Malware Analysis Report

2024-09-11 08:19

Sample ID 240618-zbjb1szgkm
Target 3b9a6e4e502fda9ac821b6456c75a619a6a9a3c1b0403b21bd701c835bf69b17
SHA256 3b9a6e4e502fda9ac821b6456c75a619a6a9a3c1b0403b21bd701c835bf69b17
Tags: upx neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

3b9a6e4e502fda9ac821b6456c75a619a6a9a3c1b0403b21bd701c835bf69b17

Threat Level: Known bad

The file 3b9a6e4e502fda9ac821b6456c75a619a6a9a3c1b0403b21bd701c835bf69b17 was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd

UPX dump on OEP (original entry point)

Neconyd family

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-18 20:32

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 20:32

Reported

2024-06-18 20:35

Platform

win7-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b9a6e4e502fda9ac821b6456c75a619a6a9a3c1b0403b21bd701c835bf69b17.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows; no indicator details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows; no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\3b9a6e4e502fda9ac821b6456c75a619a6a9a3c1b0403b21bd701c835bf69b17.exe C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical rows)
PID 2100 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe (4 identical rows)
PID 1720 wrote to memory of 1944 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\3b9a6e4e502fda9ac821b6456c75a619a6a9a3c1b0403b21bd701c835bf69b17.exe

"C:\Users\Admin\AppData\Local\Temp\3b9a6e4e502fda9ac821b6456c75a619a6a9a3c1b0403b21bd701c835bf69b17.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

Files

memory/2964-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2964-9-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d7c8a9292cdcf5f641578a103ebc7bc2
SHA1 f139b56da9b241ea006f5fc0b7d10f8da8605358
SHA256 fda1e0b613d33e702846e1ed6c7b2de3134a21b418b4c81a5acd53ff9283f832
SHA512 0b78d1554d6f1ccb04cbc1213789dc557ad0e39836db2ac7b710788fb06de33d13967b0e4f8a9ac79a620737704ea90e5041cbf85c8bbd30f444d1f3438d9de1

memory/2100-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2100-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2100-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2100-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2100-20-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 a126c39923e18e205d598e4214b940ec
SHA1 405cd4e9a5261e6bb3da3fcbf7147e2071c3e691
SHA256 2f44eed5a95eb25da8cc2d8309398e487fb379c240057a081229712b020c35ad
SHA512 1ba842c80c786b3e5ecf150106186f52de866d03d3c6efafe4c8846c547822f7dff441693d4e9b9a05b4e2a78c866fec430885645061cb6da751e3f1e2e41b34

memory/2100-24-0x00000000002C0000-0x00000000002ED000-memory.dmp

memory/1720-35-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2100-31-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 03bb72e1d88059577049b85ce464bbe2
SHA1 fa58f0280fd53250c50c8545995682c7a0bbe0a9
SHA256 0897091ef1fc8b2ab57d36feb7739be14a25f75d5997cb0bea1b3e09081889b7
SHA512 fca1f465452fbbce3511fee26cf28ffbfaf7998d3f1700e2e4c3638397ffa9cbae4cb2cab1fe74e30fb2855d802b314a4e771d3eadf7f91c2921b2162e2f5877

memory/1944-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1944-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1944-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1944-50-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 20:32

Reported

2024-06-18 20:35

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b9a6e4e502fda9ac821b6456c75a619a6a9a3c1b0403b21bd701c835bf69b17.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows; no indicator details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows; no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b9a6e4e502fda9ac821b6456c75a619a6a9a3c1b0403b21bd701c835bf69b17.exe

"C:\Users\Admin\AppData\Local\Temp\3b9a6e4e502fda9ac821b6456c75a619a6a9a3c1b0403b21bd701c835bf69b17.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 171.255.166.193.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
NL 52.111.243.30:443 tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

memory/428-1-0x0000000000400000-0x000000000042D000-memory.dmp

memory/428-6-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d7c8a9292cdcf5f641578a103ebc7bc2
SHA1 f139b56da9b241ea006f5fc0b7d10f8da8605358
SHA256 fda1e0b613d33e702846e1ed6c7b2de3134a21b418b4c81a5acd53ff9283f832
SHA512 0b78d1554d6f1ccb04cbc1213789dc557ad0e39836db2ac7b710788fb06de33d13967b0e4f8a9ac79a620737704ea90e5041cbf85c8bbd30f444d1f3438d9de1

memory/100-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/100-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/100-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/100-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 ab221912ed02a2276171fe06e9231159
SHA1 8e349a2051ac485c8f250cd9505d59de3db14349
SHA256 7172bae4ce4039507beb9ba1ac5526a05627e34c94c944dd46a6fd258124dc6d
SHA512 b3c4ada47222193dd41ab49579f08a6710a042467d1f569bab16172cc86cfedcec399163eb0334342e93db2d350c2d0720abf6824f52777b43472c94ffbd5b61

memory/100-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3068-22-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0d3b5a8c8b6de176dd7afc179e287584
SHA1 663fbdc9e825a8c14bf49970be28032bdfa200a2
SHA256 b454f4226531e837bccb8ac495ab39d1b663a66ae4db57fad313266718fbb4ff
SHA512 2f0b87f2dbd512d28999b071bc082be380762ba0de7b0a171f576fd57513ec8621979b2fce1d834e26e15e5b5bf4cb771910ba3805f5f91bd024b4f911074d9a

memory/3068-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4236-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4236-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4236-33-0x0000000000400000-0x000000000042D000-memory.dmp