Malware Analysis Report

2024-09-11 08:37

Sample ID 240608-29nqhahg7y
Target 4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2
SHA256 4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2
Tags
upx neconyd trojan
score
10/10


Analysis Overview

score
10/10

SHA256

4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2

Threat Level: Known bad

The file 4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2 was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

UPX dump on OEP (original entry point)

Neconyd

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 23:17

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A (1 row, no details recorded)

UPX packed file

upx
Description | Indicator | Process | Target
N/A (1 row, no details recorded)

Unsigned PE

Description | Indicator | Process | Target
N/A (2 rows, no details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 23:17

Reported

2024-06-08 23:19

Platform

win7-20240221-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A (16 rows, no details recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A (16 rows, no details recorded)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2184 wrote to memory of 2012 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2012 wrote to memory of 2728 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2728 wrote to memory of 1608 (4 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe

"C:\Users\Admin\AppData\Local\Temp\4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2184-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e2adea8aedc1637e781d0a59dec101be
SHA1 51d5a770910a50d6377fee7481a9c777d624364e
SHA256 475b463606742af95a5dbbfdbae95057ea0143449593d64d7c3f8159945813cd
SHA512 fd1e591719cb84972c022aa75a885a57bd356f08658ed4be9d7700e009598dade6dd672ceae7118e1c51d009fab0d3bc9dc2a7c7fbd00952533e3dd67b5f645c

memory/2012-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2012-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2012-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2012-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2012-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 a9d3ed7a2dc69f662f2a8e853fc83d3e
SHA1 5498bc194a1b2705c8b01947e3076d4ee360d863
SHA256 324d9020dd6f3f132f8a90effa66d6541168d031093bbdc9669c345fd8878d48
SHA512 c08c6246167de706f6dd19e9926779f9c6ee877bc768994ec135fa24d3785f66d3390776f91930ca72363060879c5cdeeddb7a91b292661d889f9779b7d86d13

memory/2012-25-0x0000000000370000-0x000000000039D000-memory.dmp

memory/2012-32-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1607d3fabd9b95f05303ed4539bf2371
SHA1 4e7205eb340f0305f046a62d2f13fb891a0aa8eb
SHA256 90cedb0afdf46f1f979dfaa9bdc5425433b3ef47a029d6e72ce066c373b5787c
SHA512 5dfae15cfa5460de3843cc7b4b950bd2ce129dfb89b4831890d33c9e2f365159c4880a223a91ed4ac47545328441478185da4453a6a8e1794d10ed8032e179d9

memory/1608-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2728-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1608-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1608-50-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 23:17

Reported

2024-06-08 23:19

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A (15 rows, no details recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A (15 rows, no details recorded)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe

"C:\Users\Admin\AppData\Local\Temp\4fb82184aebe8134de442d7936d69cb45ba5f9dcb6a8fbba2697733fe05950b2.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/4820-1-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e2adea8aedc1637e781d0a59dec101be
SHA1 51d5a770910a50d6377fee7481a9c777d624364e
SHA256 475b463606742af95a5dbbfdbae95057ea0143449593d64d7c3f8159945813cd
SHA512 fd1e591719cb84972c022aa75a885a57bd356f08658ed4be9d7700e009598dade6dd672ceae7118e1c51d009fab0d3bc9dc2a7c7fbd00952533e3dd67b5f645c

memory/4820-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4376-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4376-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4376-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4376-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4376-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4376-20-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 d35e92d956e0f50a75c6e934146bdef3
SHA1 f747691742950e34de24b51da7fc74495846c8d7
SHA256 8ff45b8b0a3389a4bd1b1ac571c526f6443f9d8eb1a6769966f2159ee6f2ac0f
SHA512 7cb9044477d1e4d8ebe0fdae1a6f94ea7c39469f1d1b62f07660a68c7652b2b802b49e408a02505340ebf5047a1d33121976872b91ebc9d99b4c6ba107728f88

memory/4032-22-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 228e425210ac020563b2b1b6f28f5aed
SHA1 3f08728720c29a3ac8a0608bd56f3523eba431d2
SHA256 ce34686b61de6932a1322196bb096ef08542782a7df8d647c1ff7fb767f3dedd
SHA512 85cc8888f4969d9a9e616a95bfa32b922cd1b9c3326b94e90572e6b33ae0d222a652741bff7512b199661d4e6ed5b7eebb1eeab6b2875470dd761a8d18987064

memory/3832-26-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3832-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3832-31-0x0000000000400000-0x000000000042D000-memory.dmp