Malware Analysis Report

2024-09-11 08:39

Sample ID 240611-fa1p5avgjr
Target eb1cdac20e0ccb0094146c3b7d8d7e53de2d99c2ec3273b99e7a5f60817c9e98
SHA256 eb1cdac20e0ccb0094146c3b7d8d7e53de2d99c2ec3273b99e7a5f60817c9e98
Tags
upx neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb1cdac20e0ccb0094146c3b7d8d7e53de2d99c2ec3273b99e7a5f60817c9e98

Threat Level: Known bad

The file eb1cdac20e0ccb0094146c3b7d8d7e53de2d99c2ec3273b99e7a5f60817c9e98 was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

Neconyd

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 04:40

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 hits, no details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 04:40

Reported

2024-06-11 04:43

Platform

win7-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb1cdac20e0ccb0094146c3b7d8d7e53de2d99c2ec3273b99e7a5f60817c9e98.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (17 hits, no details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (17 hits, no details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1968 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\eb1cdac20e0ccb0094146c3b7d8d7e53de2d99c2ec3273b99e7a5f60817c9e98.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 2100 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 4
PID 2364 wrote to memory of 1196 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\eb1cdac20e0ccb0094146c3b7d8d7e53de2d99c2ec3273b99e7a5f60817c9e98.exe

"C:\Users\Admin\AppData\Local\Temp\eb1cdac20e0ccb0094146c3b7d8d7e53de2d99c2ec3273b99e7a5f60817c9e98.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

Files

memory/1968-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1968-9-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 60d964246020891a96f590a9d187083f
SHA1 488fce6fa2d29e2459fc88529b44f18b50305546
SHA256 97feb903085198668d36e3ba3d8a61df5a392e3c8a06c5c3361f8ee264beaff2
SHA512 2b3841421a021f88550b6b65fdca32fc46648363ad8bb10065b4410bb75e25287d8d0e3dc879e9f3c8506a424f24e48690ab473b292eae5dc9860f5731996aa7

memory/2100-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2100-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2100-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2100-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2100-20-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 12d42d544502cb0406da8ca0f847337a
SHA1 a5d5fa09062948eb6e0735903e41df4672f2f993
SHA256 ce1e178cccab5832914dfd2c406c24e7cde28428ca66124b0dd9243c64d6362c
SHA512 c4be4cc56f339b38f662011c5ec0031c643bf85c29d3ed5d8a632c28d347d805516c48afbeb5d4d1dfd57a5e5c9d6fe1f463025546ff131fca7a78c90ac662e7

memory/2100-24-0x00000000003A0000-0x00000000003CD000-memory.dmp

memory/2364-35-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2100-31-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 60783b8c56efe18d12a7852913e9caaa
SHA1 5b4633eea3b7b7aa3d65d989a9e305685fdbb546
SHA256 41b1fa6ffd0236b5567269a7f5bd424276f1c25b05d0d6cebc9355c93edb984d
SHA512 a90f92c2d67d47b6f2e8094d3fff8d711e4e2fd33144adb9da52740990e61c52b220a5bceaa3fe8f83f287c28b843c2b670360193e9ed6903094c643bd519d79

memory/1196-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1196-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1196-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1196-50-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 04:40

Reported

2024-06-11 04:43

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb1cdac20e0ccb0094146c3b7d8d7e53de2d99c2ec3273b99e7a5f60817c9e98.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (16 hits, no details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (16 hits, no details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\eb1cdac20e0ccb0094146c3b7d8d7e53de2d99c2ec3273b99e7a5f60817c9e98.exe

"C:\Users\Admin\AppData\Local\Temp\eb1cdac20e0ccb0094146c3b7d8d7e53de2d99c2ec3273b99e7a5f60817c9e98.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/4072-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 60d964246020891a96f590a9d187083f
SHA1 488fce6fa2d29e2459fc88529b44f18b50305546
SHA256 97feb903085198668d36e3ba3d8a61df5a392e3c8a06c5c3361f8ee264beaff2
SHA512 2b3841421a021f88550b6b65fdca32fc46648363ad8bb10065b4410bb75e25287d8d0e3dc879e9f3c8506a424f24e48690ab473b292eae5dc9860f5731996aa7

memory/4072-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3136-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3136-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3136-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3136-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3136-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 4ea34dbb99f2ea6e7770f792a33bf386
SHA1 57e0d7eb8de250120cb4bf84dc853c24980d6aa0
SHA256 10e6c3bedef2f97542db16d784b2e47ea1fd654b9acf539e98eccd35cb8aab78
SHA512 6a483e0c0cd9fa1b2e0a4c6a814e825cab4e6e00955aa0e9c09a7eec60c8116be4492cba227deae308b700516ee5809e8d98f673463d89d0a65bbf127ea3b9d3

memory/3136-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1516-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1516-26-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f03d30d2d79258fc8995d1c8fceade43
SHA1 1ce5a8999b4643c67661c28a3b542353bdcd6601
SHA256 43b10a8945047224d39e50fdd7021dc5553fb947d5d515543ad86c73152b74ec
SHA512 a2f2e10962120a13a628933eabfbcc130f0e2464a6064e063540027cb753e2b02eaca2c7313dbc77e60f553e0592f2c69df13f3c23341ef07bb8a88cbe14a1c8

memory/4528-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4528-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4528-32-0x0000000000400000-0x000000000042D000-memory.dmp