Malware Analysis Report

2024-11-16 12:57

Sample ID 240815-ps8ccs1gnb
Target 8992e6eb0fd56c721b26387d481c3df0N.exe
SHA256 3a73e9b1c86c2e105c55766540135595d57918a0f1b0aa9cd25b190657e0e1ba
Tags
neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a73e9b1c86c2e105c55766540135595d57918a0f1b0aa9cd25b190657e0e1ba

Threat Level: Known bad

The file 8992e6eb0fd56c721b26387d481c3df0N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 12:36

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 12:36

Reported

2024-08-15 12:38

Platform

win7-20240704-en

Max time kernel

115s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 560 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 560 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 560 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 560 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1696 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1696 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1696 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1696 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2376 wrote to memory of 2992 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2376 wrote to memory of 2992 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2376 wrote to memory of 2992 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2376 wrote to memory of 2992 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe

"C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/560-0-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e413a512d96370a36188aef9e00e0301
SHA1 48d43cd76b087f0cde4d27f8bbf8c3eaffae0dfd
SHA256 da6b862db670af3667fbd83e5a57438e0186a41ca3aeef5fc8e8269571f9ebad
SHA512 310404879c1f2ad6c4d18ab47b123777ab188290b99b34a255c95a3bc3079bb9d222c9ecf9bf45c95aa4eea6ecdc5ee48f8623fb38380991428f09b5c1e99e8a

memory/560-9-0x0000000000220000-0x000000000024B000-memory.dmp

memory/1696-12-0x0000000000400000-0x000000000042B000-memory.dmp

memory/560-8-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1696-13-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 5b9f6ce47afb6062ec2bf02c777e2595
SHA1 0ed61dbd5a82127ddc8cfe8f6766ff849e706d4f
SHA256 bed855b4c75263fe9969b830b40a9624ebc53fa9f18c1c5ef3ed23685a77d912
SHA512 e10650194da441d3e1195f5ac9b81ce07c56bce52d5133aca9348d8bc8410dfe01323cad715c2e1f2ad058c42050a634c1e650616c985abb434021375ffc9375

memory/1696-18-0x00000000022B0000-0x00000000022DB000-memory.dmp

memory/1696-24-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2376-26-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b13958f9d0ef5298c057eb88ce394cef
SHA1 e17e429b5f94e3906556c67ddda0a5e431295c82
SHA256 3f0777675a7505f2f9f0544685b8aa76ba02737281e42d822e691db765ba8ecb
SHA512 73f1cd3632c6376852b358212fecc9e89356d3fe1a8ac69c36379f1a159fc11e44ed6fcb7360fb7e078c455e82be81c9d1c1785a4fa458b9635832a54a50c88f

memory/2376-37-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2376-35-0x0000000000220000-0x000000000024B000-memory.dmp

memory/2992-39-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2992-40-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 12:36

Reported

2024-08-15 12:38

Platform

win10v2004-20240802-en

Max time kernel

116s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe

"C:\Users\Admin\AppData\Local\Temp\8992e6eb0fd56c721b26387d481c3df0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/556-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e413a512d96370a36188aef9e00e0301
SHA1 48d43cd76b087f0cde4d27f8bbf8c3eaffae0dfd
SHA256 da6b862db670af3667fbd83e5a57438e0186a41ca3aeef5fc8e8269571f9ebad
SHA512 310404879c1f2ad6c4d18ab47b123777ab188290b99b34a255c95a3bc3079bb9d222c9ecf9bf45c95aa4eea6ecdc5ee48f8623fb38380991428f09b5c1e99e8a

memory/828-4-0x0000000000400000-0x000000000042B000-memory.dmp

memory/556-6-0x0000000000400000-0x000000000042B000-memory.dmp

memory/828-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 4bab35a0fc89b684857d3f93111e8d4a
SHA1 c2a083e8dadfcbaa2cecbf3c17ff823ae00e23bd
SHA256 1874a816b3118bdb6c8e4ed6d902136ed508de9bebf5ddb2d3bf93974e30f3f4
SHA512 ec1500067e2e466bbfa0adea7d18390634db893af902cfc2275fd233e074d609082bc4f6f604437cf928b78bb464c0860f08140fc102d46c925870ce5e5bc224

memory/4868-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/828-13-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 faf87c5146cc57e302b16eb69d84d347
SHA1 3cb8f4bd5a8aad3d13edb69265312db60ffe5276
SHA256 01dbc9e2d36bcc852099c82c85bdc99937000ac40a8afda3a6eb1c4c33df6927
SHA512 ea9ff6077ff02fe8ec9e0aff3f4af89d73aa11cf54a143e24673b1b4aedfd66919a0ee1d5960ac0137903c2b897a4534ff6f2c98d3be933b6da467ddd29d0316

memory/4868-17-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4880-18-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4880-20-0x0000000000400000-0x000000000042B000-memory.dmp