The file 6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24 was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-08-15 22:56

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 22:56

Reported

2024-08-15 22:58

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe

"C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2456-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2336-4-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ebf795563e53ec3972368d63b0629bf1
SHA1 05b3873b2ddf14332d97a29b587f2120beadb54b
SHA256 54116586dc0e1932d87a8cf27dd3927ce6553f2074a1fe61524dfe8a764e2fa9
SHA512 ac911e86c918258cdda14fca80034c4eed57dc0b4d6c7c5da1ced1ab5aaf8a4761a3a1c4e56600f5309d3de4a0ca275ea26910816e2b6266c2b9adceea73cab0

memory/2456-5-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2336-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 f0818d4bcaed2d8990a4e6e67f31fb51
SHA1 70486e3515b585b8a1b740a3396ea573293735e0
SHA256 8947a46bb645a5107d1ad000ecb1b2ee3a46b0f2e314ab8ac9a5d9da10484328
SHA512 d6b7e93f780033e32f72b95ecb674231518bf461569800fe5cb144374b9424f179e4e410e447c5b2f3eb4e1077d19dbefeadd9471cdaa59cb3383c365c67468a

memory/2456-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2336-13-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3812-18-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2456-17-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b966eb4f311787cb5d25e5173ded39d1
SHA1 848ee7787de7b09730116795b88b944805e7b513
SHA256 b9cf03d27c4ef89dc6ad2772d37c79f654718b7e99faa7f74bdae73be6da5f9d
SHA512 623112b9ae81012710cb74c827b7414fa459026ee83fc02a20618d393536a7bc99e55ca0705e646d025abe169cb063a3b94ac4660578655cfe003ed04b228bae

memory/3812-20-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 22:56

Reported

2024-08-15 22:59

Platform

win7-20240704-en

Max time kernel

121s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2328 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2328 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2328 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2328 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2076 wrote to memory of 2948 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2076 wrote to memory of 2948 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2076 wrote to memory of 2948 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2076 wrote to memory of 2948 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe

"C:\Users\Admin\AppData\Local\Temp\6c6a372d2532a4e389e0c0e72d4eb2a0e3a87aebbabb395e8e317b4ccc75de24.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2348-0-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ebf795563e53ec3972368d63b0629bf1
SHA1 05b3873b2ddf14332d97a29b587f2120beadb54b
SHA256 54116586dc0e1932d87a8cf27dd3927ce6553f2074a1fe61524dfe8a764e2fa9
SHA512 ac911e86c918258cdda14fca80034c4eed57dc0b4d6c7c5da1ced1ab5aaf8a4761a3a1c4e56600f5309d3de4a0ca275ea26910816e2b6266c2b9adceea73cab0

memory/2328-10-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2348-9-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2328-12-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 47ec5b8076a04687a4bab57b5b27aa70
SHA1 79efcff01f2e7099d1651ce169c1bc0bcf3367a2
SHA256 b371c07aa84bad4a9953d9f8c6c841959a8e299b19a87a006bca1c4a119e1fb6
SHA512 fc115c1674165851e4a6d70866708027c521c1782fb1a2d7874117e0e1753b54bc922acf026714909926b3e9bffa40a84f5b705fcaaf6c25c84bf37fb977d471

memory/2328-18-0x00000000002C0000-0x00000000002EB000-memory.dmp

memory/2328-24-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 196e9a79ada7f5af68fccb05b4685a3d
SHA1 0976d7c9162f072507365bee48c2ac50e8ce0e3c
SHA256 07ba9a15c92ddfbb63528a20a893f9b716640c1133c4fa6cc8ebeadc44cd76dd
SHA512 80b856d803555e8494c1efda746f1c0a60c0943966dba49e503159cc182dbd552684d8ebad6c1dd803539677e72e3951a9fb118d9849a45fd5e96d14fa470520

memory/2948-35-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2076-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2328-37-0x00000000002C0000-0x00000000002EB000-memory.dmp

memory/2948-38-0x0000000000400000-0x000000000042B000-memory.dmp