Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-lr3tps1bkn
Target d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe
SHA256 103f4cfa3888101d4645b6e1ea0ca647668598f58be628a797e1406d76359dd6
Tags
neconyd discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

103f4cfa3888101d4645b6e1ea0ca647668598f58be628a797e1406d76359dd6

Threat Level: Known bad

The file d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 09:46

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 09:46

Reported

2024-08-18 09:48

Platform

win7-20240704-en

Max time kernel

119s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2816 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2816 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2816 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2816 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2744 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2744 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2744 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2744 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2900 wrote to memory of 2412 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2900 wrote to memory of 2412 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2900 wrote to memory of 2412 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2900 wrote to memory of 2412 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe

"C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1db297ad35dd61a0931fa4015fec1264
SHA1 2396d371da5776ab6823df870fb87c6bbfb08961
SHA256 a5d249d01913b3ad6541f11c0a5f83d1ed3e9b856f2f2acd1ec0d8938ea3df49
SHA512 4358ab2934ba720f835bfd99049c5ac915eda6b8c08209a8930a27388147d263fbe0b802377af06e49d12522dd5b1927a57500cda6ab800fc7bb660488fe2af6

memory/2744-9-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2816-7-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2744-11-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 09bfb36775d4ccadb48274e78f5d1696
SHA1 8dc86dddb9da47de4e3bf9afaa1bcb791da2ae87
SHA256 d5667f4f3c3a2b07c926a4d35aee8a07598589d09368a6245e60a235a698bf00
SHA512 cc299178598276ae37eaf2f4f966407cec9a11680dc7bd79b5efbbbec196d5aa32a89096a9dce5fb189b0e7be9d5ddb8e6bcc75aa9a99794e1990b9221a1d7d9

memory/2744-16-0x0000000000290000-0x00000000002BB000-memory.dmp

memory/2744-22-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e4723eda011bc544178aea66af7c90fa
SHA1 6936f353050f60ff313ecc554d1ce39fe211b70e
SHA256 2cd0424869e50d2cd51ec291286e825fe5deb2f6654b57e94d0755224f0844bc
SHA512 80cc0892ea7268f8d0f8738732a35042645a138ba003e167e47bf33bb167c91b9eca8aba41e161a22e6b778c12a467970f381debc09fd52334dcf0cccd7919bc

memory/2900-33-0x0000000000220000-0x000000000024B000-memory.dmp

memory/2900-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2900-32-0x0000000000220000-0x000000000024B000-memory.dmp

memory/2412-37-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 09:46

Reported

2024-08-18 09:48

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe

"C:\Users\Admin\AppData\Local\Temp\d5caadd3a36bbd871cfe9e4ad81bbfe0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/4664-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1db297ad35dd61a0931fa4015fec1264
SHA1 2396d371da5776ab6823df870fb87c6bbfb08961
SHA256 a5d249d01913b3ad6541f11c0a5f83d1ed3e9b856f2f2acd1ec0d8938ea3df49
SHA512 4358ab2934ba720f835bfd99049c5ac915eda6b8c08209a8930a27388147d263fbe0b802377af06e49d12522dd5b1927a57500cda6ab800fc7bb660488fe2af6

memory/3028-6-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4664-5-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3028-7-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4556-11-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 f9a0a2a5ac809a3fb667abbafbcbbb08
SHA1 0ce9c4b64a2a758a32c9a3be737aaeb95cb27c6a
SHA256 e5ddf9f957a43443bc0ac388ed97baa09cbdd6a27b6828f0bc667e1ef2e0e819
SHA512 6a866668336d62417eb8b174c1d9014d7338508676c968b7f760d113ac91e43e1c2ce91a21eb7d7d9f8558e76a2591b963c3e22185753b7dac88935568a76bc0

memory/3028-13-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4556-14-0x0000000000400000-0x000000000042B000-memory.dmp