Malware Analysis Report

2024-11-16 12:57

Sample ID 240815-ygc7hsvdnn
Target c3e2e57457315508b392071b2a21d1e0N.exe
SHA256 78c32afbbaf6a20df144c02382a3c2dcfa5fa39d7f5832d307cf0cb1c2111c46
Tags
neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

78c32afbbaf6a20df144c02382a3c2dcfa5fa39d7f5832d307cf0cb1c2111c46

Threat Level: Known bad

The file c3e2e57457315508b392071b2a21d1e0N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 19:45

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 19:45

Reported

2024-08-15 19:47

Platform

win7-20240704-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2752 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2752 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2752 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2752 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1708 wrote to memory of 1540 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1708 wrote to memory of 1540 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1708 wrote to memory of 1540 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1708 wrote to memory of 1540 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe

"C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ea17bb1f3f9bac43c64d115bcf0bf690
SHA1 6ecd45587157f5e7b4f57600f5f1721ca3480eac
SHA256 13b9657cfdcc915ef7625b1e06ec511a2b6d5e5d5acd70e66b1b24fa55c8ff64
SHA512 fdb0736e9a6240290b736f8c4873ae9b2b6f437d5659352f97cfa7449d67737993f9b35067d8c1a131ea0139eb33fdf699b5ec7ca239bbb8b62db512efb32c30

\Windows\SysWOW64\omsecor.exe

MD5 5e7ba41294dca1e3b3dba209b11ad0f2
SHA1 cff31700cbb8a5192d7f1880f44e831c8446cc08
SHA256 86e835c862b490b04b70f74dda4e5f2b9dcc2dcedee06ced3d84c38399633693
SHA512 4e44df3e3a8ef7c560272767b994ac34fc0ccdb43540010e49a02da8c4fc7f4fb77a53dde5f9c402dbcf3db8dfbd3832640de1ed8504e939c696eec1a45ddc46

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1866b0dae7e295508ac3d7b6403beecd
SHA1 f8a0e249a644efb7ee3b5454c6c16a6ce4132588
SHA256 440e29cef8a4a244b85b72c3a69332c3040a6b1710d2976dba9e7fc11c996b0f
SHA512 bd12d3a42ee6bf2a61a5cd5caf1afd01a0c7252f96593738a419cee1e2a40a51b34e414c734877ae2565a725aee5f1f52c68e1dcb73b5e5e03ffc57ef4aa40e8

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 19:45

Reported

2024-08-15 19:47

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe

"C:\Users\Admin\AppData\Local\Temp\c3e2e57457315508b392071b2a21d1e0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 24.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ea17bb1f3f9bac43c64d115bcf0bf690
SHA1 6ecd45587157f5e7b4f57600f5f1721ca3480eac
SHA256 13b9657cfdcc915ef7625b1e06ec511a2b6d5e5d5acd70e66b1b24fa55c8ff64
SHA512 fdb0736e9a6240290b736f8c4873ae9b2b6f437d5659352f97cfa7449d67737993f9b35067d8c1a131ea0139eb33fdf699b5ec7ca239bbb8b62db512efb32c30

C:\Windows\SysWOW64\omsecor.exe

MD5 9e9b33808330dafe5c10f2c6bec2e4d2
SHA1 5b9ce8fa9712eafb77fbcbdf86762b5a9b63b742
SHA256 0932f3a5130490e51e94dfaa9bac401b8f795aa8de4a973c215c7427cd59d962
SHA512 230ffc8136bddf62ec7c75141e8e2ae6e76c9d224b2ba56b877ec23c730cf61bf7e9a0f712040b28abd66479f76dfa9ff5369784685411fa47f9839e342992cb