Malware Analysis Report

2024-11-16 12:57

Sample ID: 240816-xmtk1svbrl
Target: ea17bb1f3f9bac43c64d115bcf0bf690N.exe
SHA256: 13b9657cfdcc915ef7625b1e06ec511a2b6d5e5d5acd70e66b1b24fa55c8ff64
Tags: neconyd, discovery, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 13b9657cfdcc915ef7625b1e06ec511a2b6d5e5d5acd70e66b1b24fa55c8ff64

Threat Level: Known bad

The file ea17bb1f3f9bac43c64d115bcf0bf690N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: neconyd, discovery, trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Discovery: T1614.001 System Location Discovery: System Language Discovery (the NLS\Language registry reads listed under the behavioral signatures below)

Analysis: static1

Detonation Overview

Reported: 2024-08-16 18:58

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

The static signatures carry no per-indicator detail: the Neconyd family match and the missing Authenticode signature are attributes of the sample file itself, not of any runtime event.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-16 18:58
Reported: 2024-08-16 19:00
Platform: win7-20240704-en
Max time kernel: 115s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Every stage in the chain opens the NLS\Language key. Reading this key is what any process that queries the system locale does, so on its own it is a weak indicator; it is listed because the sandbox maps it to T1614.001, not because it distinguishes this sample from benign software.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2800 wrote to memory of 2040 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2040 wrote to memory of 2192 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 3036 (4 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Each stage writes into the address space of the next omsecor.exe stage, giving the chain 2800 (original sample) -> 2040 (Roaming\omsecor.exe) -> 2192 (SysWOW64\omsecor.exe) -> 3036 (Roaming\omsecor.exe). The report records only that the writes happened, not what was written or whether a thread was started in the target, so this is a hand-off between the sample's own stages rather than confirmed injection into a foreign process.

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe | "C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Four processes, matching PIDs 2800, 2040, 2192 and 3036 in the WriteProcessMemory table. The third is launched with the command line C:\Windows\System32\omsecor.exe, but the image that actually runs is C:\Windows\SysWOW64\omsecor.exe: the sample is a 32-bit executable, so on 64-bit Windows its writes to and launches from System32 are redirected to SysWOW64 by WOW64 file-system redirection. Detection content that matches only the System32 path will miss this; key on the file name omsecor.exe under either directory.
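The chain above can be rebuilt mechanically from the WriteProcessMemory rows, and the WOW64 redirection can be checked from the process list. The following is an added example for this report, not part of the sandbox output: WRITE_EVENTS and PROCESSES are transcribed from the two tables above (constructed input), and the chain-walking and path-normalisation logic is the example's own.

```python
"""Rebuild the omsecor.exe stage chain from the WriteProcessMemory events and
flag the WOW64-redirected launch. Added example; inputs transcribed from the
behavioral1 tables of the report above."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# (description, process, target) rows; each row occurred four times in the report.
WRITE_EVENTS = (
    [("PID 2800 wrote to memory of 2040", SAMPLE, ROAMING)] * 4
    + [("PID 2040 wrote to memory of 2192", ROAMING, SYSWOW64)] * 4
    + [("PID 2192 wrote to memory of 3036", SYSWOW64, ROAMING)] * 4
)

# (image path, command line) pairs from the Processes list.
PROCESSES = [
    (SAMPLE, f'"{SAMPLE}"'),
    (ROAMING, ROAMING),
    (SYSWOW64, r"C:\Windows\System32\omsecor.exe"),
    (ROAMING, ROAMING),
]

_EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
_SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)


def normalize_wow64(path: str) -> str:
    """Return where a 32-bit process's System32 path really lands on 64-bit
    Windows: file-system redirection maps it to SysWOW64. Other paths are
    returned unchanged."""
    return _SYSTEM32_RE.sub(r"C:\\Windows\\SysWOW64\\", path)


def parse_write_events(events):
    """Collapse repeated rows into {(writer_pid, target_pid): (count, writer_image, target_image)}."""
    edges = {}
    for desc, writer, target in events:
        m = _EVENT_RE.match(desc)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        count = edges.get(key, (0, None, None))[0]
        edges[key] = (count + 1, writer, target)
    return edges


def injection_chain(edges):
    """Walk writer -> target edges from the one PID nobody wrote into and
    return the ordered [(pid, image), ...] stages. Raises on a branching or
    cyclic graph, which would mean this is not a simple hand-off chain."""
    writers = {w for w, _ in edges}
    targets = {t for _, t in edges}
    roots = writers - targets
    if len(roots) != 1:
        raise ValueError(f"expected a single root writer, got {sorted(roots)}")
    pid = roots.pop()
    image = next(v[1] for (w, _), v in edges.items() if w == pid)
    chain, seen = [(pid, image)], {pid}
    while True:
        children = [(t, edges[(w, t)][2]) for (w, t) in edges if w == pid]
        if not children:
            return chain
        if len(children) > 1:
            raise ValueError(f"PID {pid} wrote into several processes: {children}")
        pid, image = children[0]
        if pid in seen:
            raise ValueError(f"cycle at PID {pid}")
        seen.add(pid)
        chain.append((pid, image))


def redirected_launches(processes):
    """Return (requested path, actual image) pairs where the command line names
    a System32 path but the loaded image lives in SysWOW64, i.e. the launch
    went through WOW64 redirection. Rules keyed on the System32 path miss it."""
    found = []
    for image, cmdline in processes:
        requested = cmdline.strip('"')
        if requested.lower() != image.lower() and normalize_wow64(requested).lower() == image.lower():
            found.append((requested, image))
    return found


if __name__ == "__main__":
    for pid, image in injection_chain(parse_write_events(WRITE_EVENTS)):
        print(f"{pid:>5}  {image}")
    print("WOW64-redirected launches:", redirected_launches(PROCESSES))
```

The chain walker deliberately refuses branching or cyclic graphs: a single linear chain is what this report shows, and anything else would need to be looked at by hand rather than summarised as a hand-off.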

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

All three domains are resolved through 8.8.8.8 and then contacted over plain HTTP on port 80; lousta.net (193.166.255.171) is contacted four times in the run. The addresses are what this detonation observed on 2024-08-16 and may have changed since; the domain names are the more durable indicator.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0ccdf9a9fde38b520e85afb58b9abd33
SHA1 cb529f30f43828ef613c3fe96d1c022d1fbd54c9
SHA256 c12b3b05e7a445d147adf85b72dedbce794d8ca068cc8e85ecc39faa4a232de7
SHA512 b44352a9580b3cdc07a307f83175b72a199ee61347435f1d04042fec846a3b614f8f8625a45352efa5a3ae423f3f4adcd2fc5df49ac97e30b806c3ba5765f0dc

\Windows\SysWOW64\omsecor.exe

MD5 e306cc64810b2801785fc89288354c7e
SHA1 af7a8e11d32b678590be1581e9bd58d0457de5fa
SHA256 794c9762746272a26124efa609cf8867679340d904d6ef9d8a25f7ad7869a077
SHA512 af9246752ca4eaf8de317dd18ddf603a667e2a57b553b840fb5864a94bcac55b4eca9213d97ce3aae60560f46e45d52753afaad972abd968df7f29473ef6775d

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1a3e5f41d28dd28cc513828105aa145a
SHA1 d1d56f932c43ec83f64cb1ea49a5607839e291ea
SHA256 bd58fb5435c46e5867b0ae1935bb0e1388b759d6ce76c4d1ddb13892d1e2bed8
SHA512 619975e508120112f0a946cf34247c227991443849396ecb67d254b95eb55137de2a6d99c33f88b092fee7b640a5fbe158d6d4f282e959342c4ba30ab7377777

The second and third entries are listed without a drive letter; they refer to the same locations under C: as the SysWOW64 and Roaming paths used elsewhere in this run. The Roaming path appears twice with different hashes: the first entry is the copy dropped by the original sample, and later in the run the file at that path is replaced with different content (the report does not record which process rewrites it). A hash-based rule written from the second entry alone would therefore not match the file as it was first dropped.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-16 18:58
Reported: 2024-08-16 19:00
Platform: win10v2004-20240802-en
Max time kernel: 115s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe | "C:\Users\Admin\AppData\Local\Temp\ea17bb1f3f9bac43c64d115bcf0bf690N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

The same four-stage chain as on Windows 7, including the third stage being requested as C:\Windows\System32\omsecor.exe and actually running from SysWOW64 through WOW64 file-system redirection. This run records no WriteProcessMemory signature, so the stage-to-stage writes seen on Windows 7 are not confirmed here.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp

Most of this table is not the sample. The in-addr.arpa rows are reverse lookups of addresses seen during the run, and the g.bing.com and tse1.mm.bing.net traffic is Windows 10 background activity from the sandbox image; both are absent from the Windows 7 run of the same sample and should not be lifted into indicators. The sample's own traffic is the same three domains and HTTP endpoints as on Windows 7: lousta.net (193.166.255.171:80, contacted four times), mkkuei4kdsz.com (64.225.91.73:80) and ow5dirasuek.com (52.34.198.229:80).
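Separating the sample's traffic from that noise is routine enough to script. The following is an added example that serves both Network tables in this report (Windows 7 and Windows 10); it is not part of the sandbox output. NETWORK_ROWS is an excerpt transcribed from the Windows 10 table above (constructed input); the list of background-host suffixes and the Suricata sid range are this example's own assumptions.

```python
"""Split a sandbox Network table into sample traffic and background noise,
then turn the sample's traffic into indicators. Added example; rows
transcribed from the report above."""
from collections import Counter
from dataclasses import dataclass

NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
""".splitlines()

# Assumption: hosts the Windows 10 sandbox image talks to on its own.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")
REVERSE_SUFFIX = ".in-addr.arpa"


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(rows):
    """Parse 'Country Destination Domain Proto' rows; the header and malformed lines are skipped."""
    flows = []
    for row in rows:
        parts = row.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain.lower(), proto.lower()))
    return flows


def is_background(flow: Flow) -> bool:
    """Reverse lookups and the OS's own hosts are not attributable to the sample."""
    d = flow.domain
    if d.endswith(REVERSE_SUFFIX):
        return True
    return any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def extract_iocs(rows):
    """Return the sample's domains, its TCP endpoints with hit counts, and the discarded noise."""
    flows = parse_rows(rows)
    sample = [f for f in flows if not is_background(f)]
    noise = [f for f in flows if is_background(f)]
    # Resolver queries (udp/53 to 8.8.8.8) name the domain but are not endpoints of the sample.
    endpoints = Counter((f.ip, f.port, f.domain) for f in sample if f.proto == "tcp")
    return {
        "domains": sorted({f.domain for f in sample}),
        "endpoints": dict(endpoints),
        "noise": noise,
    }


def suricata_dns_rules(domains, sid_base=1000001):
    """One DNS-query rule per domain in Suricata 5+ sticky-buffer syntax (sid range is an assumption)."""
    return [
        f'alert dns any any -> any any (msg:"Neconyd sample DNS query {d}"; '
        f'dns.query; content:"{d}"; nocase; endswith; sid:{sid_base + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    print("domains:", iocs["domains"])
    for (ip, port, domain), n in sorted(iocs["endpoints"].items()):
        print(f"{ip}:{port} ({domain}) x{n}")
    print(f"{len(iocs['noise'])} background rows discarded")
    print("\n".join(suricata_dns_rules(iocs["domains"])))
```

The endpoint counter only keeps TCP flows: the udp/53 rows are queries to the sandbox's resolver and would otherwise put 8.8.8.8 on the indicator list. The domain rules use `endswith` so a query for a subdomain of a listed name still matches.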

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0ccdf9a9fde38b520e85afb58b9abd33
SHA1 cb529f30f43828ef613c3fe96d1c022d1fbd54c9
SHA256 c12b3b05e7a445d147adf85b72dedbce794d8ca068cc8e85ecc39faa4a232de7
SHA512 b44352a9580b3cdc07a307f83175b72a199ee61347435f1d04042fec846a3b614f8f8625a45352efa5a3ae423f3f4adcd2fc5df49ac97e30b806c3ba5765f0dc

C:\Windows\SysWOW64\omsecor.exe

MD5 579d9e3e25c7398ec26f70a7245bb85f
SHA1 d46abea89e988bee7985b8869885a8294dfcf677
SHA256 6093f8a6a56cb6b3f4583bfe7e7493dacd60ef448326255d42431fba1c10f5ea
SHA512 b7ae4232e2648e60dd624e5116b373c1a47e63cbef787c0d857d361313c7e6e3a7a335a2059a827df03db5b5c3a3cfc73d878cce6874bff7a143321863b5cd14

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 71176f26e28a6541c75a38469028e4d1
SHA1 d157fb39afbeb9ba659a02192cc76436bc813e0d
SHA256 ec215fad15937415a87cadf5323b136410bfa728a82b1579f3dc91380487cbdc
SHA512 de97ad51036479d9cb6591daf86f9f909e43d6f610ad5c8479ef8e8158cecf36f319d3f3108408cb337cba2b26f88b5bfe4ca49eb4ae9b27cfa267a432ff7034

As in the Windows 7 run, the Roaming path is listed twice with different hashes, so the file is rewritten during execution. Comparing the two runs: the first dropped copy (SHA256 c12b3b05e7a445d147adf85b72dedbce794d8ca068cc8e85ecc39faa4a232de7) is byte-identical on both platforms, while the SysWOW64 copy and the second Roaming copy differ between runs and from each other. For hash-based detection that leaves the original sample hash and c12b3b05... as the reproducible values; the other four dropped-file hashes are specific to a single detonation. The file paths, the omsecor.exe process chain and the three contacted domains are the indicators to carry instead.
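The cross-run comparison above is worth doing programmatically whenever a sample has more than one detonation, because a hash that only ever appears once is a hash that will never match again. The following is an added example for the Files sections of both runs; it is not part of the sandbox report. RUNS is transcribed from the two Files tables (constructed input, SHA256 only), and the example assumes the drive-relative paths in the Windows 7 table refer to the same locations under C: as the fully qualified ones.

```python
"""Work out which dropped-file hashes from two detonations are usable as
indicators. Added example; inputs transcribed from the Files tables of the
report above."""
import re
from collections import defaultdict

SAMPLE_SHA256 = "13b9657cfdcc915ef7625b1e06ec511a2b6d5e5d5acd70e66b1b24fa55c8ff64"

# (path, sha256) in the order the report lists them; a path may repeat.
RUNS = {
    "behavioral1 (win7)": [
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe", "c12b3b05e7a445d147adf85b72dedbce794d8ca068cc8e85ecc39faa4a232de7"),
        (r"\Windows\SysWOW64\omsecor.exe", "794c9762746272a26124efa609cf8867679340d904d6ef9d8a25f7ad7869a077"),
        (r"\Users\Admin\AppData\Roaming\omsecor.exe", "bd58fb5435c46e5867b0ae1935bb0e1388b759d6ce76c4d1ddb13892d1e2bed8"),
    ],
    "behavioral2 (win10)": [
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe", "c12b3b05e7a445d147adf85b72dedbce794d8ca068cc8e85ecc39faa4a232de7"),
        (r"C:\Windows\SysWOW64\omsecor.exe", "6093f8a6a56cb6b3f4583bfe7e7493dacd60ef448326255d42431fba1c10f5ea"),
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe", "ec215fad15937415a87cadf5323b136410bfa728a82b1579f3dc91380487cbdc"),
    ],
}

_DRIVE_RE = re.compile(r"^[a-z]:", re.IGNORECASE)


def canon(path: str) -> str:
    """Strip the drive letter and fold case so 'C:\\X' and '\\X' compare equal
    (assumption: the sandbox has a single volume, C:)."""
    return _DRIVE_RE.sub("", path).lower()


def overwritten_paths(run):
    """Paths that appear in one run with more than one distinct hash: the file
    was rewritten while the sample ran."""
    seen = defaultdict(list)
    for path, sha in run:
        key = canon(path)
        if sha not in seen[key]:
            seen[key].append(sha)
    return [p for p, hashes in seen.items() if len(hashes) > 1]


def stable_hashes(runs):
    """Hashes of dropped files that are identical in every run."""
    per_run = [{sha for _, sha in run} for run in runs.values()]
    return set.intersection(*per_run)


def unstable_hashes(runs):
    """Dropped-file hashes seen in only some runs; keep them out of hash-based rules."""
    all_hashes = {sha for run in runs.values() for _, sha in run}
    return sorted(all_hashes - stable_hashes(runs))


def hash_iocs(runs, sample_sha256):
    """The sample's own hash plus every dropped-file hash reproduced across runs."""
    return sorted({sample_sha256} | stable_hashes(runs))


if __name__ == "__main__":
    for name, run in RUNS.items():
        print(name, "rewritten during run:", overwritten_paths(run))
    print("hash IOCs:", hash_iocs(RUNS, SAMPLE_SHA256))
    print("per-run only:", unstable_hashes(RUNS))
```

With only two detonations the intersection is a coarse test, but it is enough to show that four of the six dropped-file hashes in this report are single-run artefacts.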