Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-2344xazema
Target 8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef
SHA256 8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef
Tags
neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef

Threat Level: Known bad

The file 8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 23:07

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 23:07

Reported

2024-08-18 23:09

Platform

win7-20240704-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2120 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2120 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2120 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1036 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1036 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1036 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1036 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1304 wrote to memory of 2032 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1304 wrote to memory of 2032 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1304 wrote to memory of 2032 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1304 wrote to memory of 2032 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe

"C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2120-1-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2120-8-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7d42898196a1ec95d4d0ee5cf5b4404b
SHA1 c8d54ad4938e4258f2891cc6aca33d0ab4e042a0
SHA256 820483cd845697e6950cc73974cc181cdd75ba57b1bfc4fe45ea94b1307fa422
SHA512 ab3c0616f1d21bba15bfdad90245375a8046093b26a920c9e36f6257dc60d0e8f404b4d0d3ab7f37fc1240cad87bc83de807e45cf510522573c79738d7813893

memory/1036-10-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1036-12-0x0000000000400000-0x000000000042A000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 80d58be31b5d0f684b90a0ba16861ad7
SHA1 a758ee3f1278973da43d5631d9d0d800b1b0269b
SHA256 ae0fe6cf5faf562c2150966ca2419d0e7af3f57240db8d53e478e204c49b1c9e
SHA512 50cffc1253115ea7b9f703526fd4c21c4cfdf2511859c01817e2ba896c9b24004b687a26762555c9a5cc308041ca1342999e5ade17e9077bfe7d4e8f06fce09b

memory/1036-17-0x0000000000280000-0x00000000002AA000-memory.dmp

memory/1036-23-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1304-27-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a639974ea04c32e174b32a297197b908
SHA1 d9248f783e843fd8198651f8728c84be10f984dd
SHA256 7aa5efad40373524ce281b7f06edc625f978e3280efad571bdc377722d1a488a
SHA512 01c9281cbafe4b0536225acfb6a3d19e46670189e45cf7d518818ba2d667922eac8225f584066fc781552d6ca7a78fb7233e647733ec44bcbe1aef8e2b7eb126

memory/2032-35-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2032-37-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 23:07

Reported

2024-08-18 23:09

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe

"C:\Users\Admin\AppData\Local\Temp\8831b9da4e7dd9e6c4bf3a0e1d4193957fe6046318589c71b87259126e678fef.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3264,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/3884-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4132-4-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3884-6-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7d42898196a1ec95d4d0ee5cf5b4404b
SHA1 c8d54ad4938e4258f2891cc6aca33d0ab4e042a0
SHA256 820483cd845697e6950cc73974cc181cdd75ba57b1bfc4fe45ea94b1307fa422
SHA512 ab3c0616f1d21bba15bfdad90245375a8046093b26a920c9e36f6257dc60d0e8f404b4d0d3ab7f37fc1240cad87bc83de807e45cf510522573c79738d7813893

memory/4132-7-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 28c61edab89fa05569a2b18c46373299
SHA1 75f02b10a83c52fc14f4567db60a6189e4b01747
SHA256 201c83b0abf8edd643f13dc2d7002e363d3c24c267e923a730ca36b06899eccb
SHA512 fcba8e1d239f5eb687f0601e01e86190d7663b94fdb6f900eb60e8d8a9decfc947a2854f02f7a80d4a1fb6eca0b82fe941e0d3260ffe278e047b70d9c1ae0777

memory/2972-11-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4132-13-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ab71a4a98b9644ff6eec661a494600bd
SHA1 b68be8ec60b9e611d89f88ec1bb1f03fea0ec9b7
SHA256 c9d29e7d341f9b19231cbd9114449fc4c50259c04f4f5c200a1aef641614bdd4
SHA512 a078dc171f8439b5e6dc49ba7d0033b1b1a86db113ff801aac76a2af1dbc2b27e4f4dda6a0e1135a04b193b33fb1d3c33e62f2352af9941ab286ac2b4537f781

memory/2972-17-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4056-18-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4056-20-0x0000000000400000-0x000000000042A000-memory.dmp