Malware Analysis Report

2024-11-16 12:57

Sample ID 240815-z39y2svdjc
Target 493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c
SHA256 493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c
Tags
neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c

Threat Level: Known bad

The file 493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 21:15

Signatures

Neconyd family

neconyd

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 21:15

Reported

2024-08-15 21:18

Platform

win7-20240729-en

Max time kernel

133s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1916 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1916 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1916 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2384 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2384 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2384 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2384 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2080 wrote to memory of 2364 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2080 wrote to memory of 2364 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2080 wrote to memory of 2364 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2080 wrote to memory of 2364 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe

"C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 25dfb5ffb4b65913b693787c80019599
SHA1 48da9b32544b1aadebae70bbb88ff26b803c937a
SHA256 0e283f4b9a92ab14dfd2140e810ba8182611071df34db134ff1d85f55d95e8be
SHA512 5cbe30bc1d148233a8b5936370e91546501969e01cebd65d810a00238e5bec685828da8544fdfb1c8a2cbf3cb322cce311624d073291bb21ce56c28083342eb5

\Windows\SysWOW64\omsecor.exe

MD5 51ff2494486dcbe4754a65adf1258e4e
SHA1 bbfafd173d72651b0dd1b570ea43377661b5dcad
SHA256 219acb486dc9d6e369872cc6f6ebc75f53aaf9012b9ee54d4e1f400e55e2aaab
SHA512 f8184b726b752646738db48b056495d419f7d1ac9b7b2f9643ce5b7c41ffaf98721897f2a9b6c1bfc4e38d5b8a50b75e7c2688f184f9e96197c73ee5f0323fbe

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dc88d6640584927ebe2b90018c6bac06
SHA1 e1ab575e40a00b6525db1f3f8f1e4eec465aed7c
SHA256 b6d53e578ab0f48f2551e33a876a094e8e2f31ae14d532b25a87abbd56cd8112
SHA512 533ec621de81ea029c7fbdfeaaf4e226d0a884abfa7bb4a8426f3c704a58dd7ca24e9b2386e91fe566bd72fe655e6fb088611b4de5dc432826415e1ed81be78e

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 21:15

Reported

2024-08-15 21:18

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe

"C:\Users\Admin\AppData\Local\Temp\493d37c04bbf60afc12cd82ff09ed3b4b7f9ee60564ea73a17b270bf5ea9536c.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 25dfb5ffb4b65913b693787c80019599
SHA1 48da9b32544b1aadebae70bbb88ff26b803c937a
SHA256 0e283f4b9a92ab14dfd2140e810ba8182611071df34db134ff1d85f55d95e8be
SHA512 5cbe30bc1d148233a8b5936370e91546501969e01cebd65d810a00238e5bec685828da8544fdfb1c8a2cbf3cb322cce311624d073291bb21ce56c28083342eb5

C:\Windows\SysWOW64\omsecor.exe

MD5 5ed7717bc67af3786ee1973353e2d91b
SHA1 46593af3e8b1ef48dbb635d03cf83dd5a97972cd
SHA256 8541bdee6c5293cbe16ee8a143d25081ce1c2c7858007e8346accc9e06f6ba99
SHA512 45b49681a8c6d1455ca3e8cb2fdf5677ccb497bd0a011540c510dbe589864e7ff866a030f78756957338876a70bfcf44492011a04335ced5d951f61b6c0ded83

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c18d17fb5479d3954a794d572a34a64e
SHA1 bb9f8570958d24dad2588962953901e0102b0034
SHA256 bc47281bed4a69ef7f10dea81d916837f366d233b5d0746b2da75db97a0bd0aa
SHA512 df33f5e67521d82936e3362fa9165a80b2a03d0bf8eb277228b27f585b1da0148143ba3a2cf809c9d4390dd843e282964a3a68862d166202d876a4e906b07d26