Malware Analysis Report

2024-11-16 12:59

Sample ID 240522-mpv7hsca76
Target f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0
SHA256 f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0
Tags
neconyd trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd

Neconyd family

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 10:38

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description / Indicator / Process / Target: none recorded (all N/A)

UPX packed file

upx
Description / Indicator / Process / Target: none recorded (all N/A)

Unsigned PE

Description / Indicator / Process / Target: none recorded (all N/A)

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 10:38

Reported

2024-05-22 10:41

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description / Indicator / Process / Target: none recorded (all N/A)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description / Indicator / Process / Target: none recorded (all N/A)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe

"C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/624-1-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e241a9db239fac57bd19e627fe58c651
SHA1 b37d9cb4100b1f70d213e08065d349c1a5b6583a
SHA256 880a5187c51c24a662cc753c13099fd6fd41a86f8882557e1f9fafaac3cfcecc
SHA512 3efc12c206aa91ae580cd666c6b2c7e92812d182d6a4c61c1cd4dd5fa1d39416102d65c359c85048dccc11348dc3a4b80767169538ce2f67742f6667f9dad00a

memory/228-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/228-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/228-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/228-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/228-14-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 412a62272d5c2dc50dc7befd3a46202d
SHA1 e6a8d71f73645216b79073ff4a0d908884a6351b
SHA256 d0af502571609d6dab490cfb88a8d0fe6f551c2258039381588a745c9c1415be
SHA512 369a6f5a2e89d3d55a3a6c7210e6cde5c8e4182a2da8f5be0334d1d95f683395a7279a92caa2c561d7a732afffbb8f402dd91108486bc2234bcb8fed18ed665c

memory/228-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4404-21-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 584670527f5f91f0f933e002463f8b3e
SHA1 f171953b5b7a0b4ecb0aaecb3f1e6030043878df
SHA256 fd8693a1c357dede8e553e7cd5d053fa6237f7e920d61a767738c3641f29d585
SHA512 82551c66ee00957aa7f72e3240f8816d76cf204fcf1afb3f4926ba665ae2f6c9fb6fd949b1e283da8d002c8696b321d89414465565331f87ae7db11c2cde9696

memory/4404-26-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3028-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3028-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3028-32-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 10:38

Reported

2024-05-22 10:41

Platform

win7-20240221-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description / Indicator / Process / Target: none recorded (all N/A)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description / Indicator / Process / Target: none recorded (all N/A)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe

"C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1308-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e241a9db239fac57bd19e627fe58c651
SHA1 b37d9cb4100b1f70d213e08065d349c1a5b6583a
SHA256 880a5187c51c24a662cc753c13099fd6fd41a86f8882557e1f9fafaac3cfcecc
SHA512 3efc12c206aa91ae580cd666c6b2c7e92812d182d6a4c61c1cd4dd5fa1d39416102d65c359c85048dccc11348dc3a4b80767169538ce2f67742f6667f9dad00a

memory/2744-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1308-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2744-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2744-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2744-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2744-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 d2b3b30c5a082a4ba32a4685fef2ba8c
SHA1 33a853bb1149348637f366e8d99f8b81cd32ef02
SHA256 d637871bc0594b2a8515d213fe629c9745750dcb34d06e66682bf95c499c1267
SHA512 4d4ef9269727b2e43c45f599a4652bf6b298f35c3b9edb430daeaba5b3f75320fe5aa302f3bdd19de7ff064c5adce9b96cff99d7ad2a32def48919ab6b124002

memory/2744-25-0x0000000000390000-0x00000000003BD000-memory.dmp

memory/2744-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1628-35-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1628-36-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1628-39-0x0000000000400000-0x000000000042D000-memory.dmp