Malware Analysis Report

2024-09-11 08:31

Sample ID 240615-bbc81axbrp
Target b070212172346a9a4b5ebe10861f80870bda542ba9fc8bf8a2653e13a3c103d9
SHA256 b070212172346a9a4b5ebe10861f80870bda542ba9fc8bf8a2653e13a3c103d9
Tags
neconyd trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b070212172346a9a4b5ebe10861f80870bda542ba9fc8bf8a2653e13a3c103d9

Threat Level: Known bad

The file b070212172346a9a4b5ebe10861f80870bda542ba9fc8bf8a2653e13a3c103d9 was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd

Neconyd family

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 00:57

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
1 hit (no description, indicator, process or target recorded)

UPX packed file

upx
Description Indicator Process Target
1 hit (no description, indicator, process or target recorded)

Unsigned PE

Description Indicator Process Target
2 hits (no description, indicator, process or target recorded)
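The static signatures above ("UPX packed file", "UPX dump on OEP") come from the sandbox's own rules. The script below is an added example, not the sandbox's code, showing the two static checks an analyst would reproduce by hand: the UPX0/UPX1 section names in the section table and the near-8-bit entropy of the compressed UPX1 body. The two PE images are constructed in memory as fixtures (they are not the analysed sample and are not loadable), and the 7.0 bits-per-byte threshold is an assumption chosen for the demo.

```python
"""Static check for UPX packing: UPX section names plus section entropy.

Added example, not code from the sandbox or the report. The two PE images
are constructed in memory as fixtures (not the analysed sample) so the
check runs offline; only the header fields the parser reads are filled in.
"""
import hashlib
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0  # assumed threshold, bits per byte; packed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) for every section header of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    off = coff + 20 + opt_size                           # first section header
    for _ in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        yield name.rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]
        off += 40


def upx_verdict(pe: bytes) -> dict:
    """UPX findings for one image: section names, per-section entropy, verdict."""
    sections = list(parse_sections(pe))
    entropy = {n.decode(errors="replace"): round(shannon_entropy(d), 2) for n, d in sections}
    upx_names = sorted(n.decode() for n, _ in sections if n in UPX_SECTION_NAMES)
    # UPX0 is an empty placeholder the stub fills at run time; the compressed
    # body lives in UPX1, so a high-entropy UPX1 is the strongest static signal.
    high = [n for n, e in entropy.items() if e >= HIGH_ENTROPY]
    return {
        "upx_sections": upx_names,
        "high_entropy_sections": high,
        "likely_upx_packed": bool(upx_names) and bool(high),
        "entropy": entropy,
    }


# ---- constructed fixtures (hypothetical images, not the sample) ----

def pseudo_random(n: int, seed: bytes = b"fixture") -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256) standing in for UPX1."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_pe(sections) -> bytes:
    """Minimal PE32 image with the given [(name, payload)] sections.
    Only fields parse_sections() reads are meaningful; it is not loadable."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF              # 0x200 file alignment
    hdrs, body = b"", b""
    for name, payload in sections:
        hdrs += struct.pack("<8sIIII", name.ljust(8, b"\0"), len(payload) or 0x1000,
                            0x1000, len(payload), raw_ptr if payload else 0)
        hdrs += b"\0" * 16                                  # relocs, line numbers, flags
        body += payload
        raw_ptr += len(payload)
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + hdrs
    return image + b"\0" * (((headers_len + 0x1FF) & ~0x1FF) - len(image)) + body


PACKED_PE = build_pe([(b"UPX0", b""), (b"UPX1", pseudo_random(4096)), (b".rsrc", b"\0" * 512)])
PLAIN_PE = build_pe([(b".text", bytes(range(16)) * 256), (b".data", b"\0" * 512)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_PE), ("plain", PLAIN_PE)):
        print(label, upx_verdict(img))
```

Section names alone are a weak signal (they are trivially renamed), which is why the verdict also requires a high-entropy section; conversely a packer that keeps low-entropy stubs but renames sections will still trip the name check. Neither check says anything about what the unpacked code does, which is what the behavioural runs below cover.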

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 00:57

Reported

2024-06-15 01:00

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b070212172346a9a4b5ebe10861f80870bda542ba9fc8bf8a2653e13a3c103d9.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
16 hits (no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
16 hits (no description, indicator, process or target recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b070212172346a9a4b5ebe10861f80870bda542ba9fc8bf8a2653e13a3c103d9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b070212172346a9a4b5ebe10861f80870bda542ba9fc8bf8a2653e13a3c103d9.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
  (32-bit process: WoW64 file-system redirection resolves the System32 path in the command line to SysWOW64, which is where the dropped copy was created)

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/208-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2ff387b9c16e467176ac281e896725f0
SHA1 f084a51ae7551d41ccdb94eef8bb761dfd125b31
SHA256 12ee8c99a16863f16a4940c59b060c3c9c75cd2283064fdbbcdbc6e89880a1ca
SHA512 c40083b7a303cc56de79e7e7552da7314a6025f7cdaaad517176f4d4f13dec1308c407350b0885d933214c1f05743ceb93aed92865c7b25bd0165684e53365cc

memory/208-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4404-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4404-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4404-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4404-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4404-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 6f9c71fb2884d65ce16f575129419c2a
SHA1 c46ccad7324487c660bdc99c024a44a6f4498c99
SHA256 3725c6e1c440fd6df5612e3e7c5f6b7eda11917f22ddbf5fb376cc4663496ff7
SHA512 563a8dd77ae2509c42c59b461bf20393512d43ccf38aedc74f29a97ccb90b9f8c6afe595bb257a0063348ba26663a3dfe99f12d71ca0d5a22640f7052fbca32e

memory/1224-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4404-22-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ca39cada78414422f008d7f7fa1ff712
SHA1 7724a572a17996f7bf91c918802735fceee9e5bc
SHA256 ff046446cb0a2464403526dd6f33fe1364c185406640d1327db383da942ef5bb
SHA512 54a211b777ef3fb412510b9d59e1917f749a7cec4c0b4d2656c16ff308fe13fa8fac11334987b569af993b0e1d3fc9d1c6f8d8df17b0dd89df0a8ecbf968494a

memory/1224-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4024-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4024-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4024-33-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 00:57

Reported

2024-06-15 01:00

Platform

win7-20240611-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b070212172346a9a4b5ebe10861f80870bda542ba9fc8bf8a2653e13a3c103d9.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
14 hits (no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
14 hits (no description, indicator, process or target recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A
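Both behavioural runs record the same chain: the sample in %TEMP% writes omsecor.exe to %APPDATA%\Roaming and runs it, and that copy writes a second omsecor.exe into SysWOW64 and runs that ("Executes dropped EXE", "Drops file in System32 directory"). The script below is an added example, not the sandbox's signature code, of how those two behaviours are detected from endpoint telemetry. SAMPLE_EVENTS is constructed in the shape of Sysmon events (Event ID 1 = process create, Event ID 11 = file create) using the paths this report lists; the events themselves, the explorer.exe parent and the benign svchost.exe control at the end are invented for the demo.

```python
"""Detection logic for the drop-and-execute chain the report records.

Added example, not code from the sandbox or the report. SAMPLE_EVENTS is
constructed in the shape of Sysmon events (ID 1 = process create, ID 11 =
file create) using the paths the report lists; the events themselves, and
the benign control at the end, are invented for the demo.
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events):
    """Return (rule, actor, target) alerts for the behaviours the report flags:
    a previously written file being executed, an executable written into a
    system directory by a non-system process, and a user-writable parent
    launching a user-writable child."""
    alerts = []
    created = {}          # lower-cased path of every file written -> writer image
    for ev in events:
        if ev["EventID"] == 11:                           # FileCreate
            target, writer = ev["TargetFilename"], ev["Image"]
            created[target.lower()] = writer
            if target.lower().endswith(".exe") and in_system_dir(target) \
                    and not in_system_dir(writer):
                alerts.append(("system_dir_drop", writer, target))
        elif ev["EventID"] == 1:                          # ProcessCreate
            image, parent = ev["Image"], ev["ParentImage"]
            writer = created.get(image.lower())
            if writer is not None:                        # file seen written earlier
                alerts.append(("executes_dropped_exe", writer, image))
            if in_user_writable(image) and in_user_writable(parent):
                alerts.append(("user_dir_chain_exec", parent, image))
    return alerts


# Paths from the report. Sysmon's Image field holds the real on-disk path, so
# the second copy appears under SysWOW64 even though its command line named System32.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\b070212172346a9a4b5ebe10861f80870bda542ba9fc8bf8a2653e13a3c103d9.exe"
ROAMING_EXE = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW_EXE = r"C:\Windows\SysWOW64\omsecor.exe"

SAMPLE_EVENTS = [  # constructed for the demo, not sandbox output
    {"EventID": 1, "Image": TEMP_EXE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "Image": TEMP_EXE, "TargetFilename": ROAMING_EXE},
    {"EventID": 1, "Image": ROAMING_EXE, "ParentImage": TEMP_EXE},
    {"EventID": 11, "Image": ROAMING_EXE, "TargetFilename": SYSWOW_EXE},
    {"EventID": 1, "Image": SYSWOW_EXE, "ParentImage": ROAMING_EXE},
    # benign control (hypothetical): a system-directory process writing into SysWOW64
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\example.exe"},
]


def sample_alerts():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, actor, target in sample_alerts():
        print(f"{rule:22} {actor} -> {target}")
```

The "executes dropped EXE" rule keys on the file path rather than the hash, which is what lets it fire here even though the report shows the Roaming copy and the SysWOW64 copy with different hashes. On a real host the created map needs an expiry and the system-directory check should also exempt trusted updaters (TrustedInstaller, msiexec.exe) that legitimately write into SysWOW64, or the rule will be noisy on patch day.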

Processes

C:\Users\Admin\AppData\Local\Temp\b070212172346a9a4b5ebe10861f80870bda542ba9fc8bf8a2653e13a3c103d9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b070212172346a9a4b5ebe10861f80870bda542ba9fc8bf8a2653e13a3c103d9.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe
  (32-bit process: WoW64 file-system redirection resolves the System32 path in the command line to SysWOW64, which is where the dropped copy was created)

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
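The network tables of both runs mix the sample's own traffic with sandbox noise: every 8.8.8.8:53 row is a resolver query rather than a contact, the in-addr.arpa rows are the sandbox's reverse lookups of addresses it saw, and www.bing.com is Windows background traffic. The script below is an added example, not the sandbox's code, that reduces the tables to the endpoints worth blocking. ROWS is copied from the behavioral2 table (the behavioral1 table is a subset of it); the resolver address, the PTR rule and the allowlist of background domains are this example's assumptions about what counts as noise, not a classification the sandbox makes.

```python
"""IOC triage for the sandbox network tables above.

Added example, not code from the sandbox or the report. ROWS is copied
from the behavioral2 network table (behavioral1 is a subset); the noise
rules (public resolver address, PTR lookups, an allowlist of OS background
domains) are this example's assumptions, not the sandbox's classification.
"""
import ipaddress
from collections import defaultdict

RESOLVER_IP = "8.8.8.8"                  # the VM's DNS server in these runs
BACKGROUND_ALLOWLIST = {"www.bing.com"}  # assumption: Windows background traffic

ROWS = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""


def parse_rows(text: str):
    """Yield one dict per 'Country Destination Domain Proto' row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        ipaddress.ip_address(ip)         # raises on a malformed destination
        yield {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def triage(rows):
    contacts = defaultdict(set)   # domain -> {(ip, port, proto, country)}
    dns_only, noise = set(), []
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            noise.append(("ptr_lookup", r["domain"]))      # sandbox reverse DNS
        elif r["ip"] == RESOLVER_IP and r["port"] == 53:
            dns_only.add(r["domain"])                      # a query, not a contact
        elif r["domain"] in BACKGROUND_ALLOWLIST:
            noise.append(("allowlisted", r["domain"]))
        else:
            contacts[r["domain"]].add((r["ip"], r["port"], r["proto"], r["country"]))
    dns_only -= set(contacts)   # queried and then contacted: not DNS-only
    return {
        "c2_candidates": {d: sorted(v) for d, v in contacts.items()},
        "dns_only": sorted(dns_only),
        "noise": noise,
    }


def to_indicators(result) -> list:
    """Flatten to de-duplicated blocklist lines: domain first, then endpoints."""
    lines = []
    for domain, endpoints in sorted(result["c2_candidates"].items()):
        lines.append(f"domain:{domain}")
        for ip, port, proto, country in endpoints:
            lines.append(f"{proto}:{ip}:{port}  # {domain} ({country})")
    for domain in result["dns_only"]:
        lines.append(f"domain:{domain}  # resolved only, no connection observed")
    return lines


def triage_report():
    return triage(parse_rows(ROWS))


if __name__ == "__main__":
    result = triage_report()
    print("\n".join(to_indicators(result)))
    print(f"{len(result['noise'])} noise rows dropped")
```

For this sample the output is the three domains lousta.net, mkkuei4kdsz.com and ow5dirasuek.com with their port-80 endpoints; the dns_only bucket is empty because every domain the sample resolved was also contacted. Keeping the domain indicator separate from the IP indicator matters here: the domains are the stable part, while hosting addresses for a three-minute detonation are the part most likely to rotate.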

Files

memory/2384-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2ff387b9c16e467176ac281e896725f0
SHA1 f084a51ae7551d41ccdb94eef8bb761dfd125b31
SHA256 12ee8c99a16863f16a4940c59b060c3c9c75cd2283064fdbbcdbc6e89880a1ca
SHA512 c40083b7a303cc56de79e7e7552da7314a6025f7cdaaad517176f4d4f13dec1308c407350b0885d933214c1f05743ceb93aed92865c7b25bd0165684e53365cc

memory/2384-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2384-4-0x0000000000220000-0x000000000024D000-memory.dmp

memory/2384-10-0x0000000000220000-0x000000000024D000-memory.dmp

memory/804-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/804-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/804-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/804-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 2659dbb16e1cd52fea55a4fd6ca006da
SHA1 b6ceb79469164b1a8677e996008d2edac3ec6c30
SHA256 3e9686f850ef30b8d2c4d6864f27e2046075770c18cbafdfadf50437dde4ae00
SHA512 9af38c1ccded0bdf977e0b34dc011d973a761bbb606c0ed2e5861b5ce97edd7b6c37dd3809d4edd5fbee62b7791e22bfaad159b4ff362bb6e258ae1e2673574d

memory/804-26-0x00000000021F0000-0x000000000221D000-memory.dmp

memory/804-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2924-36-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2924-37-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2924-40-0x0000000000400000-0x000000000042D000-memory.dmp