Malware Analysis Report

2024-11-16 13:01

Sample ID 240521-w1yw8aea48
Target 0856883ab9d9231d48b22b6858e33650346ce2b3ede1568550c49edc80873003
SHA256 0856883ab9d9231d48b22b6858e33650346ce2b3ede1568550c49edc80873003
Tags
upx neconyd trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

0856883ab9d9231d48b22b6858e33650346ce2b3ede1568550c49edc80873003

Threat Level: Known bad

The file 0856883ab9d9231d48b22b6858e33650346ce2b3ede1568550c49edc80873003 was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd

Neconyd family

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 18:23

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

1 hit; the sandbox records no description, indicator, process or target for it.

UPX packed file

upx
1 hit; the sandbox records no description, indicator, process or target for it.

Unsigned PE

2 hits; the sandbox records no description, indicator, process or target for them.
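The static "UPX packed file" verdict above is a section-table check. The following added example (written for this page, not code from the sandbox or the report) reproduces that check with nothing but the standard library: it parses only the PE headers, looks for UPX's own section names, and falls back to the weaker layout heuristic (first section has virtual size but no bytes on disk) that survives a packer whose section names were renamed. The test input is a constructed header-only PE32, not the sample.

```python
import struct
import sys

# Section names the UPX packer writes into the section table: UPX0 is the
# region the stub fills at run time (no data on disk), UPX1 holds the packed
# payload and the decompression stub, UPX2 appears when resources are kept.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_sections(data: bytes) -> list:
    """Parse only the PE headers and return a list of
    (name, virtual_size, size_of_raw_data) tuples, one per section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_optional,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_optional         # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                  # each section header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, rawsize))
    return sections


def upx_indicator(data: bytes):
    """Return a short reason string if the file looks UPX-packed, else None.
    The name check is the strong signal; the layout check is the weaker
    heuristic that still fires when the section names were patched."""
    sections = pe_sections(data)
    if UPX_SECTION_NAMES & {name for name, _, _ in sections}:
        return "UPX section names"
    if sections:
        _, vsize, rawsize = sections[0]
        if vsize > 0 and rawsize == 0:
            return "first section has no raw data"
    return None


def build_header_only_pe(sections) -> bytes:
    """Constructed test input (not a real binary): a PE32 image made of
    headers only, enough for pe_sections() to parse."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    size_optional = 0xE0                                      # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0,
                       size_optional, 0x0102)                 # i386, EXECUTABLE|32BIT
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_optional - 2)
    table = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, 0x1000 * (i + 1),
                                           rawsize, 0, 0, 0, 0, 0, 0xE0000020)
        for i, (name, vsize, rawsize) in enumerate(sections))
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, upx_indicator(fh.read()))
```

A clean result from this check is not proof of an unpacked file: UPX output with renamed sections only trips the second heuristic, and other packers trip neither. That is why the dynamic "UPX dump on OEP" signature matters more than the static one: whatever the section table says, the unpacked image is what sits in memory when the stub jumps to the original entry point, and the 0x400000-0x42D000 dumps in the Files sections below are that image.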

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 18:23

Reported

2024-05-21 18:26

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0856883ab9d9231d48b22b6858e33650346ce2b3ede1568550c49edc80873003.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

14 hits; the sandbox records no description, indicator, process or target for them.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
14 hits; the sandbox records no description, indicator, process or target for them.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2132 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\0856883ab9d9231d48b22b6858e33650346ce2b3ede1568550c49edc80873003.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 2060 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 4
PID 2492 wrote to memory of 1932 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4

The twelve rows the sandbox emitted are three distinct parent/child pairs, each recorded four times. In order they give the execution chain 2132 (the submitted sample) -> 2060 (AppData\Roaming\omsecor.exe) -> 2492 (SysWOW64\omsecor.exe) -> 1932 (AppData\Roaming\omsecor.exe again). Each stage writes only into the process it spawns next, which fits process creation of the dropped copy rather than injection into an unrelated process; the memory dumps in the Files section cover the same four PIDs.
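Reconstructing that chain by hand is fine for twelve rows; for a report with hundreds it is not. The following added example (written for this page, not code from the sandbox) parses the WriteProcessMemory rows exactly as they appear above, collapses the repeats into per-edge counts, walks the tree from the PID nobody wrote into, and tags each image by where it lives. The rows are the report's own; the regex assumes paths without spaces, which holds here.

```python
import re
from collections import Counter

# The twelve "Suspicious use of WriteProcessMemory" rows from this report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\0856883ab9d9231d48b22b6858e33650"
          r"346ce2b3ede1568550c49edc80873003.exe")
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"
ROWS = (
    [f"PID 2132 wrote to memory of 2060 N/A {SAMPLE} {ROAMING}"] * 4
    + [f"PID 2060 wrote to memory of 2492 N/A {ROAMING} {SYSWOW64}"] * 4
    + [f"PID 2492 wrote to memory of 1932 N/A {SYSWOW64} {ROAMING}"] * 4
)

# "PID <writer> wrote to memory of <target> <indicator> <writer image> <target image>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_wpm_rows(rows):
    """Collapse repeated rows into (writer_pid, target_pid) -> count and
    remember the image path first seen for each PID."""
    edges = Counter()
    image = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
    return edges, image


def process_chain(edges, image):
    """Depth-first order from the roots (PIDs nobody wrote into).
    Returns [(pid, image_path, writes_received_from_parent), ...]."""
    parent = {dst: src for (src, dst) in edges}
    children = {}
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
    roots = [pid for pid in image if pid not in parent]
    chain = []
    stack = list(reversed(roots))
    while stack:
        pid = stack.pop()
        chain.append((pid, image[pid], edges.get((parent.get(pid), pid), 0)))
        stack.extend(reversed(children.get(pid, [])))
    return chain


def location_tag(path):
    """Coarse triage tag for where an executed image lives."""
    low = path.lower()
    if "\\appdata\\" in low:
        return "user-profile"
    if low.startswith("c:\\windows\\"):
        return "system-dir"
    return "other"


if __name__ == "__main__":
    edges, image = parse_wpm_rows(ROWS)
    for depth, (pid, img, writes) in enumerate(process_chain(edges, image)):
        print("  " * depth + f"{pid} [{location_tag(img)}] {img}  (writes from parent: {writes})")
```

The walk is a general tree walk, so a sample that injects into several children, or into a process it did not start, still comes out readable; a PID that receives writes from two parents keeps the last parent seen, which is worth flagging rather than hiding if it ever happens in your data.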

Processes

PID 2132
image: C:\Users\Admin\AppData\Local\Temp\0856883ab9d9231d48b22b6858e33650346ce2b3ede1568550c49edc80873003.exe
command line: "C:\Users\Admin\AppData\Local\Temp\0856883ab9d9231d48b22b6858e33650346ce2b3ede1568550c49edc80873003.exe"

PID 2060
image: C:\Users\Admin\AppData\Roaming\omsecor.exe
command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PID 2492
image: C:\Windows\SysWOW64\omsecor.exe
command line: C:\Windows\System32\omsecor.exe

PID 1932
image: C:\Users\Admin\AppData\Roaming\omsecor.exe
command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PIDs are taken from the WriteProcessMemory table above. The third process is started with a System32 command line but its image is in SysWOW64: the sample is a 32-bit PE running under WoW64, so file-system redirection turns its C:\Windows\System32 writes and executes into C:\Windows\SysWOW64. When hunting for omsecor.exe, check both directories.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

Three copies of omsecor.exe are written during this run and each has a different hash (MD5 50171cf6..., cb2890ba..., efd61ec8... below), although every process maps a region of the same size, 0x2D000 bytes at 0x400000. A file hash taken from one stage therefore does not match the next stage, and for the later stages does not match the next run either (compare behavioral2); hunt on the omsecor.exe path under AppData\Roaming and SysWOW64 and on the network indicators rather than on file hashes.

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 50171cf6ef9e0a075883e4d4d5230285
SHA1 c6beba15d7d829955d455644fa73fd6e78663fc4
SHA256 c3ff384a46a38601bd622ab7595a5c30616ec325def68dd38aa613ba34fca84e
SHA512 a1e30a103f1e828f49276fbf5939fe4db0aa571f5a0dc068954e9129207461b3090ca77481d3acb271e49ba8e8878b28b98a53a8c27634798b445f59ab73bb1f

memory/2132-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2060-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2060-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2060-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2060-21-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 cb2890ba640cbd7c83e97868694d8ea3
SHA1 e7e54c5040dc2b534e110c9a4878032e98be23b1
SHA256 d7dfa4d0901a3f8697a8eb624ac97055ec42d6d41d9d80daf6ec0a3ce18086bb
SHA512 073b5e92c16516e7b7fad2c51f12e84dabf7342003e834255a9a1ca5f08773a3462553e36a02e54cde226de53c9feb1458627e208c77d0a2e2bef159fce5660e

memory/2060-24-0x0000000000380000-0x00000000003AD000-memory.dmp

memory/2060-32-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 efd61ec81e9de541b6f9b47045b1b62a
SHA1 a048e2ef359604db741f3a3886fb1a9d8f8a61a0
SHA256 c1f3245bb14e17d5756341a0472bd275db9a0f876f0413d230734df8fc743cc7
SHA512 16ee337d488fda39078e54267181c1277ff0d94454ec02cc33f5cbdba7d6d119885924d19b84067029ccb8fcfd90eedf4ea97c38b58688f3effe6e1b4f84b814

memory/1932-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2492-42-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1932-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1932-49-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 18:23

Reported

2024-05-21 18:26

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0856883ab9d9231d48b22b6858e33650346ce2b3ede1568550c49edc80873003.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

16 hits; the sandbox records no description, indicator, process or target for them.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
16 hits; the sandbox records no description, indicator, process or target for them.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

image: C:\Users\Admin\AppData\Local\Temp\0856883ab9d9231d48b22b6858e33650346ce2b3ede1568550c49edc80873003.exe
command line: "C:\Users\Admin\AppData\Local\Temp\0856883ab9d9231d48b22b6858e33650346ce2b3ede1568550c49edc80873003.exe"

image: C:\Users\Admin\AppData\Roaming\omsecor.exe
command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

image: C:\Windows\SysWOW64\omsecor.exe
command line: C:\Windows\System32\omsecor.exe

image: C:\Users\Admin\AppData\Roaming\omsecor.exe
command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Same chain as in behavioral1: the System32 command line resolves to a SysWOW64 image because the 32-bit sample runs under WoW64 file-system redirection.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Reading this table: rows to 8.8.8.8:53 are queries to the sandbox's DNS resolver, not hosts the sample contacted. The *.in-addr.arpa rows are reverse lookups of connected IPs that Windows 10 performs itself; two of them (73.91.225.64.in-addr.arpa and 102.124.91.35.in-addr.arpa) are the sample's own 64.225.91.73 and 35.91.124.102, the rest are in Microsoft and CDN ranges. The tse1.mm.bing.net and www.bing.com connections over 443 are Windows 10 background traffic, absent from the win7 run, and should not be treated as sample indicators. The sample's own contacts, identical to behavioral1, are lousta.net (193.166.255.171:80), mkkuei4kdsz.com (64.225.91.73:80) and ow5dirasuek.com (35.91.124.102:80), all plain HTTP.
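Separating the sample's contacts from resolver, reverse-lookup and OS background rows is the same filtering every time, so it is worth scripting. The following added example (written for this page, not code from the sandbox) parses rows in the table format above, drops the resolver and reverse-lookup rows while keeping the reverse-looked-up IPs for cross-checking, drops an allowlist of OS background hosts, and emits one Suricata dns.query rule per remaining domain. The rows are a subset of the report's own table; the bing allowlist and the rule message text are assumptions for the example.

```python
import re
from collections import defaultdict

# A subset of the behavioral2 network table above, enough to cover every
# row type the filter handles.
ROWS = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.97:443 www.bing.com tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

# Sandbox resolver and OS background hosts to drop. The bing entries are an
# assumption: Windows 10 contacts them on its own and nothing in the report
# ties them to the sample. Extend this for your own sandbox image.
RESOLVERS = {"8.8.8.8:53"}
BENIGN = ("bing.com", "bing.net")

# "<country> <ip>:<port> <domain> <proto>"
ROW_RE = re.compile(r"^([A-Z]{2})\s+(\S+?):(\d+)\s+(\S+)\s+(tcp|udp)$")


def parse_rows(text):
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            yield cc, ip, int(port), domain, proto


def reverse_ptr_ip(name):
    """'73.91.225.64.in-addr.arpa' -> '64.225.91.73', anything else -> None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN)


def extract_iocs(rows):
    """Return (c2, ptr_ips): c2 maps domain -> sorted 'ip:port/proto' endpoints
    actually connected to; ptr_ips is the set of IPs that were reverse-looked
    up (by the OS, not necessarily the sample), kept for cross-checking."""
    c2 = defaultdict(set)
    ptr_ips = set()
    for _cc, ip, port, domain, proto in rows:
        ptr = reverse_ptr_ip(domain)
        if ptr:
            ptr_ips.add(ptr)
            continue
        if f"{ip}:{port}" in RESOLVERS:     # the DNS query itself, not a contact
            continue
        if is_benign(domain):
            continue
        c2[domain].add(f"{ip}:{port}/{proto}")
    return {d: sorted(v) for d, v in c2.items()}, ptr_ips


def suricata_dns_rules(c2, base_sid=9000001):
    """One dns.query rule per C2 domain (Suricata 5+ keyword syntax); the
    sid range and message text are assumptions for the example."""
    return [
        f'alert dns any any -> any any (msg:"Neconyd C2 lookup {domain}"; '
        f'dns.query; content:"{domain}"; nocase; sid:{base_sid + i}; rev:1;)'
        for i, domain in enumerate(sorted(c2))
    ]


if __name__ == "__main__":
    c2, ptr_ips = extract_iocs(parse_rows(ROWS))
    for domain, endpoints in c2.items():
        print(domain, endpoints, "reverse-looked-up" if any(
            e.split(":")[0] in ptr_ips for e in endpoints) else "")
    print("\n".join(suricata_dns_rules(c2)))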

Files

The first drop (MD5 50171cf6ef9e0a075883e4d4d5230285) is byte-identical to the first drop in behavioral1; the SysWOW64 copy and the second Roaming copy differ both from their behavioral1 counterparts and from each other, so only the first-stage hash is stable across runs.

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 50171cf6ef9e0a075883e4d4d5230285
SHA1 c6beba15d7d829955d455644fa73fd6e78663fc4
SHA256 c3ff384a46a38601bd622ab7595a5c30616ec325def68dd38aa613ba34fca84e
SHA512 a1e30a103f1e828f49276fbf5939fe4db0aa571f5a0dc068954e9129207461b3090ca77481d3acb271e49ba8e8878b28b98a53a8c27634798b445f59ab73bb1f

memory/5036-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2324-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5036-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2324-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2324-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2324-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2324-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 f0dc96017a7ec625ba98a6aea688d543
SHA1 589d36b95d205f8da10530c7a868e07f60a8a30e
SHA256 97bf4fefbae384b2e01da0b4d01683bd1a1bdcda89cea58acb58288943922577
SHA512 9b341a0af3a2e550e54138eb1e84c1bb7ffb0cf221bd329864323a02821429fad7cac4032a52e1b49611e5f043725990a22d20f237bfd99e32220982e9643b27

memory/2324-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1148-21-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d54487a91a8948c78a5bfdf7da0901fa
SHA1 9dca5cfce47b70274941faf45d892287047be5a9
SHA256 591fcdba9a6bd941ed3bab855accc8fac2f4c737019dd6c974d09aec7eef7caf
SHA512 d8c64c5d19dfb10576a9dab770a8367d0c172c8709f7e8134439bfadfe08e7712d17dccda7b5cc47c75db7326102c64c35f64c6f2b9ff7a4ed5a43f9956cb107

memory/2404-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1148-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2404-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2404-33-0x0000000000400000-0x000000000042D000-memory.dmp