Malware Analysis Report

2024-11-16 13:01

Sample ID 240520-zvcnksgh4z
Target 35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3
SHA256 35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3
Tags upx neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3

Threat Level: Known bad

The file 35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3 was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

UPX dump on OEP (original entry point)

Neconyd

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 21:01

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 21:01

Reported

2024-05-20 21:04

Platform

win7-20231129-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2220 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2220 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2220 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2392 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2392 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2392 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2392 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2540 wrote to memory of 2816 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2540 wrote to memory of 2816 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2540 wrote to memory of 2816 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2540 wrote to memory of 2816 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3.exe

"C:\Users\Admin\AppData\Local\Temp\35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2220-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 9996dbda95cc2519b13473f464cf6053
SHA1 fb2fbefa30bd45b5198ac728f41104fe0fe76eb8
SHA256 277a245bd3e817c17812059ab5976595cb36a251e5397f62bdc9f74ad06ec340
SHA512 2fe1fbc0166f78b49668a82edc46e1614d71eea0b528fe760e76ee4714ef366c1b28b6f4343e69af87900b587b5d102fb8a26fa6db5288277306da2ed0aa85c6

memory/2220-4-0x0000000000220000-0x000000000024D000-memory.dmp

memory/2220-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2392-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2392-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2392-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2392-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2392-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 19a8a606c019c78835237ff136ee02c0
SHA1 43cc92ac5de68cdd646025160d72c08d9ff0030b
SHA256 78ea56590b33fad33cb98838edfd18727022e1e4c53ebad8faf8f9a2e4fe5594
SHA512 bc7fa81f6d6739d4fc392f969d96304dc1e1eddad0c8be769ef31f2ac5c7f4abae962ef924f28911350aba897a5a1d3bfd3c98422c22782f06d72f1e792599d7

memory/2392-27-0x0000000000290000-0x00000000002BD000-memory.dmp

memory/2392-33-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 73b5ffd20c43aea89dd6449a9dd8b9eb
SHA1 e0fe432d967754662196381ed7fc0b74dc647b87
SHA256 9000ee52dd7f938d3b5b127ba8bc392a85fddfce5058e04aa5292cfde618c29a
SHA512 1d4e76c717c836bff66b52604216eb2a04053f610b03838461a28df2e51b19ba39585895203de240f8db122958c9c55615f462443e1b8023c353085588390e5e

memory/2540-38-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2816-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2816-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2816-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 21:01

Reported

2024-05-20 21:04

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3.exe

"C:\Users\Admin\AppData\Local\Temp\35e853913f8cd670cfb4914e57b63c7f5c7c334e8349a8754af67dba403c3ec3.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:80 www.microsoft.com tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 9996dbda95cc2519b13473f464cf6053
SHA1 fb2fbefa30bd45b5198ac728f41104fe0fe76eb8
SHA256 277a245bd3e817c17812059ab5976595cb36a251e5397f62bdc9f74ad06ec340
SHA512 2fe1fbc0166f78b49668a82edc46e1614d71eea0b528fe760e76ee4714ef366c1b28b6f4343e69af87900b587b5d102fb8a26fa6db5288277306da2ed0aa85c6

memory/3256-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2868-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3256-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3256-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3256-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3256-14-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 0d0c60f1d4ef21e9b4ee668bd8110abd
SHA1 9f507fb0cb7e13f7913f82700c426b886213fbb7
SHA256 9b408eb6cae6692e1ca10046003892fcce63ae8b3ccce9dfd910a0eb4d21f724
SHA512 8e71db0699539803fa61b8d64af565cc9d3ec4568529244a36b48cd846a9833b784afe3c40f2d7ac6d0a64b8b557ae33e42d7768a0e48ee51d53697ab87ad919

memory/3256-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4496-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4496-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4496-24-0x0000000000400000-0x000000000042D000-memory.dmp