Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-e7mdbshc96
Target d50fd51541134472aa199a217ba76db89a750e9c8414270e18a7b7c0900de327
SHA256 d50fd51541134472aa199a217ba76db89a750e9c8414270e18a7b7c0900de327
Tags
upx neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d50fd51541134472aa199a217ba76db89a750e9c8414270e18a7b7c0900de327

Threat Level: Known bad

The file d50fd51541134472aa199a217ba76db89a750e9c8414270e18a7b7c0900de327 was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd

Neconyd family

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 04:35

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 04:34

Reported

2024-05-21 04:37

Platform

win7-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d50fd51541134472aa199a217ba76db89a750e9c8414270e18a7b7c0900de327.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\d50fd51541134472aa199a217ba76db89a750e9c8414270e18a7b7c0900de327.exe C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical rows)
PID 1248 wrote to memory of 704 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe (4 identical rows)
PID 704 wrote to memory of 864 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\d50fd51541134472aa199a217ba76db89a750e9c8414270e18a7b7c0900de327.exe

"C:\Users\Admin\AppData\Local\Temp\d50fd51541134472aa199a217ba76db89a750e9c8414270e18a7b7c0900de327.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp (4 identical rows)
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp (2 identical rows)
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp

Files

memory/2084-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2084-8-0x0000000000220000-0x000000000024D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6e6a43ae0a9c77a57f10e1c4942f9df6
SHA1 ce37e3431a7596d94434b03887e69de71f9f220c
SHA256 cd201a070d309289bd98ec8b7da79add7833051ab8e313fe4050519b24f9d904
SHA512 5fb2f6fec80c67d85e1502af5403fcce88499e2cd6f9f78821370e9f415298a3e36215e611876834efb1b3e4df89c2f4515cae47cf981416e25a033c6660bbed

memory/1248-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2084-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1248-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1248-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1248-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1248-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 d3682654a35cae9396585c8e7993532f
SHA1 0b37d8c991fbf475266fa22938fd577e24dd8dc4
SHA256 715f2bcc66a1f6706967b08d7d031c270812baf37248e9862d2f5b30662a7169
SHA512 d7a093e153fedb9b12c40c64bc2c1700c7cd6e63e41ae2d5566ec9240355c207d7b8fb2e2a08a6ada4ea6205c442e7157196c70b0a2d4b8bdfc98bdbe7e9ddbe

memory/1248-26-0x0000000000430000-0x000000000045D000-memory.dmp

memory/704-37-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1248-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/864-46-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1a487f2c843fb55ad44e5a17171eca1b
SHA1 bc494fde7f7f3d1a3d370c697623978c861eded7
SHA256 1c623c338df686296f98a836fdaefd15834eeb58bd5f571b341dfbf05a822912
SHA512 1bd8060b87d1be0fc75019a85442cc4ca76ec74c247cd4f58a47579b7125d45438936d62a64a50b20e44b33409d9c1e55ddcdb5411a6cdc39738b2e98da3d9ff

memory/864-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/864-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 04:34

Reported

2024-05-21 04:37

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d50fd51541134472aa199a217ba76db89a750e9c8414270e18a7b7c0900de327.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d50fd51541134472aa199a217ba76db89a750e9c8414270e18a7b7c0900de327.exe

"C:\Users\Admin\AppData\Local\Temp\d50fd51541134472aa199a217ba76db89a750e9c8414270e18a7b7c0900de327.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp (4 identical rows)
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp (2 identical rows)
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp (2 identical rows)
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
US 52.111.229.48:443 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (4 identical rows)
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 N/A udp

Files

memory/4856-1-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6e6a43ae0a9c77a57f10e1c4942f9df6
SHA1 ce37e3431a7596d94434b03887e69de71f9f220c
SHA256 cd201a070d309289bd98ec8b7da79add7833051ab8e313fe4050519b24f9d904
SHA512 5fb2f6fec80c67d85e1502af5403fcce88499e2cd6f9f78821370e9f415298a3e36215e611876834efb1b3e4df89c2f4515cae47cf981416e25a033c6660bbed

memory/4856-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3244-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3244-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3244-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3244-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3244-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 bb8aeb0cdc12491683da26e493ec9396
SHA1 c2a687b9ce57a737e57b4c063e8c04d703cbcae5
SHA256 c73ea7704ef32c88ae1b28cf837e9c2d2cb780fb718006182dc94b651b4598d7
SHA512 78877feb0379523c6e190e44f7a0ad067fb5968d86b8806d31c6c6dacfa107b54325e83de8df7b18c0d327b03f427125c2d17b476d4f8a5f98edf7183b0747b1

memory/2356-23-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3244-20-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e2a0a2078514cb04627374cc49be4e74
SHA1 bc7451caa9bc4d11c44dfeb6a7e7a33e487aed89
SHA256 2ae74257af98623e467a7b7610683f081d333438cdea39a62c874cbdba6df56d
SHA512 c27e393d9b01c8b16952edeef274623f0c0fb932ae0fb9fd25e0bad88153b9388b71ef1d38ae0355ba02b15a2e103ca10c0f40d015402d10a3e9f4455f286efc

memory/2088-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2088-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2088-32-0x0000000000400000-0x000000000042D000-memory.dmp