Malware Analysis Report

2024-11-16 12:57

Sample ID 240816-lerkxaxbjg
Target e03c78ae2a96d6fccc3c37c42acfbbc0N.exe
SHA256 dcddbac07050ee051f816a72ae25240804882526850c8e2bb507d3103af75bb5
Tags: neconyd discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: dcddbac07050ee051f816a72ae25240804882526850c8e2bb507d3103af75bb5

Threat Level: Known bad

The file e03c78ae2a96d6fccc3c37c42acfbbc0N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 09:27

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 09:27

Reported

2024-08-16 09:29

Platform

win7-20240704-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3056 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3056 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3056 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3056 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2708 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2708 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2708 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1776 wrote to memory of 1808 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1776 wrote to memory of 1808 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1776 wrote to memory of 1808 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1776 wrote to memory of 1808 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe

"C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e02e8051bba0efb925dca6a1c8fe1257
SHA1 63201a56f8e3902bdc41af142acec7bfa3d3e06a
SHA256 f6334a4df39e107f3ad694f6789e0dbb9ccc89c64d524152ee98477ca389fa23
SHA512 73ec471d0629d745b74bd2abdf819a0a94d13491618ccdad4444b12b2a97e47a0edd5e567a40ce74d3cad3bc0c25892736689bdd14e44134cacccff4686cb47b

\Windows\SysWOW64\omsecor.exe

MD5 eb7284a780616bb119450645ccda9eab
SHA1 9ec4cdda8be580319c5ef7c41fdb2f8baa8e41d0
SHA256 31791b73cce06ee72b311a67a1b9df84042b60c8ce063c7bb093a522226b0bc1
SHA512 1985331a70c91607963afc01b75ddc1bb51b2be0adf6e7708c2fe892488dc09ef1f326754b909656bf90da34fd30c16fc0976949c3daa1b21254d6ca3de30ce3

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ebe305fb651c0d8a8223a51f4394877d
SHA1 df96f86b5a72dcb6a20c7567c8ac3339e0abbc39
SHA256 4c3ea3dca27acd6f57239be30ca8d9411b43f38f85cf485d7e1859075c2d5857
SHA512 8caab14031e1122b69079e525a4e53f90ef6e59cb4f574c1a8ac772cd683c1c4b43255cb4845ec11d7c17b56cdd411c9f0b7bb82e086bea6c575aa4bbdcf3ac9

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 09:27

Reported

2024-08-16 09:29

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe

"C:\Users\Admin\AppData\Local\Temp\e03c78ae2a96d6fccc3c37c42acfbbc0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e02e8051bba0efb925dca6a1c8fe1257
SHA1 63201a56f8e3902bdc41af142acec7bfa3d3e06a
SHA256 f6334a4df39e107f3ad694f6789e0dbb9ccc89c64d524152ee98477ca389fa23
SHA512 73ec471d0629d745b74bd2abdf819a0a94d13491618ccdad4444b12b2a97e47a0edd5e567a40ce74d3cad3bc0c25892736689bdd14e44134cacccff4686cb47b

C:\Windows\SysWOW64\omsecor.exe

MD5 ebb896dd14aefad89f3b79d3e40ef04d
SHA1 793e1a3838f570ce9b6a20958cebb9592c4bbff5
SHA256 3b94d8aaf2986efa611e89f7c69aebb8b497c5c69bf4e4e8eb4938e14ba33bb3
SHA512 ee9e6838021588275f91abbbdc02bdc0acc190f7724a99d3871b333ecb1a345944618633f26f791d96e4d8378c6efe616ad76339fb0f7984aa318ce6728a5125

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4e2431be28f8125aace4df746b5c247b
SHA1 28532953f53175be5e2d3c6993bfdaf6b030edc5
SHA256 301f925a5f7422f4412b9ab1d4ff1d6caa0227082c2abbcea7ddab211dfe4175
SHA512 b38a27892a1c8bd9603e5f2353da94d4d227fa444f2f25df1cbccdfd9c82c78b348cf5228407a52999b7604964ef01e7d77c2202bc2339e3f3741f7942c8831d