Malware Analysis Report

2024-09-11 08:21

Sample ID 240616-3s617aybll
Target 8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127
SHA256 8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127
Tags
upx neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127

Threat Level: Known bad

The file 8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127 was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

UPX dump on OEP (original entry point)

Neconyd

Neconyd family

UPX dump on OEP (original entry point)

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 23:47

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 23:47

Reported

2024-06-16 23:50

Platform

win7-20240221-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2836 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2836 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2836 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1992 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1992 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1992 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1992 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1944 wrote to memory of 2432 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1944 wrote to memory of 2432 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1944 wrote to memory of 2432 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1944 wrote to memory of 2432 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127.exe

"C:\Users\Admin\AppData\Local\Temp\8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1992-12-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 38eec77411c33f9e8ba4af3a7762fae9
SHA1 7f0cca6ad0e78a007dadd9657b41b4eb70fe236d
SHA256 9579593d6d3c2b601146870257dc6659564d11e3b22fc5a14c31d9f8a48f638a
SHA512 2a2e2dcc0c94f8a6efc598d15b58358f7d93c87485a577aa370340186fb1fcbc67d4b3d20c020a4d0cca0ca8725b74a016accf447343748c6ad8bd138df10774

memory/2836-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2836-1-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1992-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1992-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1992-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1992-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 1d1c294fab1f1dbe78619b5ecbf4bb36
SHA1 899e8d7e0a9e01c78bf8775833cf6364c1363ba0
SHA256 bec13ac4d05ad648eaa022c2af42f329cfe320b903195951feb3b5bd46a4350c
SHA512 9f17d83ea05052e93c6c68b96c955c4c53372eb73e8a366d9b282345e789c5ca6aea456c5feaca3cccf1f656f60fdf04fa135c3806a66dc6a6e73092512b4632

memory/1992-25-0x00000000003B0000-0x00000000003DD000-memory.dmp

memory/1944-34-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1992-32-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1944-44-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3376dee8f32ade8f2473c30485d0aff6
SHA1 08cceec4599e6c99154f538a56958d20ee5b5c63
SHA256 152176ddbc2d799f3c6cf1b9b8f178a42a24f9c43fe9465f5fd4b10a1de3a12c
SHA512 8dcc536a0236a992336cb1b4216ecad0db34bc8092ac5ebd70cf51a91347e5787b4577e15f7e3689c9cd8d00f3aae17466b2a9e38b5bc587533e2ab324b4def3

memory/2432-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2432-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2432-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 23:47

Reported

2024-06-16 23:50

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127.exe

"C:\Users\Admin\AppData\Local\Temp\8e76667889606e28036eada58de46daa93607a729e6a52511b0e183ab9c1a127.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

memory/116-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 38eec77411c33f9e8ba4af3a7762fae9
SHA1 7f0cca6ad0e78a007dadd9657b41b4eb70fe236d
SHA256 9579593d6d3c2b601146870257dc6659564d11e3b22fc5a14c31d9f8a48f638a
SHA512 2a2e2dcc0c94f8a6efc598d15b58358f7d93c87485a577aa370340186fb1fcbc67d4b3d20c020a4d0cca0ca8725b74a016accf447343748c6ad8bd138df10774

memory/4968-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/116-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4968-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4968-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4968-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4968-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4396-27-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6e57eaf4784b6f3cf03ab459f332001e
SHA1 c5c6e79d1ef9fb271cf159ae60f4ac5eb68b5cd8
SHA256 2a3055611ffbe8c60c98bc4bfcd8ced01eeb439605bf6d6a02a5619616b7838a
SHA512 fc0406f8eda37650e71a732281f6fed477f969e9f57e54456175fd08371722d8a7c8d6441486353cf4c1ed6e9f4bed3e86e38a481838736d090aef5c40c5b219

memory/624-25-0x0000000000400000-0x000000000042D000-memory.dmp

memory/624-20-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 a606ce2a7ac9cdc20190e01d6dfd763f
SHA1 ee1d411e50c8362d8cd70a19dd4de2079c625739
SHA256 6b25db99a7bb6489ffbe8ea98c7f95e3ec2fd7bd1027bc584ec4db868ea8e1d4
SHA512 60513751f0a30ffbe10a25fc6ee718348ca37b73ae3457b2d427f682dad242e16ebb8ee00e79cacddfdd439952f101725cd65024635f30433df9f38736c62ad0

memory/4968-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4396-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4396-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4396-32-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4396-34-0x0000000000400000-0x000000000042D000-memory.dmp