Malware Analysis Report

2024-09-11 08:19

Sample ID 240616-a3333awbpn
Target 9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c
SHA256 9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c
Tags
upx neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c

Threat Level: Known bad

The file 9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd

Neconyd family

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 00:45

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 00:45

Reported

2024-06-16 00:47

Platform

win7-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2444 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2444 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2444 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2444 wrote to memory of 1288 | N/A | C:\Users\Admin\AppData\Local\Temp\9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1288 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1288 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1288 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1288 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 544 wrote to memory of 1992 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 544 wrote to memory of 1992 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 544 wrote to memory of 1992 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 544 wrote to memory of 1992 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c.exe

"C:\Users\Admin\AppData\Local\Temp\9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp

Files

memory/2444-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 72e1da34967bb0a6a2bdb75e72a1100c
SHA1 9a49acdb897263411b3442c8ae7098da25cbf186
SHA256 aeeb2a2d5acdd8870d57e6230a7b51fe39ec2d64d60ae1fb94b6a96fa46beff1
SHA512 2c866671382ffd9a25ea58f145a9b3b487aa0cf07c63e68cd859a4d8d827601e5f7fd958dfeebecb45ddc13519e86aab7f9ae013cfed946f804766aa6dc700b1

memory/2444-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1288-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1288-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1288-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1288-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1288-20-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 8456b1b1d4030aa90d6c5015010b9392
SHA1 67a66d8429ab34d0a7f92c2ca080e0dc5ceef416
SHA256 975e15943f23c85f4b28bba06abcdb99e685fd6de9d453a57fe7d31e6093efd7
SHA512 d42165d7ec37a37ff0e4f359c5fe9ea184fcda65e978bbc04fb7b95cfbfc1774f4b0bb54c116083ca270742f289325930296e24362a807da3122313ac6970958

memory/1288-24-0x0000000000380000-0x00000000003AD000-memory.dmp

memory/544-38-0x0000000000220000-0x000000000024D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3c93e3cdfad9b10641b8d9d3f5e498a7
SHA1 a2530faacc5fce45cc23f3a1bf52ab97761077f6
SHA256 66cdfbafed283b4116fb5ad85d8d3834b5ca5eebafc695e8f694485fddb052a5
SHA512 c7a8d646ef12c8b5164a877889497e679a004eca891a8a2dffb441ecda9432cfa418a44ecfaec0b487c36ba554fc1e2f2d4a31993e6be1a0b83e046de0bf53cc

memory/544-35-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1288-31-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1992-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1992-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1992-49-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1992-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 00:45

Reported

2024-06-16 00:47

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c.exe

"C:\Users\Admin\AppData\Local\Temp\9ddfad74befd079b347ffdaa87e54f05d0936a4f4abd48d06d4e3dac73ee2d7c.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

memory/4616-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 72e1da34967bb0a6a2bdb75e72a1100c
SHA1 9a49acdb897263411b3442c8ae7098da25cbf186
SHA256 aeeb2a2d5acdd8870d57e6230a7b51fe39ec2d64d60ae1fb94b6a96fa46beff1
SHA512 2c866671382ffd9a25ea58f145a9b3b487aa0cf07c63e68cd859a4d8d827601e5f7fd958dfeebecb45ddc13519e86aab7f9ae013cfed946f804766aa6dc700b1

memory/4616-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3532-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3532-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3532-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3532-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3532-13-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 f90a284ab76e583acde2a3b036d62be4
SHA1 77d41808cb4c49dcb06de356fae7354cf46f0fa3
SHA256 9af7d81e8083b8ff5f65a08808bee0ad3dedb60cb32054db73c007fdcc3f8a16
SHA512 60fe393464549198ff70486ff09191869f033ccff4e856bf33cb0d88fbd76da311b74f2afa29cf39330e3dfa3ef554cd99781426532103c87af6ad6fc03f8ecc

memory/3532-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5048-21-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e2f513f2a9701e70d3f712bba1d56b1d
SHA1 f09b0826d5b587b21bd9d5411ce16f30b9a47867
SHA256 784e6dc200e9b5c0ab134409c08eb9be464f04a762ba06e2e61253bc09c2d294
SHA512 539ba6c3738307be4d0b233bb29fdbc9dc96957920b11335d9a4242d36c7f267cb32da641eca95e66722e84b71af9b0b4580fbaa5bdca0a04bb4a9b17251b036

memory/1824-24-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1824-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1824-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1824-31-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1824-33-0x0000000000400000-0x000000000042D000-memory.dmp