Malware Analysis Report

2024-11-16 13:00

Sample ID 240520-ab4khsaa68
Target 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6
SHA256 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6
Tags
upx neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6

Threat Level: Known bad

The file 87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6 was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd

Neconyd family

UPX dump on OEP (original entry point)

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 00:03

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 00:03

Reported

2024-05-20 00:05

Platform

win7-20240215-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2488 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2728 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1728 wrote to memory of 1580 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe

"C:\Users\Admin\AppData\Local\Temp\87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp

Files

memory/2488-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 994deb1e81d799d4d47c915803740300
SHA1 72dee79fe9a89e98f6ba141c17008c654fa12321
SHA256 c395622a595e063f3696dcd54738364062064264ab16b6eaa1261499f9b54b7f
SHA512 c605f6d76697620371f9c15a4f91c3ef0ee34446ef9339d20600693877b67cce6bc8f297046ff6dae5a93a7e73e0d2303090e9a5a97d8769b6704f79af602b66

memory/2488-4-0x0000000000220000-0x000000000024D000-memory.dmp

memory/2488-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2728-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2728-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2728-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2728-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2728-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 511bef9fd51d7dc999d07bb064e80462
SHA1 e5f690f24a6b9271d2d418b8be8e4376bd2f977d
SHA256 78cddb52f8b4e5f000d31526f6c5ce5fae47a9ba6a5d5cf11f5c4bd917448d5a
SHA512 4d2e0e5053dd4ef51b1aa48531394b940d8be5c4966e9ff5284a6e459fbaf089866e689e6ffc3d56b7f8f33066ddc04219afee22b2261b9581c43692e04edaa8

memory/2728-27-0x0000000000310000-0x000000000033D000-memory.dmp

memory/2728-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1728-35-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 35bf30b23ed496266a5553f8e3544cff
SHA1 1a02bc60a5f3ecec9bf16a9b73395c7166cad6e2
SHA256 717073bca80a355538098594d999a59d97d128396785b180bef0ae0fc83c0850
SHA512 0b96dd8e5be31a10625b54886bbc8d70e13233e3d30133daa80d023c48a1e8e8c4335b586eddda90dfd627e48091fdf81a769d304814fdc2af9f03dc9797c6a4

memory/1728-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1580-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1580-49-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1580-52-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 00:03

Reported

2024-05-20 00:05

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe

"C:\Users\Admin\AppData\Local\Temp\87048dfc4ab1870d98fead72302d0b86e15449a01541fb974dfc934bb0b614c6.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 170.253.116.51.in-addr.arpa udp

Files

memory/4316-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 994deb1e81d799d4d47c915803740300
SHA1 72dee79fe9a89e98f6ba141c17008c654fa12321
SHA256 c395622a595e063f3696dcd54738364062064264ab16b6eaa1261499f9b54b7f
SHA512 c605f6d76697620371f9c15a4f91c3ef0ee34446ef9339d20600693877b67cce6bc8f297046ff6dae5a93a7e73e0d2303090e9a5a97d8769b6704f79af602b66

memory/3808-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4316-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3808-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3808-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3808-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3808-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 7802f461b13e4a9a64fe759119a849f9
SHA1 053b0ece5e949c4ddd957d760d1ab89976c48374
SHA256 435f19707305aa62060fed394359dfcbabd70e8b356b1da79b9f73cf6c72f263
SHA512 c12b75aae6949f706824fc0ad0304f2fb16e7cfffc4a67d1cc717015f7c2f4839af82151731f5d682aaef3c364467b4b335701cf948032f4ad525a64c46771a1

memory/3808-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4384-22-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 831d9ca29159832cab9f6dd76d8d9311
SHA1 b186685faeab497d207a8d1f5184792983567931
SHA256 6a6156c9bf9cf6a332433afa88227f177ad59befb66d42e7a555c35f9e3f7f21
SHA512 ccc92c33d1ab5883ee80bece5c4404fc641461f2d1ad11c69379da1f3051dfcfc6127e166cccc252652e9b3e5cf9cf79943dfa69c7efa088baa6f515839af939

memory/4384-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1724-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1724-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1724-33-0x0000000000400000-0x000000000042D000-memory.dmp