Malware Analysis Report

2024-09-11 08:39

Sample ID 240610-2zbm7atgrh
Target 6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08
SHA256 6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08
Tags
upx neconyd trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08

Threat Level: Known bad

The file 6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08 was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

UPX dump on OEP (original entry point)

Neconyd family

Neconyd

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 23:00

Signatures

Neconyd family (tags: neconyd)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file (tags: upx)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows, no per-hit details recorded)
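The "UPX packed file" verdict in the static pass can be reproduced without detonating anything. The following is an added example and not code from the sandbox or from this report: it walks the PE section table with the standard library only, flags the UPX0/UPX1 names the stock packer writes, and falls back to two structural signals that survive renaming, a first section with virtual size but no raw data (the packer leaves it for the stub to fill at run time) and a high-entropy section holding the compressed image. The PE it parses is a constructed skeleton (valid headers and section table, placeholder contents), not the sample from this report; the 7.0 entropy threshold and the section names in UPX_SECTION_NAMES are the example's own choices.

```python
import math
import random
import struct

# Section names the stock UPX packer writes. Anyone who edits the packed file
# can rename them, so treat them as a hint, not proof.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
IMAGE_FILE_MACHINE_I386 = 0x14C


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """DOS header -> PE signature -> COFF header -> section table.

    Returns (machine, [(name, virtual_size, virtual_address, raw_size, raw_offset,
    characteristics), ...]).
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0"), vsize, vaddr, rsize, rptr, chars))
    return machine, sections


def upx_indicators(pe: bytes) -> dict:
    """Name check plus two layout signals that do not depend on the names."""
    machine, sections = parse_sections(pe)
    named = [s[0] for s in sections if s[0] in UPX_SECTION_NAMES]
    # UPX0 has a virtual size but SizeOfRawData == 0: the stub unpacks into it.
    empty_first = bool(sections) and sections[0][3] == 0 and sections[0][1] > 0
    entropy = {s[0].decode("ascii", "replace"): shannon_entropy(pe[s[4]:s[4] + s[3]])
               for s in sections if s[3]}
    high = [n for n, e in entropy.items() if e > 7.0]
    return {
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
        "upx_named_sections": named,
        "empty_first_section": empty_first,
        "section_entropy": entropy,
        "high_entropy_sections": high,
        "likely_upx": bool(named) or (empty_first and bool(high)),
    }


def build_sample_pe(names=(b"UPX0", b"UPX1")) -> bytes:
    """Constructed skeleton of a UPX-laid-out 32-bit PE (real headers and
    section table, placeholder section contents). Not the report's sample."""
    rnd = random.Random(7)
    packed = bytes(rnd.getrandbits(8) for _ in range(4096))  # stands in for compressed code
    rsrc = b"\0" * 256                                       # low-entropy filler
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, 0, 0, 0, 224, 0x0102)
    optional = b"\0" * 224                                   # PE32 optional header, zeroed

    def section(name, vsize, vaddr, rsize, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)

    table = (section(names[0], 0x1D000, 0x1000, 0, 0, 0xE0000080)            # no raw data
             + section(names[1], 0x10000, 0x1E000, len(packed), 512, 0xE0000040)
             + section(b".rsrc", 0x1000, 0x2E000, len(rsrc), 512 + len(packed), 0xC0000040))
    headers = dos + b"PE\0\0" + coff + optional + table
    return headers.ljust(512, b"\0") + packed + rsrc


if __name__ == "__main__":
    for label, names in (("stock names", (b"UPX0", b"UPX1")), ("renamed", (b".text", b".data"))):
        print(label, upx_indicators(build_sample_pe(names)))
```

Running it on the renamed variant shows why the fallback matters: the name list comes back empty, but the empty first section plus the near-8.0 entropy of the second still mark the file as packed. A 0x400000 image base with a single large uninitialised first section, as in the 0x400000-0x42D000 dumps later in this report, is the same layout seen from memory.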

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 23:00

Reported

2024-06-10 23:03

Platform

win7-20240215-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08.exe"

Signatures

Neconyd (tags: trojan neconyd)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows, no per-hit details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file (tags: upx)

Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows, no per-hit details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2592 wrote to memory of 2724 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2724 wrote to memory of 2296 (4 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2296 wrote to memory of 1628 (4 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

The three rows describe one linear chain: the submitted sample (PID 2592) writes into the Roaming copy it launches (2724), which writes into the SysWOW64 copy (2296), which writes into a second Roaming copy (1628). Every write goes from a parent into the child it spawned (compare Executes dropped EXE and Processes), not into an unrelated process, and the Files section records the same 0x400000-0x42D000 image range for all four PIDs.
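Turning the WriteProcessMemory table into a process lineage is quicker to do in code than by eye once a report has dozens of repeated rows. The block below is an added example, not part of the report or of the sandbox's tooling: it parses rows in the exact shape shown above, collapses the repeats into a per-edge count, orders the processes from the one nobody wrote into, classifies each stage by directory, and flags any stage whose image path already appeared earlier in the chain (a dropped copy executing itself again). The input is the report's own twelve rows, embedded as constructed data; the row regex assumes paths without spaces, which holds for every row here, and the stage labels are the example's own vocabulary.

```python
import re
from collections import Counter, defaultdict

# The twelve WriteProcessMemory rows of behavioral1, as constructed input copied
# from the table above (each row appears four times in the report).
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"
ROWS = (
    [f"PID 2592 wrote to memory of 2724 N/A {SAMPLE_EXE} {ROAMING}"] * 4
    + [f"PID 2724 wrote to memory of 2296 N/A {ROAMING} {SYSWOW64}"] * 4
    + [f"PID 2296 wrote to memory of 1628 N/A {SYSWOW64} {ROAMING}"] * 4
)

# Description, Indicator, Process, Target; assumes paths contain no whitespace.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)")


def parse_rows(rows):
    """Collapse repeated rows into (writer_pid, target_pid) -> count and pid -> image."""
    writes = Counter()
    image = {}
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst, _indicator, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        writes[(src, dst)] += 1
        image[src] = src_img
        image[dst] = dst_img
    return writes, image


def stage(path: str) -> str:
    """Label a stage by where its image lives (example vocabulary)."""
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p:
        return "dropper (Temp)"
    if "\\appdata\\roaming\\" in p:
        return "user copy (Roaming)"
    if "\\syswow64\\" in p:
        return "system copy (SysWOW64: a 32-bit write to System32, WoW64-redirected)"
    if "\\system32\\" in p:
        return "system copy (System32)"
    return "other"


def build_chain(writes, image):
    """Order the writes into a lineage starting at the PID nobody wrote into.
    Returns the ordered stages and the PIDs whose image path was already seen."""
    children, has_parent = defaultdict(list), set()
    for src, dst in writes:
        children[src].append(dst)
        has_parent.add(dst)
    roots = [pid for pid in image if pid not in has_parent]
    if len(roots) != 1:
        raise ValueError(f"expected a single root process, found {roots}")
    chain, revisits, seen, pid = [], [], set(), roots[0]
    while True:
        path = image[pid].lower()
        if path in seen:
            revisits.append(pid)
        seen.add(path)
        chain.append({"pid": pid, "image": image[pid], "stage": stage(image[pid])})
        nxt = children.get(pid, [])
        if not nxt:
            return chain, revisits
        if len(nxt) != 1:
            raise ValueError(f"PID {pid} wrote into several processes: {nxt}")
        pid = nxt[0]


def summarize(rows):
    writes, image = parse_rows(rows)
    chain, revisits = build_chain(writes, image)
    return {
        "pids": [c["pid"] for c in chain],
        "stages": [c["stage"] for c in chain],
        "writes": {f"{s}->{d}": n for (s, d), n in sorted(writes.items())},
        "reexecuted_paths": [image[p] for p in revisits],
    }


if __name__ == "__main__":
    for key, value in summarize(ROWS).items():
        print(f"{key}: {value}")
```

On this report the output is the four-stage chain 2592, 2724, 2296, 1628 with four writes per edge and C:\Users\Admin\AppData\Roaming\omsecor.exe reported as re-executed; a branching chain or a second root would raise, which is the right behaviour for a triage script rather than silently picking one path.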

Processes

Image path, then command line, in launch order:

C:\Users\Admin\AppData\Local\Temp\6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08.exe
  "C:\Users\Admin\AppData\Local\Temp\6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Note the third entry: the command line names C:\Windows\System32\omsecor.exe but the process image is C:\Windows\SysWOW64\omsecor.exe. The sample is a 32-bit executable running under WoW64 on this 64-bit VM, so its write to System32 was transparently redirected to SysWOW64 by the WoW64 file-system redirector, and the "Drops file in System32 directory" signature above reports the redirected path. A rule that matches only the literal System32 directory, or only the command line, will miss this copy: match both directories, or take the path from kernel-side file-create telemetry rather than from the process's own view.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

The 8.8.8.8:53 rows are the VM's DNS lookups through Google Public DNS, not infrastructure of the sample; the hosts the sample actually talks to are the three port-80 endpoints that the names resolved to.

Files

memory/2592-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 fe07766fd4e26ceaa477d98535dff4ce
SHA1 3ffe3fba4c05f98264102b30bd0c53f0a83bc5ae
SHA256 c28499f4884e78844d3c15f70ac27b08a01f887b192865490ff9f3b4a4e3270b
SHA512 8265a55140a7e3c5f6d8a670736316f13d27e02e90f4654ccbbbb5fc8eecd00b1fd5fab6f93b3daaf22ae1f897721735e145fe35db905159c1a0acd6cd2fff17

memory/2592-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2724-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2724-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2724-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2724-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2724-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 80935e1204559d637997d4b9419ead2c
SHA1 388f168d747ccf0da4e5628d5c79f2e49f7e57ed
SHA256 aca09590f39a05516ad941fae0bd58f7fb6dc7fa30edb30e57504f35bd630d84
SHA512 070a0a796eecfb25965b1803ddcc7711b7b0f0fa7c6874e88fa9e31c30f3be52671a748a588a419820fd3890e1dd972e1877eded857b2ba8974f567cfbd51908

memory/2724-25-0x0000000000320000-0x000000000034D000-memory.dmp

memory/2296-36-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2724-32-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 810c4ee3f50492ede33f4c8e1b065f46
SHA1 912c00a8e073376204e2344e5d135a2aab9cc5d9
SHA256 0f35f144cdc2c82a2d6d5528acb1935fe046bb0499734791256b92583c6a8485
SHA512 9fdc1ad2764f2ef5eabf51e002d81413a78cd0ddbc2ab9163f74c7410bff42a978ec8f3dd325de88c0b21761e85ec67dcfb3fdb2ff8f5824dcd6c90fa86252a1

memory/1628-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1628-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1628-50-0x0000000000400000-0x000000000042D000-memory.dmp

omsecor.exe is written to the Roaming path twice in this run with different content (MD5 fe07766fd4e26ceaa477d98535dff4ce, then 810c4ee3f50492ede33f4c8e1b065f46), and the SysWOW64 copy is a third distinct file (80935e1204559d637997d4b9419ead2c). None of the dropped files shares the submitted sample's SHA256, so blocking the original hash alone does not cover the persisted copies; the paths and the contacted domains are the indicators that hold across stages.
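The Network and Files tables of this run are the raw material for detection content, and the two things that most often go wrong when lifting them are treating the resolver as an IOC and matching domains with a plain substring. The block below is an added example, not part of the report: it parses the behavioral1 network rows exactly as printed, drops port-53 traffic to public resolvers while keeping the queried names, builds the endpoint and domain sets, and then runs them against a constructed resolver log and a constructed file-hash inventory. The log line format, the host names and the inventory entries are invented for the example; the domains, IPs and SHA256 values are the ones from this report.

```python
import re

# Network table of behavioral1, copied from the report (constructed input).
NETWORK_ROWS = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
""".splitlines()

# SHA256 of the files dropped in behavioral1 (Files section of the report).
DROPPED_SHA256 = {
    "c28499f4884e78844d3c15f70ac27b08a01f887b192865490ff9f3b4a4e3270b": r"C:\Users\Admin\AppData\Roaming\omsecor.exe (first drop)",
    "aca09590f39a05516ad941fae0bd58f7fb6dc7fa30edb30e57504f35bd630d84": r"C:\Windows\SysWOW64\omsecor.exe",
    "0f35f144cdc2c82a2d6d5528acb1935fe046bb0499734791256b92583c6a8485": r"C:\Users\Admin\AppData\Roaming\omsecor.exe (second drop)",
}

# Port-53 traffic to a public resolver is the VM asking for the name; the
# resolver is not the sample's infrastructure and must not become an IOC.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def extract_iocs(rows):
    """Country Destination Domain Proto rows -> {"domains": set, "endpoints": set}."""
    domains, endpoints = set(), set()
    for row in rows:
        _country, dest, domain, proto = row.split()
        ip, port = dest.rsplit(":", 1)
        domains.add(domain.lower())
        if proto == "udp" and port == "53" and ip in PUBLIC_RESOLVERS:
            continue  # keep the queried name, drop the resolver
        endpoints.add((ip, int(port)))
    return {"domains": domains, "endpoints": endpoints}


def domain_matches(query: str, domains) -> bool:
    """Exact or subdomain match on label boundaries: cdn.lousta.net hits,
    lousta.network does not (a bare substring test would flag it)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


# Constructed log shape for the example: "<timestamp> client=<ip> query=<name>".
DNS_LOG_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+)")


def scan_dns_log(lines, domains):
    """Return (timestamp, client, query) for each line whose query matches an IOC domain."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line)
        if m and domain_matches(m.group(3), domains):
            hits.append(m.groups())
    return hits


def scan_hash_inventory(inventory, known):
    """inventory: iterable of (host, path, sha256). Case-insensitive match on the digest."""
    return [(host, path, known[h.lower()]) for host, path, h in inventory if h.lower() in known]


# Constructed sample telemetry, not from the report.
DNS_LOG = [
    "2024-06-11T09:14:02Z client=10.0.4.23 query=lousta.net",
    "2024-06-11T09:14:03Z client=10.0.4.23 query=cdn.lousta.net.",
    "2024-06-11T09:14:05Z client=10.0.4.80 query=lousta.network",
    "2024-06-11T09:15:11Z client=10.0.4.23 query=MKKUEI4KDSZ.COM",
    "2024-06-11T09:15:12Z client=10.0.4.51 query=www.example.com",
]
HASH_INVENTORY = [
    ("ws-023", r"C:\Users\j.doe\AppData\Roaming\omsecor.exe",
     "C28499F4884E78844D3C15F70AC27B08A01F887B192865490FF9F3B4A4E3270B"),
    ("ws-023", r"C:\Windows\System32\notepad.exe", "0" * 64),
]

if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    print(sorted(iocs["domains"]), sorted(iocs["endpoints"]))
    for hit in scan_dns_log(DNS_LOG, iocs["domains"]):
        print("dns hit", hit)
    for hit in scan_hash_inventory(HASH_INVENTORY, DROPPED_SHA256):
        print("hash hit", hit)
```

Against the constructed log this yields three DNS hits (the exact name, a subdomain with a trailing dot, and an upper-cased query) while lousta.network is correctly left alone, and one hash hit on the first-stage drop. The endpoint set contains only the three port-80 hosts; 8.8.8.8 never enters it.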

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 23:00

Reported

2024-06-10 23:03

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08.exe"

Signatures

Neconyd (tags: trojan neconyd)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows, no per-hit details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file (tags: upx)

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows, no per-hit details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Image path, then command line, in launch order:

C:\Users\Admin\AppData\Local\Temp\6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08.exe
  "C:\Users\Admin\AppData\Local\Temp\6833c8e1e1ab2d91b54e1c7f1227d8bb333ee97dd41c876af4ea5296f0865c08.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe
  (command line names System32; the 32-bit process's write was redirected to SysWOW64 by the WoW64 file-system redirector)

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Only DNS queries through 8.8.8.8 (Google Public DNS) for the same three domains were recorded in this run; unlike the Windows 7 run, no TCP connections to the resolved hosts appear in the log.

Files

memory/432-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 fe07766fd4e26ceaa477d98535dff4ce
SHA1 3ffe3fba4c05f98264102b30bd0c53f0a83bc5ae
SHA256 c28499f4884e78844d3c15f70ac27b08a01f887b192865490ff9f3b4a4e3270b
SHA512 8265a55140a7e3c5f6d8a670736316f13d27e02e90f4654ccbbbb5fc8eecd00b1fd5fab6f93b3daaf22ae1f897721735e145fe35db905159c1a0acd6cd2fff17

memory/432-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4364-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4364-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4364-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4364-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4364-12-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 b00b92249ab4f5f71479967e58de3e0a
SHA1 95cb44fa224df30606136210397c16eb2c187f0b
SHA256 fc6003bb9b0cc5de12b5c74fba468591207d12254b14773648d759abc7a539d8
SHA512 10937276f1d3d42d2027faeac2e7ab9a0c80386b8fb4a9681ac1af1b5b7f126e9e019a12b7462815bbb94f58597cd0db3900ed6c75502a5ec9a287a12f2dcaec

memory/4364-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2932-20-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f5636f3e2bb58dd97ccc9648844ec82c
SHA1 379ed76d70174f8a5ae60e0c1f2ff823def9ed2e
SHA256 62474a94d36622e9527411c0533209b597999c39b3c0ec5102761099db651f67
SHA512 dd4f92dc5ca1f9abcf2a53af3a0ca6f9fdced094dca41ea8bf02daec76886c89cded600f35c5dd70aac9fc70cfeabe64b71756b7af444bc55847cb3d43cd751a

memory/4424-24-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4424-26-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4424-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4424-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4424-32-0x0000000000400000-0x000000000042D000-memory.dmp

As in the Windows 7 run, the same path carries different content across drops: the Roaming copy is recorded first with MD5 fe07766fd4e26ceaa477d98535dff4ce and later with f5636f3e2bb58dd97ccc9648844ec82c, and the SysWOW64 copy here (b00b92249ab4f5f71479967e58de3e0a) differs from the one dropped on Windows 7 (80935e1204559d637997d4b9419ead2c). The first Roaming drop is byte-identical in both runs while every later stage differs, so across these two detonations the indicators that repeat are the first-stage hash, the file paths and the three domains, not the hashes of the later copies.