Malware Analysis Report

2024-11-16 12:58

Sample ID 240817-mjanma1bmg
Target 148d628a2787b67e88dfbcf1d8a3f750N.exe
SHA256 99d32a4585a929a8072a4b0677ad371414c5322cbdd4bb0162b986e61c935c87
Tags: neconyd discovery trojan

Score: 10/10


Analysis Overview

Score: 10/10

SHA256

99d32a4585a929a8072a4b0677ad371414c5322cbdd4bb0162b986e61c935c87

Threat Level: Known bad

The file 148d628a2787b67e88dfbcf1d8a3f750N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 10:29

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 10:29

Reported

2024-08-17 10:31

Platform

win7-20240708-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2348 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1808 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1808 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1808 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1808 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 644 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 644 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 644 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 644 wrote to memory of 1184 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe

"C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 085d3911db95d1ee858b90a8d9057b7e
SHA1 f405ebee5626577bac41cbdc9a62996fff22433b
SHA256 590cd998102f8d0676d7ceba4cded30a55f351f2c1474919933493daa40a8f74
SHA512 76406e6c1e9a97f19516b3e5e82894177ef0fb05c6abc70dcda44f0bdacf45410d793cf85a0da618ff0bd9a088b06195f6e5e6ace08eb87ebe85d448f73f3854

memory/1808-12-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2348-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2348-9-0x0000000000220000-0x000000000024B000-memory.dmp

memory/2348-8-0x0000000000220000-0x000000000024B000-memory.dmp

memory/2348-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1808-14-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 53d9fd1f15ae33abb1ebf99d3219ad0e
SHA1 5a16256d668aa034efe31f7bd36f2797b8d73414
SHA256 4dae55c91c2369da69899d1aede63bcf934ffa37c309ca62c7c238c2656e3f77
SHA512 d8a971ed5d3b20ada8eeac26d628b699f100ca0a63badace702df8f5099c1163a37af185d1d83379ec0ede5968ea4ace91bd9f6bc12847970bb5aa42aaaf90fc

memory/644-26-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1808-24-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5fb26513945b35c6ce2d5eebfb927802
SHA1 a0c1fc9cd2168a99927639d92d346b08fd9c7880
SHA256 e602e25c73ccf5afd8c9ff40e6a9f858b2765c89d07ad8af29e483ec28523ca3
SHA512 60647a9171da93474db7951fae088ddd067416bfdb3973efeeb036012da58a753f8a4965243bc33d9fc0ad168857abc392ddeb2fd77b9eae7840079f349dc4aa

memory/644-30-0x0000000000220000-0x000000000024B000-memory.dmp

memory/644-36-0x0000000000220000-0x000000000024B000-memory.dmp

memory/1184-40-0x0000000000400000-0x000000000042B000-memory.dmp

memory/644-38-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1184-41-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 10:29

Reported

2024-08-17 10:31

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe

"C:\Users\Admin\AppData\Local\Temp\148d628a2787b67e88dfbcf1d8a3f750N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/3652-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 085d3911db95d1ee858b90a8d9057b7e
SHA1 f405ebee5626577bac41cbdc9a62996fff22433b
SHA256 590cd998102f8d0676d7ceba4cded30a55f351f2c1474919933493daa40a8f74
SHA512 76406e6c1e9a97f19516b3e5e82894177ef0fb05c6abc70dcda44f0bdacf45410d793cf85a0da618ff0bd9a088b06195f6e5e6ace08eb87ebe85d448f73f3854

memory/4772-6-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3652-5-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4772-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 35e7c900608f3bd1262f4ec9ce6d04c6
SHA1 4d7d58f8d157e7cd1d6af943bb0cad9037eccf33
SHA256 d08325128b7af61e3f9278e25881b5ea470536c43af02601c09c347974d387c3
SHA512 3971bed96492e3d21c24efd33c87fc736fbc9ef76f71d583b5b93566178f1b6f338638efbc8edfaafb482df99870be2bfb2ac224e589e72868595f726399d058

memory/4316-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4772-12-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 da64ec3464133e57a63734df07fb4630
SHA1 da9d6c4d46ae2ee835e181df8b515b06e9c47974
SHA256 bd8bcf3baf88f3ea988525b69472d95843398fd1b3ce5bd607fdc75a32cfa729
SHA512 b4ede67d487cc0984276b3486c0b68640ead9e210b5cb90d37627d48140d69a8a0b87bfc08392a494bae033946630db9f4533282ff9bc1778dd4ef052d5f5192

memory/4316-18-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2188-17-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2188-20-0x0000000000400000-0x000000000042B000-memory.dmp