Malware Analysis Report

2024-11-16 12:58

Sample ID 240819-cq7a3aygjc
Target dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd
SHA256 dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd
Tags
neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd

Threat Level: Known bad

The file dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-19 02:17

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 02:17

Reported

2024-08-19 02:20

Platform

win7-20240704-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2388 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2388 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2388 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2388 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2972 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2972 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2972 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2972 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2512 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2512 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2512 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2512 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe

"C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1e82166cdb3bb51e8964be7b5a9ecb08
SHA1 cd78f196cdcd818dd456ce91817b7d8735bf9846
SHA256 d1b58bd52e3ed9b58e0243ca3d42487f91635493b7a6e430244931b129b18ea4
SHA512 532f928ee4cce9f9c5642c83aeaaae7ecf47c72a410be9ac0e00bc9948771e73a37d7f8b5f0026a1c01999724063a4ecfb54ef16714fa770db1904ce46fcffa5

memory/2388-1-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2972-12-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2388-9-0x0000000000220000-0x000000000024B000-memory.dmp

memory/2388-8-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 33b7445acad3ee64ff2ccbeb0ef446fa
SHA1 65dbba5219f0304b9f722e46b67a6a6df47a4d0c
SHA256 e4fb710ff7768d3e9b0b72685e24d22ddf6a649137b51dcc4065b12af8dbf987
SHA512 49c30f76c3ccec6e4297bfc77939005b1628837954a86991a029bb1128e12bb4abc380130572c582b0ff0f4cdaf42bc68edc7181adf39c7224c674419ec6333a

memory/2972-17-0x0000000000500000-0x000000000052B000-memory.dmp

memory/2972-23-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2512-29-0x00000000001B0000-0x00000000001DB000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8d4e6b576d64abefa4280c3a02643b36
SHA1 97f35d9191d73b4840747531ae9e492a380c63a8
SHA256 593ea7db3aef576a9a821416966c60504c9a9b278d1e83306d15ed591e34601f
SHA512 5a272d2f5a5551b86367b6910faa637fcfb52b193b8884cd92728d8741a2c430deeedb35f3d4a75db2821ce9b291fd1aa4b40867cdbb1e8dd47aa296f63776ea

memory/2512-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2512-37-0x00000000001B0000-0x00000000001DB000-memory.dmp

memory/2360-38-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-19 02:17

Reported

2024-08-19 02:20

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe

"C:\Users\Admin\AppData\Local\Temp\dc50642973a0cc8359f12509235873ce99063bb024524146dc938642db0665bd.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2936-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1e82166cdb3bb51e8964be7b5a9ecb08
SHA1 cd78f196cdcd818dd456ce91817b7d8735bf9846
SHA256 d1b58bd52e3ed9b58e0243ca3d42487f91635493b7a6e430244931b129b18ea4
SHA512 532f928ee4cce9f9c5642c83aeaaae7ecf47c72a410be9ac0e00bc9948771e73a37d7f8b5f0026a1c01999724063a4ecfb54ef16714fa770db1904ce46fcffa5

memory/2936-6-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3836-4-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3836-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 5bdc6086e6d00112a03533477c72d1d7
SHA1 ca78618ff79e82ce304c01414a5e44290d937ae4
SHA256 ecbff5b5ec976cf392c0f272f5a35c726529132194cc0520b96389f61d1751f8
SHA512 e2d311293aa86b57c4b5a15bb39904796454324ab2328a9f130f1da462bf4598974863f00277f5a19a1e2211077955577818d71cac43033193e331b672912d10

memory/2044-11-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3836-13-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2044-17-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 9e23bd077698b6e84f1d8ee239700855
SHA1 5471fa28a62e07b897e20d69e4491688ea058c53
SHA256 6e7723a201f93efc8d3f06aef7bf1b8ed46cdb4cf17b98f772231e8cf3950daf
SHA512 4ef4a15798eee0f684579538dc3d4ed784ab8d5f305e2fc43c5a1deceb9a8a70d1aff53ef3c67a30c7bf4e408040771b0a70d8d4068bc04d1888831b37fc366a

memory/1428-18-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1428-20-0x0000000000400000-0x000000000042B000-memory.dmp