Malware Analysis Report

2025-05-06 00:51

Sample ID: 241109-y9j6ja1hle
Target: 6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN
SHA256: 6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191e
Tags: neconyd discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191e
Threat Level: Known bad

The file 6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN was found to be: Known bad.

Malicious Activity Summary

Tags: neconyd discovery trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 20:29

Signatures

Neconyd family
Tags: neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 20:29
Reported: 2024-11-09 20:31
Platform: win7-20240903-en
Max time kernel: 114s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe"

Signatures

Neconyd
Tags: trojan neconyd

Neconyd family
Tags: neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery
Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2408 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2408 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2408 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2408 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2104 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2104 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2104 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2104 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2224 wrote to memory of 1484 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2224 wrote to memory of 1484 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2224 wrote to memory of 1484 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2224 wrote to memory of 1484 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 742f951e0d4649cfc7eeeaa0714c45db
SHA1 705766e428dd9857cca007341208fcbe4de97406
SHA256 36e8e9c06ec343c394c74b02424bed471f506d9890c61f00b0bd914f6f36369c
SHA512 af75ac7c4fdf36d8fc5b7fe74985e60274d34210e936a72ae5ff70b9be8beb6bc1eb1fecda0f54a8b5bfb99e7989f16e4035ade220245d2e7b554d8972dd9302

\Windows\SysWOW64\omsecor.exe

MD5 3bde8b0b4241659ae0409ab65892c69a
SHA1 d1d7ec3aa4f106ba3388d5b1b428d676855bb154
SHA256 ac9615b4ba6cccf7cb97d42053300aa53761f4d29b1723c05a559aad91f83a7d
SHA512 507b6819f556a19c7184d409bddeeb0a8bcfc2c93863cbc379911bf164bb15af475c9488f46c19263d22d6caf30161b260328c1ba47729ec60be3711eadcc628

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 bc39a6d0fc4d805af6d57329e7e9f3e1
SHA1 d3af67bdf4920abc78801a6aa45716996770e010
SHA256 33ad5b64575f9d8b13f79ccefacd86687150d18ef11f0b9403667f9edbdfa063
SHA512 ce5451f5693e8716afb3a875083b5efd62d87f548797228bd798a085c752cbc12594d5f4ff685bb00b6d7b8a6ebcf82442046168ebc37ae15332eed0cdea1530

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 20:29
Reported: 2024-11-09 20:31
Platform: win10v2004-20241007-en
Max time kernel: 115s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe"

Signatures

Neconyd
Tags: trojan neconyd

Neconyd family
Tags: neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery
Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6388b367bc7dfabf9ed4651954a36ef4c9b439ace0698a1db26b467f57b8191eN.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 3.33.243.145:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 145.243.33.3.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 742f951e0d4649cfc7eeeaa0714c45db
SHA1 705766e428dd9857cca007341208fcbe4de97406
SHA256 36e8e9c06ec343c394c74b02424bed471f506d9890c61f00b0bd914f6f36369c
SHA512 af75ac7c4fdf36d8fc5b7fe74985e60274d34210e936a72ae5ff70b9be8beb6bc1eb1fecda0f54a8b5bfb99e7989f16e4035ade220245d2e7b554d8972dd9302

C:\Windows\SysWOW64\omsecor.exe

MD5 74b04dd7cd457509b84aab0bcc1fb37f
SHA1 f045ff0b91a6a5f58c2831d2643d22a6328e4a5a
SHA256 b867266c03a7cf0ace295dc90136467601f42a6aea42fe6b9dd7d5c92e1e1b5b
SHA512 6b499607fd2453a2ebf315e6fdb9f2711277c4a1b80eda9135173604620d6427cd47658e0d5a76f9c34263f99b1b6f18d468b3f50dd2300e16bb2380b9b65e08

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 bb8775c5de7533b0643f51759a4fdc3f
SHA1 ec9bc76c3ddea21aa4b360233c4319eed87c787e
SHA256 42b16fe6fd50031dfb46cd6e85e30c36dafa0ca1a6706642e9f96facaddfbbf4
SHA512 5239a539869dc2319c80932b3e157fd2b082f94297fe83e0acb772e925bdf5beeb0fed95ea00bf2a2e60b0f3ecc06f894a998f926a396ce5a3baf31b36802e3a