Malware Analysis Report

2024-11-16 12:59

Sample ID 240818-f7vv5syand
Target f3327a85844a5806782da40c4df8b2c0N.exe
SHA256 1a0d17f5c56f15fd79ce82e307cdea1a67eed9ade0eb32e2b632ae107bd9f6ae
Tags: neconyd, discovery, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 1a0d17f5c56f15fd79ce82e307cdea1a67eed9ade0eb32e2b632ae107bd9f6ae

Threat Level: Known bad

The file f3327a85844a5806782da40c4df8b2c0N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: neconyd, discovery, trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-18 05:31

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-18 05:31
Reported: 2024-08-18 05:33
Platform: win7-20240708-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe"

Signatures

Neconyd

Tags: trojan, neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2200 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2416 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2416 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2416 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2416 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2240 wrote to memory of 1612 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2240 wrote to memory of 1612 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2240 wrote to memory of 1612 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2240 wrote to memory of 1612 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe

"C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6c0fb199987274ba7577edf451f4b47a
SHA1 5d57527ae68656561393f0cf9c184a171bf1844e
SHA256 da5a3e2ddf7e0d03c26cc64c80c224b35a987d7f46397cde2faac87d3363763b
SHA512 bf1031fd3961948231c8007f274885b21f85a9f1050bfe9976b7737e2d90b8ed142a69ce3b5e4e56370cf61f8323426ee0cb44732d3ffd3995f2d995d648de76

C:\Windows\SysWOW64\omsecor.exe

MD5 9ad02e8fbb4238dd6c1f8aae6801866b
SHA1 02fb202c955a7701391d602997b2f3833620d13f
SHA256 f5e2ce6eb2bad4048d449b122857467ccbda902d8284a34d0fe9c604a62a1488
SHA512 b8b3eda5f15a277856e02c861448c9f4df66da2c0b8a9b71bcbc5aa23f9994af5559043ad4b77e5db79a9506a9f93082b87852ee82ff7ce6634e6bd8facf10f9

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ff67668256addb3655ac53d4fbb043dd
SHA1 07268ac2d97829d1020d7d7254a5f488c66432f8
SHA256 1e0e7797f3264eea7174265833a51037be04e03154d68f93986cb37ef7617f1e
SHA512 b2bc4718a28e52c7c05a5d55c0686c20de3aa739068c4fc56e7a6519f361c6a19a28c81fcade9bbd56d8c506d2fbdc698a6c0b49210d6641bbf1ffd251541596

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-18 05:31
Reported: 2024-08-18 05:33
Platform: win10v2004-20240802-en
Max time kernel: 115s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe"

Signatures

Neconyd

Tags: trojan, neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe

"C:\Users\Admin\AppData\Local\Temp\f3327a85844a5806782da40c4df8b2c0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6c0fb199987274ba7577edf451f4b47a
SHA1 5d57527ae68656561393f0cf9c184a171bf1844e
SHA256 da5a3e2ddf7e0d03c26cc64c80c224b35a987d7f46397cde2faac87d3363763b
SHA512 bf1031fd3961948231c8007f274885b21f85a9f1050bfe9976b7737e2d90b8ed142a69ce3b5e4e56370cf61f8323426ee0cb44732d3ffd3995f2d995d648de76

C:\Windows\SysWOW64\omsecor.exe

MD5 037f69957cf604c2c4f590926c662b1b
SHA1 4d7b860ed307ffb07aafbfcea0ce803282f9f6c9
SHA256 d839ca1633d3ae95b4b022f8407b6dac6eef825df76a8f53a4443848d99a6649
SHA512 2f9acfb87c9f2cb4508c8bd808203ba683f7ece3cc0ad1d03c9230b9c37c955a15455d914718288d0aba6e2c909f27e2b98cdd682ad046f138f0b944ab64988d