Malware Analysis Report

2024-09-11 08:37

Sample ID 240608-y9yzpage53
Target 246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f
SHA256 246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f
Tags
neconyd trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f

Threat Level: Known bad

The file 246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd

Neconyd family

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 20:29

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 20:29

Reported

2024-06-08 20:38

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe

"C:\Users\Admin\AppData\Local\Temp\246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/4356-5-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 9cebf2f0201bebbbcef9a6a383ad404a
SHA1 cc582139dd10ad753c1b4654fc2c811766bd7e71
SHA256 6d3754fb8d8c8049a77516f2834f6001d98d69d09221e9913041b02765dcf402
SHA512 43e47e9834fe918856c8ee65b45086254f18624ae56fffc210ab17f192f1c2c73426acfd24e6f38fba79b72c255e194a17d3029e40678ef2b3040da670b69b01

memory/5048-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4356-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5048-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5048-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5048-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5048-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 6eca2aee2aa8f38b839d59f40544e3b2
SHA1 a927f98d5752bb3211517e0aef851fb90f30d427
SHA256 13e36881f2e7deb8fe0728bc6f05225802af22cd62816e19134ca9cd5c909553
SHA512 44e78480e42a012a2e143a9e6772f4fe7d0002e78ff9075c196027c4a5d2486b6f086be0e6a12804d2fffb831b9cbf528f7adaa0cd586a4e7a1c9faa57c6145e

memory/5048-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4800-23-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0fb5edc7893e1da430680ff911f73057
SHA1 84a9be3cc0cb45a6646046b1a639cd867315fa5d
SHA256 e6c75556495f35839bf8953d76453d0f4a7b1ff3582950f9f1b07b4a5455135b
SHA512 69ad5063c4cdd2320e0f2cc041dae63dcb5d6dc9333efd48a1eabf9a2eb38c87e807d369e277acc490b1fcaafcfe7273206e240cbe9f290bd88283f4ff1e6c54

memory/1276-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1276-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1276-32-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 20:29

Reported

2024-06-08 20:38

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2192 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2484 wrote to memory of 1968 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe

"C:\Users\Admin\AppData\Local\Temp\246ce239d15e2b241a31cb62d877cc744a023787cfcb84a802bf184bf564365f.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/3048-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 9cebf2f0201bebbbcef9a6a383ad404a
SHA1 cc582139dd10ad753c1b4654fc2c811766bd7e71
SHA256 6d3754fb8d8c8049a77516f2834f6001d98d69d09221e9913041b02765dcf402
SHA512 43e47e9834fe918856c8ee65b45086254f18624ae56fffc210ab17f192f1c2c73426acfd24e6f38fba79b72c255e194a17d3029e40678ef2b3040da670b69b01

memory/2192-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3048-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2192-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2192-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2192-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 586cc9daba8f13419532f8238c93a620
SHA1 30f44284c750268e5d8023c21635d3e80e4d5186
SHA256 84b90e5cb4fcfaa24c53ebf11645827146481855ba0e4200ab933e8ca4050dca
SHA512 50b4ffa221bd8e374d6cca64b65e2087c1d859d8d8ffbdc60312ff69f5edb3c7e11b9c4ed1c25b894129edf06edb8069adf7954a5cd3baa292111ce71be6f5d5

memory/2484-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2192-31-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2484-38-0x0000000000220000-0x000000000024D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 89333ff258e8e1d800e6ad708825caed
SHA1 9f71c4bcb00027799f6a1d86a5ed7639173fa59a
SHA256 680a674a3f93dc11bb72291debc32770ed41dc70e5c8ce09553e95fd25083f4b
SHA512 23b45bdb8987d9a19cbc52c76a2281f9fdead93ca31997b2cf46971ca2f96a56304a9b7472c1ebab6516b038b9bef84b8776986a2eb60d3a1caf9afbc88745e0

memory/2484-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1968-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1968-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1968-51-0x0000000000400000-0x000000000042D000-memory.dmp