Malware Analysis Report

2024-11-16 13:01

Sample ID 240521-y34llahb65
Target 2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f
SHA256 2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f
Tags
upx neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f

Threat Level: Known bad

The file 2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd

Neconyd family

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 20:19

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

1 match; no description, indicator, process or target recorded.

UPX packed file

upx
1 match; no description, indicator, process or target recorded.

Unsigned PE

2 matches; no description, indicator, process or target recorded.

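The three static signatures above (UPX packed file, UPX dump on OEP, Unsigned PE) can be reproduced as a first-pass check before detonation. The script below is an added example and is not part of the report or of the sandbox's signature engine: it parses the PE headers with the Python standard library only, flags the UPX0/UPX1 section names UPX leaves behind, and reads the Authenticode (security) data directory to decide whether the file carries an embedded signature. The `build_sample_pe` helper constructs a header-only PE32 image for the demonstration; the analysed binary is not included. The section-name heuristic is deliberately weak, since packers are routinely renamed, and dumping at OEP requires running the unpacker stub, which is outside a static check.

```python
"""
Static triage for the signatures listed in the report: parse the PE headers with
the standard library, flag UPX section names, and test for an embedded
Authenticode signature via the security data directory. Constructed sample
input, not the analysed binary.
"""
import hashlib
import struct

# Section names UPX leaves behind. Trivially renamed by a repacker, so treat a
# miss as "not obviously UPX", not as "unpacked".
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table


def parse_pe(data: bytes) -> dict:
    """Return section names and the security directory (rva, size) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:        # PE32: data directories start at optional header + 96
        dd_off = opt_off + 96
    elif magic == 0x20B:      # PE32+: data directories start at optional header + 112
        dd_off = opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec_rva, sec_size = struct.unpack_from(
        "<II", data, dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    sect_off = opt_off + opt_size     # section table follows the optional header
    names = []
    for i in range(nsections):        # IMAGE_SECTION_HEADER is 40 bytes, name first
        raw = struct.unpack_from("<8s", data, sect_off + i * 40)[0]
        names.append(raw.rstrip(b"\0"))
    return {"machine": machine, "sections": names,
            "security_dir": (sec_rva, sec_size)}


def triage(data: bytes) -> dict:
    """The static checks the report applies, plus the SHA-256 it keys on."""
    pe = parse_pe(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": [n.decode("latin-1") for n in pe["sections"]],
        "upx_packed": any(n in UPX_SECTION_NAMES for n in pe["sections"]),
        # Size 0 in the security directory means no embedded Authenticode blob.
        # (Catalog-signed OS files would also read as unsigned here.)
        "signed": pe["security_dir"][1] != 0,
    }


def build_sample_pe(section_names, signed: bool) -> bytes:
    """Constructed header-only PE32 image for testing; not the analysed sample."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8            # PE32 optional header with 16 data directories
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                              opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (96 - 2)
    for i in range(16):
        if i == IMAGE_DIRECTORY_ENTRY_SECURITY and signed:
            optional += struct.pack("<II", 0x1000, 0x800)   # pretend cert table
        else:
            optional += struct.pack("<II", 0, 0)
    sections = b"".join(struct.pack("<8s", n) + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + file_header + optional + sections


if __name__ == "__main__":
    for names, signed in (([b"UPX0", b"UPX1", b".rsrc"], False),
                          ([b".text", b".rdata", b".data"], True)):
        print(triage(build_sample_pe(names, signed)))
```

Run it against a real file with `triage(open(path, "rb").read())`; a UPX-packed, unsigned input reports `upx_packed: True, signed: False`, which is what the static1 signatures say about this sample.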
Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 20:19

Reported

2024-05-21 20:22

Platform

win7-20240221-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

15 matches; no description, indicator, process or target recorded.

Executes dropped EXE

Process
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

UPX packed file

upx
15 matches; no description, indicator, process or target recorded.

Drops file in System32 directory

Description Indicator Process
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Suspicious use of WriteProcessMemory

Description Process Target
PID 2248 wrote to memory of 2228 (4 writes) C:\Users\Admin\AppData\Local\Temp\2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2228 wrote to memory of 2920 (4 writes) C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2920 wrote to memory of 1508 (4 writes) C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Each process in the chain writes into the process it spawns next (2248 -> 2228 -> 2920 -> 1508); the indicator column was empty for every row.

Processes

PID 2248  Image C:\Users\Admin\AppData\Local\Temp\2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f.exe
          Command line "C:\Users\Admin\AppData\Local\Temp\2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f.exe"

PID 2228  Image C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

PID 2920  Image C:\Windows\SysWOW64\omsecor.exe
          Command line C:\Windows\System32\omsecor.exe

PID 1508  Image C:\Users\Admin\AppData\Roaming\omsecor.exe
          Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

PIDs are taken from the WriteProcessMemory rows above, which also give the launch order (2248 -> 2228 -> 2920 -> 1508). The third process is launched with the command line C:\Windows\System32\omsecor.exe but runs from SysWOW64: these are 32-bit processes (image mapped at 0x400000), and WOW64 file system redirection maps System32 to SysWOW64 for them, so the file dropped, loaded and executed is C:\Windows\SysWOW64\omsecor.exe. Detection logic keyed on the path should accept both spellings.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2248-1-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 eb24d77c7764a283d1cd6357c6a4ac28
SHA1 cc646f8477008588faa49d5cad2049e2aab833fc
SHA256 d5b51fbc476a3b87ea3a52de9e9b0d6739687b71a8085aa5c15daf5389041b36
SHA512 e4dfc50aabed57a16ef6fa0f684984e6a710790956676aac93dfd29980a288524902518cc15fffff3c89a9f97e6f594759834b90a37cc50a24cffe955017d6d5

memory/2228-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2228-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2228-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2228-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2228-21-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 f81402201ab9e2de14911ae085c6ec52
SHA1 b7ee3bbf7debfb3a4d5596a2955dcf7d4668eec2
SHA256 a0f19df346a0db9f011a04fc9c3102f6196fe0c90e5c384165136bd905bd72e4
SHA512 3f97f953020dec49579431a2d57eb8e61afe9d76ab6e5ab39edb074b914a34348f6b31453242379c53701b9c0add340b86c0e760aba836efcff9da6687710895

memory/2228-24-0x0000000000330000-0x000000000035D000-memory.dmp

memory/2228-31-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c94e5e85e3df45c59cd1114dd8dc4a60
SHA1 c78b4ad4600eeb9ac819aabb040ec9ad2bf2762e
SHA256 64ed5a84f8689fce250677f4189386901bc8dbf7a23c22bca43ee701f44566f1
SHA512 02f38ad758de9ce186df9d77f2d3ae1f7c69d8c7f610f9c006ab7aa6e7fb9b52721c5a912b4370798761f8f81cfaa33681faf80fd9bbf25d688c9c5a370ba485

memory/1508-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2920-42-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1508-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1508-49-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 20:19

Reported

2024-05-21 20:22

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

16 matches; no description, indicator, process or target recorded.

Executes dropped EXE

Process
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

UPX packed file

upx
16 matches; no description, indicator, process or target recorded.

Drops file in System32 directory

Description Indicator Process
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image C:\Users\Admin\AppData\Local\Temp\2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f.exe
Command line "C:\Users\Admin\AppData\Local\Temp\2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f.exe"

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Image C:\Windows\SysWOW64\omsecor.exe
Command line C:\Windows\System32\omsecor.exe

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Same four-process chain as behavioral1 (sample -> Roaming omsecor.exe -> SysWOW64 omsecor.exe -> Roaming omsecor.exe); no WriteProcessMemory rows were recorded on this platform, so PIDs are not attributed here.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 udp

The g.bing.com, www.bing.com and tse1.mm.bing.net connections and the in-addr.arpa reverse lookups are consistent with background traffic from the win10v2004 image rather than sample activity; behavioral1 on Windows 7 produced none of them. The destinations attributable to the sample are the same in both runs: lousta.net (193.166.255.171:80), mkkuei4kdsz.com (64.225.91.73:80) and ow5dirasuek.com (35.91.124.102:80), all over plain HTTP.

Files

memory/2400-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 eb24d77c7764a283d1cd6357c6a4ac28
SHA1 cc646f8477008588faa49d5cad2049e2aab833fc
SHA256 d5b51fbc476a3b87ea3a52de9e9b0d6739687b71a8085aa5c15daf5389041b36
SHA512 e4dfc50aabed57a16ef6fa0f684984e6a710790956676aac93dfd29980a288524902518cc15fffff3c89a9f97e6f594759834b90a37cc50a24cffe955017d6d5

memory/2400-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4696-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4696-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4696-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4696-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4696-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 9ff8d071961667e76018bf817774d6f6
SHA1 3cf353f52d213cb1129cbc8f4ebf48ac79f9a88c
SHA256 c251a54fba0bb4e86ea72b25eef542895b636032d03f2cffacaa9e296bdc4b01
SHA512 79cda95b692a7aca6de92ad4fa07eb04b6df970515c3dbfe8e6b561ab8005cb5257997415f5858d2a16a5922c5d38d6aee9467b80edcf7231bffc079a8d4d4f9

memory/4696-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1468-22-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3dff0bb20b2be094e7c638e6d230597b
SHA1 4c6a012b947471a7c9075b6d57e699e1274e1e8a
SHA256 def54fc9fab41f3fff67c7d61ac181eda69420bbacb19dd9d3e641ef0bc86b62
SHA512 23236104d534ffce5b4df535d701fb996aa2aa3b662b7d56e1fc3ff39dd4e32b6deed37471df1538cf50126ce09bcb5318350a3178569d3e53a2e1a3cd2bf64f

Second write to the same path. The first drop of omsecor.exe has identical hashes in both runs (SHA256 d5b51fbc476a3b87ea3a52de9e9b0d6739687b71a8085aa5c15daf5389041b36), but the SysWOW64 copy and this second Roaming copy differ between the two runs and from each other, so the relaunched copies are not byte-identical to the original drop. Match this family on the drop paths, the process chain and the network indicators rather than on hashes of omsecor.exe alone.

memory/1468-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3688-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3688-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3688-33-0x0000000000400000-0x000000000042D000-memory.dmp
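A detection written against the process, file and network indicators in behavioral1 and behavioral2, as an added example rather than anything from the report or the sandbox. The event records are constructed to mirror behavioral1's PIDs and the Windows 10 background DNS noise seen in behavioral2; `Event`, `analyze`, `is_background_noise` and the indicator sets are this example's own names. The rule that fires on omsecor.exe launching another omsecor.exe is the relay the WriteProcessMemory rows describe, and the path list accepts both the System32 and the SysWOW64 spelling of the dropped file.

```python
"""
Behavioural detection for the omsecor.exe chain in behavioral1 and behavioral2,
run over constructed endpoint events (process, file, DNS, connect) modelled on
the report. Standard library only; the events are made up for the example.
"""
from dataclasses import dataclass

# Sample-attributable network indicators, identical in both detonations.
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "35.91.124.102"}

# Drop/execution locations. System32 is listed because a 32-bit process that
# writes or launches C:\Windows\System32\omsecor.exe is redirected by WOW64 to
# SysWOW64, which is why the report shows both spellings for the same file.
OMSECOR_PATHS = (r"\appdata\roaming\omsecor.exe",
                 r"\syswow64\omsecor.exe",
                 r"\system32\omsecor.exe")


@dataclass
class Event:
    kind: str            # "process", "file", "dns" or "connect"
    pid: int = 0
    ppid: int = 0
    image: str = ""      # process image, or the creating process for "file"
    parent_image: str = ""
    path: str = ""       # created file, for "file"
    domain: str = ""     # queried name, for "dns"
    dst_ip: str = ""     # peer address, for "connect"


def is_omsecor_path(p: str) -> bool:
    return p.lower().endswith(OMSECOR_PATHS)


def is_background_noise(domain: str) -> bool:
    """Reverse lookups and Bing traffic come with the Windows 10 sandbox image."""
    d = domain.lower().rstrip(".")
    return d.endswith(".in-addr.arpa") or d.endswith("bing.com") or d.endswith("bing.net")


def analyze(events) -> dict:
    """Return the alerts raised, the DNS names ignored as noise, and a verdict."""
    alerts, ignored = [], []
    for ev in events:
        if ev.kind == "file" and is_omsecor_path(ev.path):
            alerts.append(("dropped_omsecor", f"{ev.image} -> {ev.path}"))
        elif ev.kind == "process" and is_omsecor_path(ev.image):
            alerts.append(("executed_dropped_exe", f"pid {ev.pid}: {ev.image}"))
            # omsecor.exe launching another omsecor.exe is the relay that the
            # WriteProcessMemory rows show (2228 -> 2920 -> 1508).
            if is_omsecor_path(ev.parent_image):
                alerts.append(("omsecor_relaunch_chain", f"{ev.ppid} -> {ev.pid}"))
        elif ev.kind == "dns":
            d = ev.domain.lower().rstrip(".")
            if d in C2_DOMAINS:
                alerts.append(("c2_dns", d))
            elif is_background_noise(d):
                ignored.append(d)
        elif ev.kind == "connect" and ev.dst_ip in C2_IPS:
            alerts.append(("c2_connect", ev.dst_ip))
    kinds = {name for name, _ in alerts}
    verdict = "malicious" if {"dropped_omsecor", "c2_dns"} <= kinds else "clean"
    return {"alerts": alerts, "ignored_dns": ignored, "verdict": verdict}


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2abf2815d63d9da05d81ec8ea4584e847007555ed096e43777461efce6a6ae5f.exe")
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed event stream mirroring behavioral1's PIDs plus two of the
# background DNS names from behavioral2. Not sandbox telemetry.
EVENTS = [
    Event("process", pid=2248, image=SAMPLE, parent_image=r"C:\Windows\explorer.exe"),
    Event("file", pid=2248, image=SAMPLE, path=ROAMING),
    Event("process", pid=2228, ppid=2248, image=ROAMING, parent_image=SAMPLE),
    Event("file", pid=2228, image=ROAMING, path=SYSWOW),
    Event("process", pid=2920, ppid=2228, image=SYSWOW, parent_image=ROAMING),
    Event("process", pid=1508, ppid=2920, image=ROAMING, parent_image=SYSWOW),
    Event("dns", domain="lousta.net"),
    Event("connect", dst_ip="193.166.255.171"),
    Event("dns", domain="g.bing.com"),
    Event("dns", domain="73.91.225.64.in-addr.arpa"),
    Event("dns", domain="mkkuei4kdsz.com"),
    Event("dns", domain="ow5dirasuek.com"),
]

if __name__ == "__main__":
    result = analyze(EVENTS)
    for name, detail in result["alerts"]:
        print(f"{name:24} {detail}")
    print("ignored:", result["ignored_dns"])
    print("verdict:", result["verdict"])
```

The verdict deliberately requires both a drop and a C2 lookup, so that a host which only resolves one of the domains (for example from a threat-hunting query) is not scored the same as a host running the chain; tune that to taste, but keep the Bing and reverse-lookup names out of the indicator set.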