Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-zps4datdph
Target 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78
SHA256 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78
Tags
neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78

Threat Level: Known bad

The file 4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78 was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 20:53

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 20:53

Reported

2024-08-18 20:56

Platform

win7-20240729-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2112 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2112 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2112 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2564 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2564 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2564 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2204 wrote to memory of 2816 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2204 wrote to memory of 2816 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2204 wrote to memory of 2816 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2204 wrote to memory of 2816 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe

"C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3dfc86b2441840dc62ce2a529fd73aea
SHA1 94966d2741dafc71c66f8f39e625b927d273e28c
SHA256 1b00585a46d14e683b1ff21d5659e2dce15e1e674bd9796d5483a7617fbc15ae
SHA512 00cac720a7929b66a4a1bbd452f879d2ed174c981cbec7867a33fe173555463f625981985dd34b82a4e595ea3e71a8e9b2b9cab1635144c21b335e4baf47de20

\Windows\SysWOW64\omsecor.exe

MD5 ca9f3f63b3b18002a09115c908386c45
SHA1 34032a24baea978acdaaa23dffba12b67d5a3867
SHA256 af928bfb2ded61111523c319a3a3fdcf2646fc6931af73b7b5cc4e40d40cef4d
SHA512 af1c343edbe93136608d06833d5e1ef8ccc6c5b17159468ee73cbb29e4d465b861468e5cb807f4a11856cf6b3c928f2e0bfb228daade9f276f5f771f1bbcf770

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e4b11e0a69a8642dd400a3a9a02567d8
SHA1 35b9921187c0b0fb0395494f2dd1734841a3c4e4
SHA256 47ad84dbe82c4d194310c7f1e5a8fddf640be0b3e244ecc9de3c926e60ef8c1c
SHA512 e9aec412aaeaa00be2b1305aa2fe816266f85557ecfe206f7c070b9af2804c37a298c12ef472506a8526221b9139e24b7f3fae9c31b5e199abe214db7c33ca4e

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 20:53

Reported

2024-08-18 20:56

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe

"C:\Users\Admin\AppData\Local\Temp\4a1c0dcabe85901f36b7b6fbbb1d1d988f47e9344e2cf126706a8db7eaeecf78.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3dfc86b2441840dc62ce2a529fd73aea
SHA1 94966d2741dafc71c66f8f39e625b927d273e28c
SHA256 1b00585a46d14e683b1ff21d5659e2dce15e1e674bd9796d5483a7617fbc15ae
SHA512 00cac720a7929b66a4a1bbd452f879d2ed174c981cbec7867a33fe173555463f625981985dd34b82a4e595ea3e71a8e9b2b9cab1635144c21b335e4baf47de20

C:\Windows\SysWOW64\omsecor.exe

MD5 50a2ccde3656cb7139d585beb333cb40
SHA1 2d93911701ed79319c24ac7af57f7be0f8e5a8bb
SHA256 31db88859c37cf65d13b2349e09b0ac67b186316c036fa660608dbc6a4c87442
SHA512 646fcdea9a220ff0cc453c2ac84260ae26ebd735bdb2a2345a5331d73e6a7ab72959067caa5048481ac3fa7ab9fcf8b3158a8aeffadc3b42332d8aeaa24f1d53

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ee89eb2b96b860d3166fb7be176cf7b4
SHA1 ce3dc413303d4c2c035a22b5b9d51eefe4f64a5b
SHA256 31efd5431dfd5fdeab331d79a8271d22b68fb2e964aff1571b9096c6a7951c77
SHA512 a696d4d29aa78d384ec92aaac6bf8c0ba9bbff234e5df39cea8487bf50e88e4141fe0377ceb81d3041ea20999407aa76a0b146b266ff11bab33d8e558d160a34