Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-pcrdxatbkb
Target 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0
SHA256 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0
Tags
neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0

Threat Level: Known bad

The file 39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0 was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 12:11

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 12:11

Reported

2024-08-18 12:13

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe

"C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network


Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 73cf383a4b12cce57cb925cf0aeb13d9
SHA1 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf
SHA256 a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33
SHA512 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52

C:\Windows\SysWOW64\omsecor.exe

MD5 501b5251cc5759732eb66dbf33328068
SHA1 e866bee10842ed4d39c6bbab2cfaeb39044624e6
SHA256 414851da10e9f8b098f3a6d8b0eb10da978fbd8864eb0d252b01595989756384
SHA512 82ef31d69fa64526184b413e0423304d8c095ee0d9e5a823868379ecdd543d0817542e672f3ae7e267116ce2944e3ee89714ddcc30cf951033350354f1de453f

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5f31f8cc2476e2899710a00bc6bfa76c
SHA1 3adc2f226fc43eb71aa052211b12463593d6f63d
SHA256 a872c8dbb06fe2f1c0ba3ee1f94e7e6e47340539d8a62f7416332c3433f22222
SHA512 01f0309fe67bb1ee33134e84ab2b41f15c2364d3747b5a5fdfbbaef039a136022b0f878560308777a8ef1c4c004cc159d202c7ff05cb747ea96bed2e089f8e44

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 12:11

Reported

2024-08-18 12:13

Platform

win7-20240705-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2672 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2672 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2672 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1280 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1280 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1280 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1280 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1164 wrote to memory of 1672 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1164 wrote to memory of 1672 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1164 wrote to memory of 1672 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1164 wrote to memory of 1672 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe

"C:\Users\Admin\AppData\Local\Temp\39909848cec82953263eca035063ea42b2aa73bd49cc8d0117f1281817d712a0.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network


Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 73cf383a4b12cce57cb925cf0aeb13d9
SHA1 9a65ea5d1dbe859bfa5bc7bb6fc40be048453abf
SHA256 a02226331110406f482f591ba82177cf3e6fae33dcaf0b118d122fbab8a57b33
SHA512 5cdab2006a7d55f3b35e8dff431be8a37b5469f12c095a78e573d87944f42af674ad60435c4f0a53913e7634eee3bb835866d901cf6c74c11cf5431e49447c52

\Windows\SysWOW64\omsecor.exe

MD5 7c5a620d2a6158c69a1b9ad80579af17
SHA1 17e6c78343af5c471db0b64882f57545ffd4b7cf
SHA256 31cae2da6106a8eb1e7ea565ac60647b7715bbdb669ad096b8a0774e7759442e
SHA512 4c20c2c2e9a1ad083f46fdd53de645bc48bc5e195df9e926b5e75a5abe464ec306abe4071bdc648355385f855735c69f2ab178fc67c5d5ac08a2c988c0c79d41

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d2e40d53cfc4ba1e53af79357a9e2062
SHA1 8a68c9db55ae554d7847c9c9900b2459ddbf049d
SHA256 6ed71c0acbd23364031d370d817db92df96e19b3e3a47600a6e5fb376214d625
SHA512 44713e3e8b45049b141515ef4a037565b39374166895444caf113adf21f5decb955808ec6d75292c02b8a7f19e58ba8a5582ae8a9a00d0f9592fc2df0f14f1c2