Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-n9ewpswdjm
Target b2efebdd3fa287b4b4af62798c8871d0N.exe
SHA256 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0
Tags
neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0

Threat Level: Known bad

The file b2efebdd3fa287b4b4af62798c8871d0N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 12:05

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 12:05

Reported

2024-08-18 12:07

Platform

win7-20240708-en

Max time kernel

115s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2556 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2556 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2556 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2588 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2588 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2588 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2588 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 676 wrote to memory of 1836 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 676 wrote to memory of 1836 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 676 wrote to memory of 1836 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 676 wrote to memory of 1836 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe

"C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 73cf383a4b12cce57cb925cf0aeb13d9
SHA1 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf
SHA256 a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33
SHA512 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52

\Windows\SysWOW64\omsecor.exe

MD5 03fbbc7c6d20bdf13a61e3fcc29e1433
SHA1 773f94446e8f7279f3cb6f8c3426ddf8e009956d
SHA256 e605dcae6229436ef7ddf1371e6f664b788d790e2d38c4039ef9069738afefc0
SHA512 8cd6a5aae97129ac32ef6a4e8bd46b4ecb3795f7d3050994ffbd347c81c2751a74bc2ca3096e2caebda6c82a0a6bc5e2e350ee93ebcf2d2307531bf3ad817965

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 246dedbbb989fa8e2fa746d32df0139b
SHA1 dc1cbee75b07171b4f917d400cc691b614c3c687
SHA256 ba8adef95d9734b766329d07c1f954fb2552eb3fe8e0a6472379b207976855d9
SHA512 b9082147073496e087b1bcbcf5fc64782826bd955b421dbf4647151ddea7dd5602baa701f433772f378074912e91b81453c519bab55c7d968bfaae9329809b8e

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 12:05

Reported

2024-08-18 12:07

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe

"C:\Users\Admin\AppData\Local\Temp\b2efebdd3fa287b4b4af62798c8871d0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 73cf383a4b12cce57cb925cf0aeb13d9
SHA1 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf
SHA256 a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33
SHA512 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52

C:\Windows\SysWOW64\omsecor.exe

MD5 94d1643d00d0fe05e081ee5cf01ccd0c
SHA1 2bf0e89fc2f3e5695fd63c33c02411272def6e5a
SHA256 995bed93b81bae5111170e2891906fa0fee407b0ab31fb3f5320f25320b33185
SHA512 7ba429d04031f3219d517ab1f604d26a545f4197a3f8f9394ac11b66aa80fb633e36f4a63ef2e31236ada55168606960a568b9206fc88bee50251b92cb78085c

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2167fbf1daa0169c53b3896c16eff387
SHA1 0004c3dfc100b79d34cf569707a5eb25d5b29c2d
SHA256 ddff2783ce00568a8468f1c236375cea698c1974613b1f895aabbdcba457560b
SHA512 24d8d52f0137008ae9290827adefa14d45550d3108473e3f9aafb4c453105f66c3b79a151813961d3ea243378b2b6712d57d087564cf3582442e297eb4857ef8