Malware Analysis Report

2024-11-16 12:59

Sample ID 240522-w6gj5acb78
Target f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe
SHA256 f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0
Tags upx neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0

Threat Level: Known bad

The file f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-22 18:31

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-22 18:31

Reported 2024-05-22 18:34

Platform win7-20231129-en

Max time kernel 145s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1936 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1936 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1936 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2372 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2372 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2372 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2372 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1328 wrote to memory of 1664 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1328 wrote to memory of 1664 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1328 wrote to memory of 1664 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1328 wrote to memory of 1664 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe

"C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1936-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e241a9db239fac57bd19e627fe58c651
SHA1 b37d9cb4100b1f70d213e08065d349c1a5b6583a
SHA256 880a5187c51c24a662cc753c13099fd6fd41a86f8882557e1f9fafaac3cfcecc
SHA512 3efc12c206aa91ae580cd666c6b2c7e92812d182d6a4c61c1cd4dd5fa1d39416102d65c359c85048dccc11348dc3a4b80767169538ce2f67742f6667f9dad00a

memory/1936-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2372-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2372-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2372-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2372-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2372-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 8efddca9ba8cb8f868364dc15dd4c3bf
SHA1 38fd519142858b15bfd40750898016f2becfbb62
SHA256 7674a361a82c59486c88dfb90009c8e3a354324a7fff4c0201d763e43b75df79
SHA512 d2d33c11e490b8cab947d4ab8de3e7926fd1c4fe4493ff87332645daee30e9edc80e8f4c75692c428cbbb90bc06e44114ea9e21659a4681408868295ad9df612

memory/2372-25-0x0000000000430000-0x000000000045D000-memory.dmp

memory/1328-36-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2372-32-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c8d1a47857dbd711a4e64212f83e3763
SHA1 9250565f87ea1b5b646ba2121b86b43ac412b382
SHA256 4b61af95093f4fde311efac4ac35bc18d839cbb7a86fd0be84a0a613ca2daff0
SHA512 b04287a5bc8166751e41f8498b73e473e869a90d94fccc432842b56f5ce0f84c81e73c82c2ee7a34cefa480dc14de28b0c4f3dbe173942ff338d709fc70085ce

memory/1328-39-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1664-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1664-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-22 18:31

Reported 2024-05-22 18:34

Platform win10v2004-20240508-en

Max time kernel 145s

Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe

"C:\Users\Admin\AppData\Local\Temp\f9b9b06cc49c3e8f3c58b43ea2c12c9d6a5b7d1c8ef65ddb2af5339f959c7fc0.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/116-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e241a9db239fac57bd19e627fe58c651
SHA1 b37d9cb4100b1f70d213e08065d349c1a5b6583a
SHA256 880a5187c51c24a662cc753c13099fd6fd41a86f8882557e1f9fafaac3cfcecc
SHA512 3efc12c206aa91ae580cd666c6b2c7e92812d182d6a4c61c1cd4dd5fa1d39416102d65c359c85048dccc11348dc3a4b80767169538ce2f67742f6667f9dad00a

memory/116-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1556-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1556-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1556-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1556-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1556-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 a718cd0e647b33da76856cced1e3dd89
SHA1 cb881aed76fef87d2612d4b93d4974de62ed1e67
SHA256 264bf59d79079e1b3e0af67ff810ca488bd3c8ee57b376867a7c121a57c6f483
SHA512 652204f90432b42c0d794a5c7ac5228f543545dd0334f43322e3ab1493b12df2c657036e7090dd26431a747ecdc3598b0b0b01d325fd35af7c2356ba58cf00e5

memory/4252-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1556-20-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 88e1840c5f98244a0814b1e9dfb268f0
SHA1 df643a8e06d09a7b36ddebc04ac4676e5743a008
SHA256 7c72d7192bdff2b76d3dd8efb2d1c8173ecd0729b764f2e97801b5bc59c2d9e1
SHA512 579a8e2d8bb0a184e68305b8776478e7747bc33fcae07f3bea3c95c97834f66c3e54ce0c196a37e190304b8b13732b01fbe2350a5df4f192c1e59a87efbc6811

memory/4252-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2932-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2932-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2932-33-0x0000000000400000-0x000000000042D000-memory.dmp