Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-nn1w2ssakb
Target 5ff42997329bb240d36b3877786d8970N.exe
SHA256 bf8c000f958ecffc7527b9930deea9e84ae43ca31ad5fb8249a948654fe59786
Tags
neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf8c000f958ecffc7527b9930deea9e84ae43ca31ad5fb8249a948654fe59786

Threat Level: Known bad

The file 5ff42997329bb240d36b3877786d8970N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 11:33

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 11:33

Reported

2024-08-18 11:35

Platform

win7-20240708-en

Max time kernel

92s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2876 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2876 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2876 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1344 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1344 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1344 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1344 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2392 wrote to memory of 2128 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2392 wrote to memory of 2128 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2392 wrote to memory of 2128 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2392 wrote to memory of 2128 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe

"C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ac15f7cbb36ce4d213bf65ccd3dd81f9
SHA1 9059c966cd5a981203d7b6fac9ae1cf3caff1356
SHA256 c130fe3c09576a3aa60344ef1149d09def3b0d5102acfc42f7f9e872b577dbf2
SHA512 d9fab174bab93f3d53bdbc76feb950ac3754dae300620ff6c14f63c6608604988b5e4ccd22746d634e6ce8b546d386872cc0372f6c7b58a02391768337a611b6

\Windows\SysWOW64\omsecor.exe

MD5 3289b2c68d22031bd7180f445a9af76b
SHA1 0d39e30fc149ef3e4720b7d5e069fb130c776343
SHA256 72147c06d4d30c0775c86bb91cfb9cff42e4373bae7a58142327a7afe4e8a755
SHA512 7f0d52d4b8df63850b3cd8a9f4520c663802a34ac50ae032b285fa59ed287a5bde5f568d7f22da9cb184bd38ee0366c6695396b0066ab5815ab562c5fb35859b

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d70ab27dff53f6b17cb228dac4f0f6ed
SHA1 4afcbc9740f4b5252b528c9c9d8d57a62c052852
SHA256 abee8269862df1ba06b036416abda41995adad590f61c967bed59ef8a63ab305
SHA512 c3ff8cdc9c9bfbed0acb778111029a2405bc372e62330285d07ac24d1ec951cddfede7f1a6ff91ebf4d80bcfcfb59b900f4f8813342d15f3ba48445e9d96a647

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 11:33

Reported

2024-08-18 11:35

Platform

win10v2004-20240802-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe

"C:\Users\Admin\AppData\Local\Temp\5ff42997329bb240d36b3877786d8970N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ac15f7cbb36ce4d213bf65ccd3dd81f9
SHA1 9059c966cd5a981203d7b6fac9ae1cf3caff1356
SHA256 c130fe3c09576a3aa60344ef1149d09def3b0d5102acfc42f7f9e872b577dbf2
SHA512 d9fab174bab93f3d53bdbc76feb950ac3754dae300620ff6c14f63c6608604988b5e4ccd22746d634e6ce8b546d386872cc0372f6c7b58a02391768337a611b6

C:\Windows\SysWOW64\omsecor.exe

MD5 41b80933318ba103baa94933319adecc
SHA1 9c1a330eb8ba2917a3009ac5f017165de3331cb4
SHA256 b96a6f8b33bb7778a956814ce13c797a0374523e16405a5b933d5309ac98415f
SHA512 ff928a86bd33cd83e0f01b69487cac10ebc6462079d7c30facb6ff612e6c8e923c2cc206bd18c47d5e676d52cc116a0ebc70f512bec6771ced026af56d74c01c

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 355eade5dafcd0eb244d38458c1ba459
SHA1 2c0fd1dabd23c4082dd9a7259b9eb966f30fa2be
SHA256 9215066b3a6a7c02b0e26ff9b560e644d8640c556a22e8ba3fac8ae6eb03399a
SHA512 eef7763febbf5ba66933dec987b2a2eb4412cf75e76d498a1f5f4f573514ae00fb61300a391faa5f28359f5958092c5388ff50d4a6824835df319589bf66d2dc