Malware Analysis Report

2024-09-11 08:40

Sample ID 240612-hhsetstape
Target f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5
SHA256 f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5
Tags
upx neconyd trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis Overview

score
10/10

SHA256

f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5

Threat Level: Known bad

The file f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5 was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family / Neconyd (static and behavioral detections)
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 06:44

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
(no per-indicator details reported)

UPX packed file

upx
Description Indicator Process Target
(no per-indicator details reported)

Unsigned PE

Description Indicator Process Target
(2 matches; no per-indicator details reported)
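Two of the static signatures above, "UPX packed file" and "Unsigned PE", come down to a handful of PE header fields: the section table and the security data directory. The following is an added example (it is not the sandbox's detection code and does not operate on the sample from this report) showing how to read those fields and why the section-name check alone is weak. The PE images it analyses are in-memory fixtures built by build_pe(); their section names, sizes and the placeholder signature blob are constructed for the example.

```python
"""Static triage of a PE image: UPX packing heuristics and Authenticode presence.
Added example, not the sandbox's code. The PE images come from build_pe(),
a fixture generator, not from a real binary."""
import math
import random
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot that points at the Authenticode blob
FILE_ALIGN = 0x200


def _align(n, a=FILE_ALIGN):
    return (n + a - 1) & ~(a - 1)


def build_pe(sections, security_size=0):
    """Minimal PE32 image (headers + section data) used only as a parser fixture.
    sections: list of (name, virtual_size, raw_bytes). Not a runnable program."""
    opt_size = 224                                     # PE32 optional header size
    hdr_end = _align(0x40 + 4 + 20 + opt_size + 40 * len(sections))
    raw_ptr, va, shdrs, body = hdr_end, 0x1000, b"", b""
    for name, vsize, raw in sections:
        shdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, va, len(raw), raw_ptr if raw else 0,
                             0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        va += _align(vsize, 0x1000)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    if security_size:                                  # placeholder cert blob appended at EOF
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, raw_ptr, security_size)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + shdrs
    return headers.ljust(hdr_end, b"\0") + body + b"\0" * security_size


def parse_pe(data):
    """Read the COFF header, the security directory and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections = struct.unpack_from("<HH", data, coff)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = 96 if magic == 0x10B else 112            # PE32 vs PE32+ data directory offset
    _, sec_size = struct.unpack_from("<II", data, opt + dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rsize,
                         "data": data[rptr:rptr + rsize] if rsize else b""})
    return {"machine": machine, "sections": sections, "security_size": sec_size}


def shannon_entropy(buf):
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def upx_indicators(pe):
    """UPX-style layout heuristics. The name check is the weakest: a packer with
    renamed sections still shows an empty first section (the unpack target,
    filled only at run time) and a near-8-bit-entropy payload section."""
    hits, secs = [], pe["sections"]
    if any(s["name"].startswith("UPX") for s in secs):
        hits.append("upx_section_names")
    if secs and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0:
        hits.append("empty_first_section")
    if any(s["raw_size"] and shannon_entropy(s["data"]) > 7.0 for s in secs):
        hits.append("high_entropy_section")
    return hits


def is_authenticode_signed(pe):
    """Presence of a security directory only; validity needs a full chain check."""
    return pe["security_size"] > 0


def packed_fixture():
    rng = random.Random(1)                             # deterministic pseudo-random payload
    payload = bytes(rng.getrandbits(8) for _ in range(8192))
    return build_pe([("UPX0", 0x20000, b""), ("UPX1", 0x3000, payload), (".rsrc", 0x1000, b"\0" * 512)])


def clean_fixture():
    return build_pe([(".text", 0x1000, b"\x90" * 4096), (".data", 0x100, b"\0" * 512)], security_size=2048)


if __name__ == "__main__":
    for label, img in (("packed", packed_fixture()), ("clean", clean_fixture())):
        pe = parse_pe(img)
        print(label, [s["name"] for s in pe["sections"]], upx_indicators(pe), is_authenticode_signed(pe))
```

To run the checks against a real file, pass `parse_pe(open(path, "rb").read())` instead of a fixture. "Unsigned PE" is a weak signal on its own (most malware is unsigned, but so is most in-house tooling); it matters here in combination with the packing and the drop into SysWOW64.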

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 06:44

Reported

2024-06-12 06:47

Platform

win7-20240611-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
(16 matches; no per-indicator details reported)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
(16 matches; no per-indicator details reported)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2000 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2000 wrote to memory of 1688 (4 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1688 wrote to memory of 1956 (4 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Each writer is the parent of the process it writes to, so these rows give the process chain for this run: 2084 (submitted sample) -> 2000 (%AppData%\Roaming\omsecor.exe) -> 1688 (SysWOW64\omsecor.exe) -> 1956 (%AppData%\Roaming\omsecor.exe again). The table does not say what was written; the memory dumps in the Files section cover the same range (0x400000-0x42D000) in every PID, which is consistent with each child running the same unpacked image rather than a different payload being injected.

Processes

PID 2084  C:\Users\Admin\AppData\Local\Temp\f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5.exe
          "C:\Users\Admin\AppData\Local\Temp\f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5.exe"

PID 2000  C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe

PID 1688  C:\Windows\SysWOW64\omsecor.exe
          C:\Windows\System32\omsecor.exe

PID 1956  C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe

PIDs are taken from the WriteProcessMemory rows. Note the third process: its command line names C:\Windows\System32\omsecor.exe, but the process image (and the file the "Drops file in System32 directory" signature recorded) is C:\Windows\SysWOW64\omsecor.exe. The sample is a 32-bit executable, so on this 64-bit platform WOW64 file system redirection maps its writes to and launches from System32 onto SysWOW64. A sweep that only checks C:\Windows\System32 for omsecor.exe on a 64-bit host will miss the dropped copy.
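The WriteProcessMemory rows and the "Drops file in System32 directory" row above contain enough to reconstruct the process chain and to express the behaviour as detection rules. The following is an added example, not code from the sandbox or from this page; the row strings are copied from the behavioral1 tables, while the rule names (drop_into_system_dir, self_copy_relaunch, respawn_loop) and the directory lists are this example's own.

```python
"""Reconstruct the process chain from WriteProcessMemory rows and derive findings.
Added example; row text copied from this page's behavioral1 tables, rule names ours."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Rows as they appear in the report (each pair is listed four times there too).
WPM_ROWS = ([f"PID 2084 wrote to memory of 2000 N/A {SAMPLE} {ROAMING}"] * 4
            + [f"PID 2000 wrote to memory of 1688 N/A {ROAMING} {SYSWOW}"] * 4
            + [f"PID 1688 wrote to memory of 1956 N/A {SYSWOW} {ROAMING}"] * 4)
FILE_ROWS = [f"File created {SYSWOW} {ROAMING} N/A"]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)")
FILE_RE = re.compile(r"File created (\S+) (\S+)")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")   # assumed scope
USER_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")   # assumed scope


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_dirs(path, dirs):
    return any(d in path.lower() for d in dirs)


def parse_writes(rows):
    """(src_pid, dst_pid) -> number of writes, plus pid -> image path."""
    edges, images = {}, {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        src, dst = int(m[1]), int(m[2])
        edges[(src, dst)] = edges.get((src, dst), 0) + 1
        images[src], images[dst] = m[3], m[4]
    return edges, images


def process_chain(edges, images):
    """Walk from the single root (a writer nobody writes to) down the tree.
    This sample's tree is a straight line; the walk stops if it ever branches."""
    children = {}
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
    written_to = {dst for _, dst in edges}
    roots = [p for p in children if p not in written_to]
    if len(roots) != 1:
        raise ValueError(f"expected a single root, got {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append((pid, images[pid]))
        kids = children.get(pid, [])
        pid = kids[0] if len(kids) == 1 else None
    return chain


def findings(chain, file_rows):
    """Rules a detection engineer would derive from this report."""
    out = []
    for row in file_rows:
        m = FILE_RE.match(row)
        # a process living in a user-writable directory creates a file in a system directory
        if m and in_dirs(m[1], SYSTEM_DIRS) and in_dirs(m[2], USER_DIRS):
            out.append(("drop_into_system_dir", m[2], m[1]))
    for (ppid, pimg), (cpid, cimg) in zip(chain, chain[1:]):
        # same file name started from a different directory: a self-copy relaunch
        if basename(pimg) == basename(cimg) and pimg.lower() != cimg.lower():
            out.append(("self_copy_relaunch", ppid, cpid))
    images = [img.lower() for _, img in chain]
    if len(images) != len(set(images)):               # an image path recurs in the chain
        out.append(("respawn_loop", [pid for pid, _ in chain]))
    return out


if __name__ == "__main__":
    edges, images = parse_writes(WPM_ROWS)
    chain = process_chain(edges, images)
    for pid, img in chain:
        print(pid, img)
    for f in findings(chain, FILE_ROWS):
        print(*f)
```

The drop rule keys on SysWOW64 as well as System32 for the redirection reason given above; a rule written against System32 alone would not fire on this run.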

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 lousta.net udp 1
FI 193.166.255.171:80 lousta.net tcp 4
US 8.8.8.8:53 mkkuei4kdsz.com udp 1
US 64.225.91.73:80 mkkuei4kdsz.com tcp 2
US 8.8.8.8:53 ow5dirasuek.com udp 1
US 52.34.198.229:80 ow5dirasuek.com tcp 1

The 8.8.8.8:53 rows are DNS lookups through the resolver; the network indicators are the three domains and the addresses they resolved to.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe is written twice in this run with different contents (SHA256 f9fadfb7... then aa53ee6f...), and the SysWOW64 copy is a third distinct file (e2144d25...), so the dropped copies are not byte-identical to each other or to the submitted sample. The memory/PID-N-... entries are the sandbox's memory dumps (every one covers the image at 0x400000-0x42D000), not files on disk.

memory/2084-1-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2084-10-0x00000000002B0000-0x00000000002DD000-memory.dmp

memory/2084-9-0x00000000002B0000-0x00000000002DD000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a86ff7799cf161988cff78ebde14a55f
SHA1 fe16879b5347c9add85db00e565eabd035e7720b
SHA256 f9fadfb79d2947f0f124ed0c03e9383e5e5f9eb0ff55f1a6ec3081b64ff76a16
SHA512 f65c9c5fb2cff6a1d6a2374077a903de8beaba842a05af82a5851937d0e5c34e18710874d838c7677be114c82ae1b51512d77a22352e451e7db18bee4078dfdb

memory/2000-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2000-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2084-16-0x00000000002B0000-0x00000000002DD000-memory.dmp

memory/2000-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2000-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2000-24-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 3fe970203a30f0159b9b484bb6fc7524
SHA1 45100dfd92f29823b1b9fe1da0665df3669bf300
SHA256 e2144d25e2637124d7ddafa59cbe7afedb27c6fd41a65ca9c7d942f75fe51fa5
SHA512 c5e17904cff25eaeebdaab45b93b2463f30090062fe93f2c7b16699c4141928884a3f0cae38032bb1b40690e926a9e4315b7a4689cd4be166c4c9c0c2bc41b33

memory/2000-27-0x0000000002280000-0x00000000022AD000-memory.dmp

memory/2000-35-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 332b12c9635bd74461b288dd06207993
SHA1 c4ba2668fe22c81ad659da667023d1d698c1771b
SHA256 aa53ee6fe332d5c53a67d02e4d3fdeae7cb9105f39d9a7e9f122fe2cbb0b1456
SHA512 420260d2f52dd244b6081fab602b6c8db14050259e7faa4ef2add5f1fe79760c74ac17f64cf4cbf4a12bf0baeaa6db0988bc963f4428ca4f8ca94de4a1d8f1ba

memory/1688-40-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1956-50-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1688-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1688-46-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1956-51-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1956-54-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 06:44

Reported

2024-06-12 06:47

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
(16 matches; no per-indicator details reported)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
(16 matches; no per-indicator details reported)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5.exe

"C:\Users\Admin\AppData\Local\Temp\f167355b0c1cba9cf0ead74a8a64af909494c6beea7322ab3eefb8642d9a0df5.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Same chain as on Windows 7: sample -> %AppData%\Roaming\omsecor.exe -> SysWOW64\omsecor.exe -> %AppData%\Roaming\omsecor.exe. No WriteProcessMemory rows were recorded for this run, so PIDs are only visible in the memory-dump names in the Files section (764, 3968, 364 and 4444, in dump order). The third process is again launched as C:\Windows\System32\omsecor.exe while its image is C:\Windows\SysWOW64\omsecor.exe, the effect of WOW64 file system redirection on a 32-bit process.

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 lousta.net udp 1
FI 193.166.255.171:80 lousta.net tcp 4
US 8.8.8.8:53 mkkuei4kdsz.com udp 1
US 64.225.91.73:80 mkkuei4kdsz.com tcp 2
US 8.8.8.8:53 ow5dirasuek.com udp 1
US 52.34.198.229:80 ow5dirasuek.com tcp 1

Remaining rows. None is tied to a signature by the report; the bing.com traffic is typical Windows 10 background, and the in-addr.arpa rows are reverse lookups (two of them, 73.91.225.64 and 229.198.34.52, are for the sample's own destinations 64.225.91.73 and 52.34.198.229):
US 8.8.8.8:53 g.bing.com udp 1
US 204.79.197.237:443 g.bing.com tcp 1
NL 23.62.61.58:443 www.bing.com tcp 1
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp 1
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp 1
US 8.8.8.8:53 58.61.62.23.in-addr.arpa udp 1
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp 1
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp 1
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp 1
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 (domain not recorded) udp 1

Files

The first drop to C:\Users\Admin\AppData\Roaming\omsecor.exe has the same MD5/SHA256 as in behavioral1 (a86ff779... / f9fadfb7...), so that stage is written deterministically from the sample; the SysWOW64 copy (2bb1b967...) and the second Roaming copy (c6b4ae83...) differ from both each other and from the Windows 7 run. Memory dumps for this run come from PIDs 764, 3968, 364 and 4444.

memory/764-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a86ff7799cf161988cff78ebde14a55f
SHA1 fe16879b5347c9add85db00e565eabd035e7720b
SHA256 f9fadfb79d2947f0f124ed0c03e9383e5e5f9eb0ff55f1a6ec3081b64ff76a16
SHA512 f65c9c5fb2cff6a1d6a2374077a903de8beaba842a05af82a5851937d0e5c34e18710874d838c7677be114c82ae1b51512d77a22352e451e7db18bee4078dfdb

memory/3968-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/764-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3968-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3968-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3968-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3968-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 d91a476df7e56c3097945f785716e290
SHA1 50628dc466029376ebb4d7f485ec39dd130c0bc2
SHA256 2bb1b9678f8688e82b915404cc41a4f642d5e78164ae780f7e072f3e18af5028
SHA512 41f0a2b06c55e524add7eb2e0425e9b0fafde69fec42a647730382297433e3c12fe507d70f49c6d6c202be558dbfa492add7a3b53d61a0dc2faba1a189e51a0b

memory/3968-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/364-21-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 58fd8fda2dc3402b675e139c1948183c
SHA1 cffeb77eea88f332139619e6a36abd0a1a5598cc
SHA256 c6b4ae83d61336edf2cda378475880737bec378bba1e1f44c96c02f16bfd00a7
SHA512 b5d3a79547db1cfab34aa4c3dff41672a55652472127924e9cbaab8f5d5e5b66fedf6c3b3a3fb1fb308df34d715700d7ed92dffd260b99cef17f33ff1ed36d9f

memory/364-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4444-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4444-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4444-33-0x0000000000400000-0x000000000042D000-memory.dmp
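Across the two runs the same dropped path carries several different hashes, while the domains and addresses are stable. The following is an added example, not part of the sandbox report, that parses the Files and Network sections as they are laid out on this page and aggregates the indicators. The text blobs are copied from the page (SHA1/SHA512 lines and memory-dump entries omitted, and the network rows are a subset of behavioral2's table including its malformed last row); the noise list is an assumption, treating bing.com and in-addr.arpa lookups as Windows/sandbox background because no signature on the page ties them to the sample.

```python
"""Aggregate file and network indicators from both detonations.
Added example, not from the report; input text copied from this page, noise list assumed."""
import re
from collections import defaultdict

FILES_TEXT = r"""
behavioral1
\Users\Admin\AppData\Roaming\omsecor.exe
MD5 a86ff7799cf161988cff78ebde14a55f
SHA256 f9fadfb79d2947f0f124ed0c03e9383e5e5f9eb0ff55f1a6ec3081b64ff76a16
\Windows\SysWOW64\omsecor.exe
MD5 3fe970203a30f0159b9b484bb6fc7524
SHA256 e2144d25e2637124d7ddafa59cbe7afedb27c6fd41a65ca9c7d942f75fe51fa5
\Users\Admin\AppData\Roaming\omsecor.exe
MD5 332b12c9635bd74461b288dd06207993
SHA256 aa53ee6fe332d5c53a67d02e4d3fdeae7cb9105f39d9a7e9f122fe2cbb0b1456
behavioral2
C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 a86ff7799cf161988cff78ebde14a55f
SHA256 f9fadfb79d2947f0f124ed0c03e9383e5e5f9eb0ff55f1a6ec3081b64ff76a16
C:\Windows\SysWOW64\omsecor.exe
MD5 d91a476df7e56c3097945f785716e290
SHA256 2bb1b9678f8688e82b915404cc41a4f642d5e78164ae780f7e072f3e18af5028
C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 58fd8fda2dc3402b675e139c1948183c
SHA256 c6b4ae83d61336edf2cda378475880737bec378bba1e1f44c96c02f16bfd00a7
"""

NETWORK_TEXT = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.58:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 udp
"""

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?(\\.+\.exe)$", re.I)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\d+\.\d+\.\d+\.\d+):(\d+)(?: (\S+))? (udp|tcp)$")
RESOLVER = "8.8.8.8"                                  # the sandbox's DNS server, not an IOC
NOISE_SUFFIXES = (".in-addr.arpa", "bing.com")       # assumption: OS/sandbox background


def file_hashes(text):
    """path (drive letter stripped, lower-cased) -> {algorithm: set of hashes}.
    Lines that are neither a path nor a hash (section markers, dumps) are skipped."""
    out, current = defaultdict(lambda: defaultdict(set)), None
    for line in text.splitlines():
        if m := PATH_RE.match(line.strip()):
            current = m[1].lower()
        elif (m := HASH_RE.match(line.strip())) and current:
            out[current][m[1]].add(m[2])
    return out


def network_iocs(text):
    """domain -> set of resolved IPs for the sample's own traffic. A domain seen
    only in a DNS query is still recorded (with no IPs); the resolver address is
    never added as an IP, and a resolver row without a domain carries nothing."""
    domains = defaultdict(set)
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        ip, domain = m[2], m[4] or ""
        if domain.endswith(NOISE_SUFFIXES) or (not domain and ip == RESOLVER):
            continue
        bucket = domains[domain]
        if ip != RESOLVER:
            bucket.add(ip)
    return domains


def summary(files, domains):
    return {"distinct_sha256_per_path": {p: len(h["SHA256"]) for p, h in files.items()},
            "domains": {d: sorted(ips) for d, ips in domains.items()}}


if __name__ == "__main__":
    print(summary(file_hashes(FILES_TEXT), network_iocs(NETWORK_TEXT)))
```

The point of the per-path count is operational: a hash blocklist built from one detonation covers at most the first Roaming drop (the only copy with a stable hash), so the path, the System32/SysWOW64 drop behaviour and the three domains are the indicators that generalise.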