Malware Analysis Report

2024-11-16 13:01

Sample ID 240523-c4qkgaba89
Target 7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe
SHA256 7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f
Tags
neconyd trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f

Threat Level: Known bad

The file 7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 02:38

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
(1 hit; no indicator details recorded)

Unsigned PE

Description Indicator Process Target
(2 hits; no indicator details recorded)
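The two static1 hits, "UPX packed file" and "Unsigned PE", are cheap to reproduce outside the sandbox. The following is an added example, not part of this report and not the sandbox's own code: a dependency-free walk of the PE headers that flags UPX section names, high-entropy sections and a missing Certificate Table, exercised against a constructed minimal PE32 because the sample itself is not included here. The 7.0 bits/byte entropy threshold and the UPX0/UPX1/UPX2 name list are assumptions typical of packer triage, not values taken from the report.

```python
"""Static triage for the two static1 signatures, 'UPX packed file' and 'Unsigned PE'.
Added example, not part of the sandbox report. It parses PE headers by hand (no
pefile dependency) and, because the sample itself is not available here, exercises
the checks against a constructed minimal PE32 built in memory."""
import math
import random
import struct

SECTION_HEADER_SIZE = 40
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Certificate Table (Authenticode) data directory


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed or encrypted data, roughly 5-6.5 for plain x86 code."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Return section names, raw-data entropy per section, and whether a
    Certificate Table is present. Raises ValueError on non-PE input."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    # Data directories start at offset 96 (PE32, magic 0x10B) or 112 (PE32+, 0x20B).
    dd_base = 96 if magic == 0x10B else 112
    _, cert_size = struct.unpack_from("<II", blob, opt + dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    first_section = opt + size_opt
    for i in range(n_sections):
        off = first_section + i * SECTION_HEADER_SIZE
        name = blob[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        raw = blob[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"sections": sections, "signed": cert_size > 0}


def triage(blob: bytes) -> dict:
    """UPX leaves UPX0/UPX1 section names in place unless the packer was modified, so
    the name check is the cheap first pass; the entropy check catches renamed sections.
    A missing Certificate Table is what the report's 'Unsigned PE' signature means."""
    info = parse_pe(blob)
    names = {s["name"] for s in info["sections"]}
    upx_names = bool(names & {"UPX0", "UPX1", "UPX2"})
    high_entropy = any(s["entropy"] > 7.0 for s in info["sections"] if s["raw_size"])
    return {"upx_section_names": upx_names,
            "high_entropy_section": high_entropy,
            "likely_packed": upx_names or high_entropy,
            "unsigned": not info["signed"]}


def build_fake_pe(section_names, payloads, signed=False) -> bytes:
    """Constructed minimal PE32 for testing: valid headers, no executable code.
    If signed=True, the Certificate Table points at an 8-byte placeholder."""
    n = len(section_names)
    opt_size = 224
    headers_end = 64 + 4 + 20 + opt_size + SECTION_HEADER_SIZE * n
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    raw = b"".join(payloads)
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_end + len(raw), 8)
    headers, ptr = b"", headers_end
    for i, (name, data) in enumerate(zip(section_names, payloads)):
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                               0x1000 * (i + 1), len(data), ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        ptr += len(data)
    return dos + b"PE\0\0" + coff + bytes(opt) + headers + raw + (b"\0" * 8 if signed else b"")


# Constructed inputs: a UPX-style layout (empty UPX0, high-entropy UPX1) and a
# plain, signed binary whose .text is repetitive code-like bytes.
_rng = random.Random(20240523)
PACKED = build_fake_pe(["UPX0", "UPX1", ".rsrc"],
                       [b"", bytes(_rng.getrandbits(8) for _ in range(4096)), b"\0" * 64])
CLEAN = build_fake_pe([".text", ".data"], [b"\x55\x8b\xec\x83\xec\x10" * 300, b"\0" * 256], signed=True)

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("clean", CLEAN)):
        print(label, triage(blob))
```

On a real UPX sample the name check fires immediately and `upx -d` restores the original image for static analysis; the entropy check is what remains when an attacker has renamed the sections.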

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 02:38

Reported

2024-05-23 02:40

Platform

win7-20240215-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
(15 hits; no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 2852 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2852 wrote to memory of 2148 (4 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2148 wrote to memory of 340 (4 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Each process writes only into the child it has just launched (2800 -> 2852 -> 2148 -> 340), and every process in the chain has the same 0x00400000-0x0042D000 image region dumped in the Files section below. That is consistent with a parent injecting its payload into a freshly created child rather than into an unrelated process.

Processes

Process: C:\Users\Admin\AppData\Local\Temp\7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe"

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Process: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is started with a System32 path but is listed with its image under SysWOW64: on 64-bit Windows, WoW64 file system redirection maps a 32-bit process's C:\Windows\System32 to C:\Windows\SysWOW64. The dropped copy therefore has to be hunted for under SysWOW64, and the "Drops file in System32 directory" hit above should be read the same way.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2800-1-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 747a912e7c5c5e0f9b2c37c549a81700
SHA1 d73df6317c5429eb1ee1d7fe9070d65c805b3c20
SHA256 f6c288c3d50782bac08ce5334fce9ac97ca9a412975d338b0bbd9c48edc12b03
SHA512 d931a7015ca377228238a33d39c4cf8f9d21271839f82c030fdcf72347b4c4943164905732562b30aa065d4f480789617bcf5e1f305576146b040fdf5fce4fd7

memory/2800-10-0x0000000000430000-0x000000000045D000-memory.dmp

memory/2800-8-0x0000000000430000-0x000000000045D000-memory.dmp

memory/2852-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2852-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2852-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2852-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2852-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 bab740e1901a5aa6103de7cbd64d830c
SHA1 3062f25a018281d57ee757efc5f429e341473ff3
SHA256 7d4937048964fc208368a835622583820b5ac51b7fffd40d1d4531594731e94a
SHA512 db42c0621336cf00a738c1e11036e7c43ee06b3afa56da05798aa70cffb06a539d0e592a7bb979e5370885cefb933f2c4797aad9baeaaf295d55a08f8b989afd

memory/2852-27-0x00000000002B0000-0x00000000002DD000-memory.dmp

memory/2852-34-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2148-37-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 11c39311fc57dd3b1dd6e0ffa492214c
SHA1 74ffeb3efb2700919ee381e0d917437b8fe3ae39
SHA256 8674cc48b0bc117b572c35e6e158d7c152b1a0e7defcb640d90a9fedd814a398
SHA512 32dd983867cf13072800d609f6fbb09082515e919738662758a887cedb63da9653ffe97870c2343b5fe8151a8ea779b6144d71c15e7d33a789ac45d4fe7bb1fa

memory/340-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/340-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/340-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 02:38

Reported

2024-05-23 02:40

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
(16 hits; no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe"

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Process: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
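Both detonations (Win7 above under behavioral1, Win10 here) show the same chain: the dropper in %TEMP% writes omsecor.exe to %AppData%\Roaming, that copy writes omsecor.exe to C:\Windows\SysWOW64, the SysWOW64 copy writes back to Roaming, and each parent writes into the child it has just spawned. As an added example, not from the report and not the sandbox's own detection code, here is detection logic for the three behavioural hits (drop into a system directory, execute a dropped EXE, write into a just-created child) plus the tell-tale of one executable name running from both a user-writable path and a system directory, run over a constructed Sysmon-style trace that mirrors the Win7 PIDs and paths. The event shape, the benign svchost/msiexec noise, and the two Roaming FileCreate events (inferred from the three distinct omsecor.exe hashes in the Files sections) are assumptions.

```python
"""Detection logic for the process/file chain the report shows in both runs:
dropper in %TEMP% -> omsecor.exe in %AppData%\\Roaming -> omsecor.exe in
C:\\Windows\\SysWOW64 -> omsecor.exe in Roaming again, each parent writing into the
child it just created. Added example, not part of the report. The trace is
constructed in a Sysmon-like shape (1 ProcessCreate, 11 FileCreate, 10 ProcessAccess
with a PROCESS_VM_WRITE grant standing in for the sandbox's WriteProcessMemory hits)."""
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\7987ef4c639a7a865312889bfd976edb86e8c642da3b4d7cbe2d6240e72e577f.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROCESS_VM_WRITE = 0x0020

# Constructed trace; PIDs and paths mirror the report's Win7 run (behavioral1).
# The two Roaming FileCreate events are inferred from the report's Files section
# (three distinct omsecor.exe hashes); the report itself prints only the SysWOW64 one.
EVENTS = [
    {"id": 1, "pid": 900, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe"},
    {"id": 11, "pid": 2800, "image": DROPPER, "target": ROAMING},
    {"id": 1, "pid": 2852, "ppid": 2800, "image": ROAMING},
    {"id": 10, "src": 2800, "dst": 2852, "access": 0x1FFFFF},
    {"id": 11, "pid": 2852, "image": ROAMING, "target": SYSWOW},
    # Command line says System32; the image is under SysWOW64 (WoW64 redirection), so match on image.
    {"id": 1, "pid": 2148, "ppid": 2852, "image": SYSWOW, "cmd": r"C:\Windows\System32\omsecor.exe"},
    {"id": 10, "src": 2852, "dst": 2148, "access": 0x1FFFFF},
    {"id": 11, "pid": 2148, "image": SYSWOW, "target": ROAMING},
    {"id": 1, "pid": 340, "ppid": 2148, "image": ROAMING},
    {"id": 10, "src": 2148, "dst": 340, "access": 0x1FFFFF},
    # Benign noise: an installer writing under SysWOW64 must not trip the drop rule.
    {"id": 11, "pid": 1200, "image": r"C:\Windows\System32\msiexec.exe", "target": r"C:\Windows\SysWOW64\vendor.dll"},
]


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Single pass over an ordered trace. Returns (hits, parent_map)."""
    created = set()          # lower-cased paths written so far
    parent = {}              # pid -> ppid
    image = {}               # pid -> image path
    hits = defaultdict(list)
    for e in events:
        if e["id"] == 11:
            if is_system_dir(e["target"]) and is_user_writable(e["image"]):
                hits["drop_to_system_dir"].append((e["pid"], e["target"]))
            created.add(e["target"].lower())
        elif e["id"] == 1:
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["image"]
            if e["image"].lower() in created:
                hits["exec_dropped"].append(e["pid"])
        elif e["id"] == 10:
            if e["access"] & PROCESS_VM_WRITE and parent.get(e["dst"]) == e["src"]:
                hits["write_into_own_child"].append((e["src"], e["dst"]))
    # Same executable name running from both a user-writable root and a system dir.
    roots = defaultdict(set)
    for path in image.values():
        kind = "user" if is_user_writable(path) else "system" if is_system_dir(path) else "other"
        roots[path.rsplit("\\", 1)[-1].lower()].add(kind)
    hits["same_name_two_roots"] = sorted(n for n, k in roots.items() if {"user", "system"} <= k)
    return dict(hits), parent


def ancestry(parent: dict, pid: int) -> list:
    """Walk pid -> ppid until the chain leaves the trace."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


if __name__ == "__main__":
    hits, parent = detect(EVENTS)
    for rule, findings in hits.items():
        print(f"{rule}: {findings}")
    print("ancestry of 340:", ancestry(parent, 340))
```

The drop rule keys on who wrote the file, not just where it landed, so an installer writing under SysWOW64 is ignored while a binary running from a user profile doing the same is flagged; the write-into-own-child rule mirrors the twelve WriteProcessMemory rows above collapsed to their three parent/child pairs.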

Network

Of the destinations below, only lousta.net, mkkuei4kdsz.com and ow5dirasuek.com (193.166.255.171:80, 64.225.91.73:80 and 35.91.124.102:80) also appear in the Win7 run and are attributable to the sample. The in-addr.arpa reverse lookups, the bing.com/bing.net connections and 52.111.227.11:443 occur only in this Win10 run and are consistent with OS background traffic; do not treat them as indicators.

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
US 52.111.227.11:443 tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
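The Win10 table is dominated by reverse lookups and Microsoft traffic that the Win7 run never produced. As an added example, not part of the report, the code below transcribes both runs' Network tables and keeps only destinations seen in both, which leaves the three domains and three sockets the sample itself contacted. The "present in both runs" rule is an assumption: it holds here because the sample contacts fixed infrastructure, and would need a different baseline (for example a clean-image capture) for a sample that rotates its servers per run.

```python
"""Split the sample's own network indicators from sandbox background traffic by
intersecting the Win7 (behavioral1) and Win10 (behavioral2) detonations. Added
example, not part of the report; both tables are transcribed from the report's
Network sections. Assumption: the sample contacts the same infrastructure in every
run while OS background traffic varies with the image. in-addr.arpa reverse lookups
and the resolver socket never count as indicators."""

BEHAVIORAL1 = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

BEHAVIORAL2 = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
US 52.111.227.11:443 tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

RESOLVER = ("8.8.8.8", 53)


def parse_table(text):
    """Rows are 'Country Destination Domain Proto'; Domain is absent in some rows."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            raise ValueError(f"unexpected row: {line!r}")
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def extract_iocs(*runs):
    """Cross-run C2 domains with the sockets they resolved to, plus what was discarded and why."""
    def domains(rows):
        return {r["domain"] for r in rows if r["domain"] and not r["domain"].endswith(".in-addr.arpa")}

    def sockets(rows):
        return {(r["ip"], r["port"], r["proto"]) for r in rows if (r["ip"], r["port"]) != RESOLVER}

    shared = set.intersection(*(domains(r) for r in runs))
    resolved = {}
    for rows in runs:
        for r in rows:
            if r["domain"] in shared and (r["ip"], r["port"]) != RESOLVER:
                resolved.setdefault(r["domain"], set()).add((r["ip"], r["port"], r["proto"]))
    attributed = {s for v in resolved.values() for s in v}
    return {
        "c2_domains": sorted(shared),
        "c2_sockets": {d: sorted(v) for d, v in sorted(resolved.items())},
        # seen in one run only: OS/background unless corroborated elsewhere
        "background_only": sorted(set.union(*(domains(r) for r in runs)) - shared),
        # TCP endpoints not tied to a cross-run domain (here the bing.com/bing.net
        # and 52.111.227.11:443 connections seen only in the Win10 run)
        "unattributed_sockets": sorted(set.union(*(sockets(r) for r in runs)) - attributed),
    }
```

The result is the indicator set worth blocking or hunting for: the three domains, their three HTTP sockets, and an explicit list of what was set aside so a reviewer can see that the Bing and 52.111.227.11 traffic was excluded deliberately rather than missed.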

Files

Note: omsecor.exe carries a different hash at every hop of the chain (three distinct SHA256 values per run), and only the first Roaming drop (MD5 747a912e7c5c5e0f9b2c37c549a81700) is byte-identical between the Win7 and Win10 runs. Hashes of the later copies are therefore weak indicators; the Roaming/SysWOW64 path pair, the process chain and the network destinations are the stable ones.

memory/3472-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 747a912e7c5c5e0f9b2c37c549a81700
SHA1 d73df6317c5429eb1ee1d7fe9070d65c805b3c20
SHA256 f6c288c3d50782bac08ce5334fce9ac97ca9a412975d338b0bbd9c48edc12b03
SHA512 d931a7015ca377228238a33d39c4cf8f9d21271839f82c030fdcf72347b4c4943164905732562b30aa065d4f480789617bcf5e1f305576146b040fdf5fce4fd7

memory/3472-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3356-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3356-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3356-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3356-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3356-14-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 0c00f02ff814142b6ad8a352f13228c4
SHA1 7d67a38653c17f75f64086485a158ac00e9e45dd
SHA256 0f6a67886019d650a8cb32ac92cc2155de4c8df8c9089f1fb293445b53daae5a
SHA512 34b9d8ae4eb3ec4fc2d320b3f97a121ac00d97ee8cdaa96e33dcbc9534f0b699516d654d2c724cbadf98bbec5f2359f6c588fa7e9cffc7c18c9b782f5991296e

memory/3356-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3480-21-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 56ce10ddc8a1d3ca7d0bcb758335ee68
SHA1 082130b08780c6c1a1da23dc3de8a7f6fe2e87ef
SHA256 2caea9708f6ab2807eceea782c56d93edfc07f850889e0dcf28d50f4403446e4
SHA512 9e25a81b937c987e3f53c02592e36026d488e9e61c6a3b1882594f6001958a44488d423537f9dad60f33d2e0c7ef2c21dc2ac642cb06dea5da92c631d38f89ac

memory/3480-25-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4832-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4832-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4832-32-0x0000000000400000-0x000000000042D000-memory.dmp