Malware Analysis Report

2024-11-16 13:01

Sample ID: 240522-3km84sdc9s
Target: 58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe
SHA256: 58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2
Tags: upx neconyd trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2

Threat Level: Known bad

The file 58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 23:34

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 23:34

Reported

2024-05-22 23:37

Platform

win7-20240220-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 1800 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1800 wrote to memory of 2344 (4 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2344 wrote to memory of 2388 (4 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe"

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Process: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1740-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aa0e450021dfba3816c1a7ffd49778f1
SHA1 0f89d7867dda58b71d655e6742dcbceb624f2f97
SHA256 251b86da5a2b3f77c16022d2cb2db5ce2744a4878c5c5e5c672eb8cc13512112
SHA512 7909175c217c6f165953f2a0ddeddf680d37f040893f3a22db237a36bfb572784a81a599d66d9e9e6f448f8aaa8c6251a7f73aa142f2d6bf66b3826bd752cecb

memory/1740-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1800-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1800-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1800-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1800-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1800-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 977a898b28b95ff324e407822597bdf9
SHA1 127f3a09bce71cd6c23fa1637ed186a751f25f26
SHA256 dcdec63f18f0a984d847ef1b8932d8254cbd9abae4d8a0667a569249eaf8ff17
SHA512 77ac870977091ff76cde1c7e6774373ae96b3770d76d47c5e21581ebcbb946566c10414ce2c2e2a8982701ec5194dd1a0f69ed5a9180185020c2ace06cfb505e

memory/1800-25-0x0000000000290000-0x00000000002BD000-memory.dmp

memory/1800-32-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2344-36-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2344-39-0x00000000003C0000-0x00000000003ED000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1568b913a6c759401b3cba106ba05a93
SHA1 f5d325f5d30d673a158d3113ac47ec51b00271c6
SHA256 5d3b63fe847c6204a27a495e1cd96b8bd666423ac476c9c3be118e3a9942708f
SHA512 5d8758a895453034bb0a3df48c3e4e714114da22283241284f2b275ca3e721a3a78fc64925a939ab46728d9d33a622a2eb8818789828d041e418973fa8fba7cc

memory/2388-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2388-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2388-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 23:34

Reported

2024-05-22 23:37

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2.exe"

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Process: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/560-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aa0e450021dfba3816c1a7ffd49778f1
SHA1 0f89d7867dda58b71d655e6742dcbceb624f2f97
SHA256 251b86da5a2b3f77c16022d2cb2db5ce2744a4878c5c5e5c672eb8cc13512112
SHA512 7909175c217c6f165953f2a0ddeddf680d37f040893f3a22db237a36bfb572784a81a599d66d9e9e6f448f8aaa8c6251a7f73aa142f2d6bf66b3826bd752cecb

memory/560-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3196-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3196-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3196-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3196-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3196-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 5bab926e2386721cb1f24c8d3ff290e1
SHA1 30e9795f8628cbb9d7378251289112ff6b9b1361
SHA256 ef7d7721fbd2c9df351b4f30f414343a05aa0f025898203d4229a0634429def0
SHA512 8766f446bd03b899071cfa78ed510da21417b99d58947e3ca2a3067133d6558cdac1a4f3425a1d6fdf7bc80953ca3e834bbe86d66ed772e190a83be1af6c23ff

memory/4412-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3196-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4412-23-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4412-26-0x0000000000400000-0x000000000042D000-memory.dmp