Malware Analysis Report

2024-09-11 08:32

Sample ID 240610-wymfeawdkl
Target dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc
SHA256 dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc
Tags
upx neconyd trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc

Threat Level: Known bad

The file dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc was found to be: Known bad.

Malicious Activity Summary

Tags: upx neconyd trojan

Neconyd family (static1)
Neconyd (behavioral1, behavioral2)
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory

"Loads dropped DLL" appears only in this summary; neither detonation section below records a matching signature row, so no dropped DLL path or hash is available from this report.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 18:19

Signatures

Neconyd family (tag: neconyd)

UPX dump on OEP (original entry point): 1 match; the description, indicator, process and target columns are empty (N/A) for the static analysis.

UPX packed file (tag: upx): 1 match; no column details recorded.

Unsigned PE: 2 matches; no column details recorded.
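The "UPX packed file" signature keys on the PE section table. The following is an added example (editor's code, not part of this report or of the sample) showing the check a triage script would make: it parses the section headers and reports the UPX section names and the empty-on-disk UPX0 section that UPX leaves as the unpack target. The real sample's bytes are not on the page, so build_fake_pe() constructs a minimal stand-in 32-bit PE; its sizes and section names are assumptions, as are all function names.

```python
"""Added example (editor's code, not part of this report or of the sample):
recognise a UPX-packed PE from its section table. build_fake_pe() builds
a constructed stand-in image; only the headers a section check reads are
filled in."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
SECTION_HEADER_SIZE = 40


def build_fake_pe(section_names, sizeof_optional_header=0xE0):
    """Constructed test input: DOS stub, PE signature, COFF file header, a zeroed
    optional header and one IMAGE_SECTION_HEADER per name. Sizes are arbitrary;
    UPX0 is given no raw data on purpose, because UPX leaves that section empty
    on disk and fills it when the stub unpacks at run time."""
    e_lfanew = 0x40
    dos_header = IMAGE_DOS_SIGNATURE + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0,
                              sizeof_optional_header, 0x0102)
    optional_header = b"\x00" * sizeof_optional_header
    sections = b""
    for i, name in enumerate(section_names):
        raw_size = 0 if name == b"UPX0" else 0x1000
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        sections += name.ljust(8, b"\x00") + struct.pack(
            "<IIIIIIHHI", 0x2C000, 0x1000 * (i + 1), raw_size, 0x400, 0, 0, 0, 0, 0xE0000080)
    return dos_header + IMAGE_NT_SIGNATURE + file_header + optional_header + sections


def section_headers(data):
    """Parse the section table of a PE image; returns (name, vsize, vaddr, rawsize) tuples."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_header + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, file_header + 16)[0]
    table = file_header + 20 + size_of_optional
    out = []
    for i in range(num_sections):
        off = table + SECTION_HEADER_SIZE * i
        name = data[off:off + 8].rstrip(b"\x00")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        out.append((name, vsize, vaddr, rawsize))
    return out


def upx_indicators(data):
    """Reasons the image looks UPX-packed; an empty list means no UPX markers."""
    reasons = []
    sections = section_headers(data)
    hit = {name for name, *_ in sections} & UPX_SECTION_NAMES
    if hit:
        reasons.append("UPX section names: " + ", ".join(sorted(n.decode() for n in hit)))
    for name, vsize, _vaddr, rawsize in sections:
        if name in UPX_SECTION_NAMES and rawsize == 0 and vsize > 0:
            reasons.append(f"{name.decode()} has 0 raw bytes but {vsize:#x} virtual bytes (unpack target)")
    return reasons


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])
    for reason in upx_indicators(packed):
        print(reason)
```

An unmodified UPX build unpacks with `upx -d sample.exe`; malware authors often rename the sections or patch the UPX header so that both this check and `upx -d` fail, which is why the sandbox's "UPX dump on OEP" signature instead lets the stub run and dumps memory once execution reaches the original entry point.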

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 18:19

Reported

2024-06-10 18:22

Platform

win7-20240419-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc.exe"

Signatures

Neconyd (tags: trojan neconyd)

UPX dump on OEP (original entry point): 17 matches; no description, indicator, process or target recorded for any of them.

Executes dropped EXE

Process (description, indicator and target not recorded)
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

UPX packed file (tag: upx): 17 matches; no column details recorded.

Drops file in System32 directory

Description   Indicator                         Process                                      Target
File created  C:\Windows\SysWOW64\omsecor.exe   C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

The signature name says System32 but the file lands in SysWOW64. That is consistent with a 32-bit process writing to the System32 path and being redirected by WoW64 file-system redirection; the process list below shows the copy launched by its System32 path.

Suspicious use of WriteProcessMemory

Each line below aggregates four identical rows from the original table: the source process wrote four times into the target, which is the child it had just started.

4 writes: PID 2380 (C:\Users\Admin\AppData\Local\Temp\dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc.exe) -> PID 1224 (C:\Users\Admin\AppData\Roaming\omsecor.exe)
4 writes: PID 1224 (C:\Users\Admin\AppData\Roaming\omsecor.exe) -> PID 1952 (C:\Windows\SysWOW64\omsecor.exe)
4 writes: PID 1952 (C:\Windows\SysWOW64\omsecor.exe) -> PID 1452 (C:\Users\Admin\AppData\Roaming\omsecor.exe)

No other indicator is recorded for these writes, and the signature does not fire at all in the Windows 10 run (behavioral2) even though the same relay of processes occurs there. The writes are therefore most likely the ones a parent performs while creating a child process rather than code injection; the durable finding is the relay itself: dropper -> %AppData% copy -> SysWOW64 copy -> %AppData% copy again.

Processes

Each process is listed as its image path, then the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc.exe
  "C:\Users\Admin\AppData\Local\Temp\dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe
  (launched by its System32 path; WoW64 redirection resolves that to SysWOW64 for this 32-bit process, which is also where the copy was written)

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
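The WriteProcessMemory rows and the process list above describe one relay of processes. The following is an added example (editor's code, not part of this report) that rebuilds that relay from the signature rows and rewrites the image paths into environment-relative keys that can be hunted on other hosts. The rows are copied from the behavioral1 table; the regular expression, the hunting_key() mapping table and every function name are assumptions about how one would consume the report, not part of the sandbox's output.

```python
"""Added example (editor's code, not part of this report): rebuild the
process relay from the "Suspicious use of WriteProcessMemory" rows of
behavioral1 and normalise the image paths for hunting."""
import re
from collections import Counter, defaultdict

# Rows copied from the behavioral1 signature table, one per recorded write.
WPM_ROWS = r"""
PID 2380 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2380 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2380 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2380 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1224 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1224 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1224 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1224 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1952 wrote to memory of 1452 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1952 wrote to memory of 1452 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1952 wrote to memory of 1452 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1952 wrote to memory of 1452 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
"""

# Assumed row grammar; the paths in this report contain no spaces.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_wpm(rows):
    """Count writes per (source pid, target pid) edge and remember each pid's image path."""
    edges = Counter()
    images = {}
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), int(dst))] += 1
        images[int(src)] = src_img
        images[int(dst)] = dst_img
    return edges, images


def hunting_key(path):
    """Collapse user- and drive-specific prefixes so the path can be hunted on any host.
    The mapping table is an assumption; extend it for the paths your telemetry uses."""
    p = path.lower()
    p = re.sub(r"^c:\\users\\[^\\]+\\appdata\\roaming", r"%appdata%", p)
    p = re.sub(r"^c:\\users\\[^\\]+\\appdata\\local\\temp", r"%temp%", p)
    p = re.sub(r"^c:\\windows\\(syswow64|system32)", r"%windir%\\\1", p)
    return p


def relay_chain(edges, images):
    """Follow the writes from the process nobody wrote into (the dropper) to the last target."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - targets)
    if not roots:
        return []  # cyclic or empty data; nothing to anchor on
    pid, chain = roots[0], []
    while children.get(pid):
        nxt = children[pid][0]  # in this report every process writes into exactly one child
        chain.append({
            "src_pid": pid, "dst_pid": nxt,
            "src": hunting_key(images[pid]), "dst": hunting_key(images[nxt]),
            "writes": edges[(pid, nxt)],
        })
        pid = nxt
    return chain


def summarize(rows=WPM_ROWS):
    edges, images = parse_wpm(rows)
    return relay_chain(edges, images)


if __name__ == "__main__":
    for hop in summarize():
        print(f"{hop['src_pid']} -> {hop['dst_pid']}  {hop['src']}  =>  {hop['dst']}  ({hop['writes']} writes)")
```

The three hops come out as %temp%\<sample>.exe -> %appdata%\omsecor.exe -> %windir%\syswow64\omsecor.exe -> %appdata%\omsecor.exe, four writes each. The normalised pair "omsecor.exe under %appdata% starting omsecor.exe under SysWOW64 (or the reverse)" is the part worth turning into a detection, since the WriteProcessMemory call itself is also produced by ordinary process creation and, as noted above, is absent from the Windows 10 run.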

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

All rows are DNS queries over UDP/53 to the sandbox's resolver (8.8.8.8): lousta.net four times, mkkuei4kdsz.com twice, ow5dirasuek.com once. No resolved address and no follow-on connection to any of the three domains is recorded, so the query names are the only network indicators this run supports.

Files

Entries are listed in the order recorded. Memory dump names follow memory/<pid>-<n>-<start>-<end>-memory.dmp: the dump with sequence number <n> in this run, taken from process <pid> and covering <start>..<end>. Every dump here spans 0x2D000 bytes; most cover the image at 0x400000..0x42D000, while the two 2380 dumps at 0x220000..0x24D000 and the 1224 dump at 0x360000..0x38D000 are the same size at a different base.

memory/2380-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    11df1141e85a062515141ea27a532778
  SHA1   791386cc18ed6d67d18f4496dd62cc973666a8bd
  SHA256 5f7dfc88af1ca5ebb85538ec8900a535cd4ac6491a190931213d7ad1ef73e8f0
  SHA512 17e19fcbc1ced7f525c3f14d9ae1f88c8bf2dc00d11116675b6d3af08cb57a62023d8ee2bdc81a3f255484c18ec97c5cdd5459f2c8db298bc35375508a9d3148

memory/2380-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2380-6-0x0000000000220000-0x000000000024D000-memory.dmp
memory/2380-5-0x0000000000220000-0x000000000024D000-memory.dmp
memory/1224-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1224-16-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1224-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1224-21-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe
  MD5    1f5bfa459e3beff71f2488cef7679bfc
  SHA1   c1ba80fe916c9ba7bafd74d4d90cd353ec0fb045
  SHA256 668a90290faa13da9c820b7a94432b8f92804825fc1cb4f6a891ae6243d94faa
  SHA512 3049fcb2bcccba850130bd7275825baabb0d9b7f5cb7fc06f828eed675c28c3497afea9dd706d309da9100b2c70a0238fdaeafbae0c1f37bfc35f1f8ec1567e3

memory/1224-25-0x0000000000360000-0x000000000038D000-memory.dmp
memory/1224-32-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe (second, different copy written to the same path)
  MD5    9c9f57e8b05ea00e446071c521c4a35c
  SHA1   c8f0279a50fea1135cadc23e392be369d400822e
  SHA256 fbd79fae947f8eb57b65c12b9ad6a38f463b1b9a9b65f5031895df35861d9944
  SHA512 f2df935d1fea8261d1c45535cd6cb13084361bea0df0e71f65f982c834b8f525a209e45e5a519d50f3930d6a45caf097ce3a62c7152356c98e8bfa655ce7f3ea

memory/1952-43-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1452-45-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1452-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1452-49-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1452-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 18:19

Reported

2024-06-10 18:22

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc.exe"

Signatures

Neconyd (tags: trojan neconyd)

UPX dump on OEP (original entry point): 15 matches; no description, indicator, process or target recorded for any of them.

Executes dropped EXE

Process (description, indicator and target not recorded)
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe

UPX packed file (tag: upx): 15 matches; no column details recorded.

Drops file in System32 directory

Description                   Indicator                         Process
File opened for modification  C:\Windows\SysWOW64\merocz.xc6    C:\Windows\SysWOW64\omsecor.exe
File created                  C:\Windows\SysWOW64\omsecor.exe   C:\Users\Admin\AppData\Roaming\omsecor.exe

The target column is empty (N/A) for both rows. merocz.xc6 is recorded only in this Windows 10 run and is not among the files with hashes below, so only its path is available as an indicator.

Processes

Each process is listed as its image path, then the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc.exe
  "C:\Users\Admin\AppData\Local\Temp\dfad4a9b0249c10c91f7fbdb470c9114df0041ca4c6e81bad5d56143dde80ffc.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe
  (launched by its System32 path; WoW64 redirection resolves that to SysWOW64 for this 32-bit process)

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Same three query names as in behavioral1 (lousta.net four times, ow5dirasuek.com twice, mkkuei4kdsz.com once), again with no resolved address or follow-on connection recorded. The 8.8.8.8.in-addr.arpa row is a reverse (PTR) lookup of the resolver itself and is most likely platform noise rather than sample activity.
Files

Entries are listed in the order recorded; memory dump names follow the same memory/<pid>-<n>-<start>-<end>-memory.dmp convention as in behavioral1, and every dump in this run covers the image at 0x400000..0x42D000.

memory/1876-0-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1876-5-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe (identical hashes to the first behavioral1 copy)
  MD5    11df1141e85a062515141ea27a532778
  SHA1   791386cc18ed6d67d18f4496dd62cc973666a8bd
  SHA256 5f7dfc88af1ca5ebb85538ec8900a535cd4ac6491a190931213d7ad1ef73e8f0
  SHA512 17e19fcbc1ced7f525c3f14d9ae1f88c8bf2dc00d11116675b6d3af08cb57a62023d8ee2bdc81a3f255484c18ec97c5cdd5459f2c8db298bc35375508a9d3148

memory/1980-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1980-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1980-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1980-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1980-13-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe (different hashes from the behavioral1 SysWOW64 copy)
  MD5    60df26f8750bcc981b92d3d02570f60c
  SHA1   98250879117488bfc915662366a135c7af076d77
  SHA256 e8469055d1ac546c1a73d6d96d6eef9ec21dcce624c2e0eec667128f6c5a4e96
  SHA512 bbedfa10cb8483023bb01c4d4a9471084ca2eb30e178025c9f52bcc7f712876141a69ca03d50cb5c9190f534052410b32465dbb0d91c5b1c1911118fbae439c0

memory/1980-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4408-20-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4408-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4408-23-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4408-25-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4408-27-0x0000000000400000-0x000000000042D000-memory.dmp
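Across the two Files sections (behavioral1 and behavioral2) the same path does not always carry the same hash: the %AppData% copy 5f7dfc88... appears in both runs, the SysWOW64 copy hashes differently in each run (668a9029... and e8469055...), and behavioral1 rewrote the %AppData% copy with a third hash (fbd79fae...). The following is an added example (editor's code, not part of this report) that makes that comparison mechanically and then checks a host for the same paths, treating an unknown file at a known malware path as a finding rather than a miss. The SHA256 values and paths are copied from the report; the classification labels and function names are assumptions.

```python
"""Added example (editor's code, not part of this report): compare dropped-file
hashes across the two detonations and check a host for the recorded paths."""
import hashlib
import os

# (run, path as recorded, SHA256) copied from the two Files sections.
DROPPED = [
    ("behavioral1", r"\Users\Admin\AppData\Roaming\omsecor.exe",
     "5f7dfc88af1ca5ebb85538ec8900a535cd4ac6491a190931213d7ad1ef73e8f0"),
    ("behavioral1", r"\Windows\SysWOW64\omsecor.exe",
     "668a90290faa13da9c820b7a94432b8f92804825fc1cb4f6a891ae6243d94faa"),
    ("behavioral1", r"\Users\Admin\AppData\Roaming\omsecor.exe",
     "fbd79fae947f8eb57b65c12b9ad6a38f463b1b9a9b65f5031895df35861d9944"),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "5f7dfc88af1ca5ebb85538ec8900a535cd4ac6491a190931213d7ad1ef73e8f0"),
    ("behavioral2", r"C:\Windows\SysWOW64\omsecor.exe",
     "e8469055d1ac546c1a73d6d96d6eef9ec21dcce624c2e0eec667128f6c5a4e96"),
]


def canon(path):
    """Drop the drive letter and case so the two runs' spellings compare equal."""
    p = path.lower()
    if len(p) > 2 and p[1] == ":":
        p = p[2:]
    return p


def cross_run(records=DROPPED):
    """Return (stable_hashes, volatile_hashes, hashes_by_path); stable = seen in every run."""
    runs = {run for run, _, _ in records}
    runs_by_hash = {}
    by_path = {}
    for run, path, sha in records:
        runs_by_hash.setdefault(sha, set()).add(run)
        by_path.setdefault(canon(path), set()).add(sha)
    stable = {sha for sha, seen in runs_by_hash.items() if seen == runs}
    volatile = set(runs_by_hash) - stable
    return stable, volatile, by_path


def sha256_file(path, chunk=1 << 20):
    """SHA256 of a file on disk, or None if it is not there."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_host(candidate_paths, known_hashes):
    """Classify each candidate path as absent, a known-bad hash, or an unknown file.

    The last class is the important one here: the SysWOW64 copy hashed
    differently in each detonation, so a file at the path with a hash we have
    never seen is still worth collecting."""
    verdicts = {}
    for path in candidate_paths:
        sha = sha256_file(path)
        if sha is None:
            verdicts[path] = "absent"
        elif sha in known_hashes:
            verdicts[path] = "known-bad hash " + sha[:12]
        else:
            verdicts[path] = "unknown file at malware path (collect it)"
    return verdicts


if __name__ == "__main__":
    stable, volatile, by_path = cross_run()
    print("stable across both runs:", sorted(stable))
    print("seen in one run only:  ", sorted(volatile))
    for path, shas in by_path.items():
        print(path, "->", len(shas), "distinct hash(es)")
    # Paths to check on a live Windows host (the %VAR% forms expand only on Windows).
    candidates = [os.path.expandvars(r"%APPDATA%\omsecor.exe"),
                  os.path.expandvars(r"%SystemRoot%\SysWOW64\omsecor.exe"),
                  os.path.expandvars(r"%SystemRoot%\SysWOW64\merocz.xc6")]
    print(triage_host(candidates, stable | volatile))
```

Only one of the four recorded SHA256 values survives across both detonations, so a blocklist built from these hashes will miss most real infections; the omsecor.exe name in %AppData% and SysWOW64 (plus merocz.xc6 in SysWOW64 on Windows 10) is the indicator that holds.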