Malware Analysis Report

2025-08-10 21:20

Sample ID: 241031-l9dbrswerb
Target: 65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N
SHA256: 65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660
Tags: neconyd discovery trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660

Threat Level: Known bad

The file 65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-10-31 10:13

Signatures

Neconyd family

neconyd

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 10:13

Reported

2024-10-31 10:17

Platform

win7-20241010-en

Max time kernel

85s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe"

Signatures

Neconyd

trojan neconyd

Neconyd family

neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2100 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2100 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2100 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2100 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2580 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2580 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2580 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2580 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2508 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2508 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2508 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2508 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe

"C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 15.197.204.56:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b2efdd7070e9ca2edc770f508c705ffb
SHA1 f7fd589f8e939506f1e30b5cceebd3bbdae7002a
SHA256 e8cf27d1567cafecf427e2cca3ec6c75f21e3789248a9bacf3d2c41269456cbb
SHA512 5a8eae141727f11ed598eef7e255f4819f31b6d386cc9f2b83a816b2f971d53c45606c2bd243d397f21d0d598879b61b75fb44d2748463e971fdd3671234288f

C:\Windows\SysWOW64\omsecor.exe

MD5 2a49c87b068857d8ece66848480eef0b
SHA1 c3fe5d871ef0058e14534767fb2cf861a501a753
SHA256 08e319bec723fc8de14b82dc58a639609de57a082cf1d7334d9535eefeb4b825
SHA512 1c7d0aca6afc681073a199af8471703de1b9e679ba94597004364c42723cde1f1ebc04a5b4cd549a2ee7d4bcd82a69ed6442fc8f1c4c98745c62ffcc6e26c32b

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ece0417594aaf2f1480b46319ebe7de7
SHA1 40d70e6dd13cf4c6a7843b6a4110fac507be6c09
SHA256 6c027ec55eb76d9a35b9c4a14210277ab648f69852fb72b5084e2d850191be8c
SHA512 c9b891b696fd9d219fa77dd685893be0e23c0094f3070b5b529259f687f0e597ee632b1a2c69c55443b3d3df340d2e67265f36ba0805d314ed148d93e8bb007a

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 10:13

Reported

2024-10-31 10:19

Platform

win10v2004-20241007-en

Max time kernel

115s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe"

Signatures

Neconyd

trojan neconyd

Neconyd family

neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe

"C:\Users\Admin\AppData\Local\Temp\65e72d562626c525fe5d6619227c34ab5524a0a89526eb9df90f5d763bc0c660N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 145.243.33.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | (no domain recorded) | udp
FI | 193.166.255.171:80 | (no domain recorded) | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b2efdd7070e9ca2edc770f508c705ffb
SHA1 f7fd589f8e939506f1e30b5cceebd3bbdae7002a
SHA256 e8cf27d1567cafecf427e2cca3ec6c75f21e3789248a9bacf3d2c41269456cbb
SHA512 5a8eae141727f11ed598eef7e255f4819f31b6d386cc9f2b83a816b2f971d53c45606c2bd243d397f21d0d598879b61b75fb44d2748463e971fdd3671234288f

C:\Windows\SysWOW64\omsecor.exe

MD5 fcd46e504f6189094450df42a943abeb
SHA1 93527071cae2e012ce18a2ce9ac3475d5e71c07a
SHA256 f4a798a011662ec70ec3c67df78b215f6ed3343826e07d57e1f812f16c6e3bcd
SHA512 7932a601cba8f6922c3440ff032a4221a0f85fdb8624854c395797cb9043ccb0aa9b0051185df4df19835cc67e36f3e7b42410e8e01d8c89b7734c89d3f0ce4d

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 624fe7b65e496655894d615bc1ce69c3
SHA1 a544911f430103ed1ae0178e7791118570bbfcf9
SHA256 6d93dc9796783c05a712d76ea7b430c449a496236aaa745377a5d5eb26817272
SHA512 4add86cd85edcdd29301bbca27eaf0ce272a4838c7a9d2d265b9d1acc220bca8de376ff15a2b28651e37d3823c21be6462d776e04ea5e1593b6f0cf8cbad18f4