Malware Analysis Report

2024-09-11 08:27

Sample ID 240619-avlh2svaql
Target 987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a
SHA256 987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a
Tags
upx neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a

Threat Level: Known bad

The file 987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 00:32

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 00:32

Reported

2024-06-19 00:34

Platform

win7-20240221-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1260 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1260 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1260 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2140 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2140 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2140 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2140 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2708 wrote to memory of 1976 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 1976 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 1976 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2708 wrote to memory of 1976 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe

"C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1260-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dc480dacb0156401ef14335790bcd466
SHA1 e0a08c40d23ba08b90c62d831b40782d0752a49b
SHA256 418395da622c4f81f93db174b004a19d105e4d6fd67d5436642f8162a295665a
SHA512 439dbe19e2a54133494f0508a537be23bbeb46d4d705be53ef537847350041aeec2fdd0c7b61c26e515d27060dfb080a14c9aea4c310c25ade239ee3a1c31607

memory/1260-10-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1260-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2140-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2140-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2140-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2140-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 ec8cec4f9033f74f7677ca560749f7e3
SHA1 14188c0612c13c279f94d60e47f0ec2ce18499d1
SHA256 f46bcaf3c70bbcf73bc5b8b9f7a97f77ad14c2b518498ce99395f87cff2f2d87
SHA512 60f982d861fa37de0ba884fca8492b560cb34cdbf726e54f2d233af9b7362243861e05fce9ce807b52156d5df7ee35cf4111057e8224324af31090be9bd44083

memory/2140-25-0x0000000000280000-0x00000000002AD000-memory.dmp

memory/2140-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2708-36-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b1fbf6370ad3d99b5000a5552c5823c9
SHA1 7a4bae0b3a05aa47e9c31e3abf1100eca3fde0f1
SHA256 ddbcb01ecc2ad60c3673061f7089bedb1a3571511055b906452eb88e90b66dfe
SHA512 ba2a7cc52e265a135c9a195d4c758261934f214ce9bfd0b137f17df6fda6d80aec20ad0a24b372810a29833646fc8d57ca0db128f12b004bc3e912901e68c4f5

memory/2708-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1976-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1976-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1976-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 00:32

Reported

2024-06-19 00:34

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 216 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 216 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 216 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 5112 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5112 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 5112 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3036 wrote to memory of 3248 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3036 wrote to memory of 3248 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3036 wrote to memory of 3248 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe

"C:\Users\Admin\AppData\Local\Temp\987d11c803f38d8b39f5b2e26ec624459613f4b677f34a443d488d48fec0301a.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

memory/216-1-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dc480dacb0156401ef14335790bcd466
SHA1 e0a08c40d23ba08b90c62d831b40782d0752a49b
SHA256 418395da622c4f81f93db174b004a19d105e4d6fd67d5436642f8162a295665a
SHA512 439dbe19e2a54133494f0508a537be23bbeb46d4d705be53ef537847350041aeec2fdd0c7b61c26e515d27060dfb080a14c9aea4c310c25ade239ee3a1c31607

memory/5112-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5112-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5112-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5112-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5112-12-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 4ad63269b6c4f7c838824715dc6551e5
SHA1 8fc62beb5c9f56ac1ed41d8e659366a794acbdc4
SHA256 8791b852f650990dba46a557261b0d6968740b6e2616f1110eff384ed019802d
SHA512 8a7b142a4da5bbaffabbde7aa0e0d8d7daf7300997372944f74bb4f2dc07527a41be740b2997d139e9bca3439a08a3cdd221ec91b5cfd5a3d96da8bec0cf9ff4

memory/5112-17-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1f9e530d8f64957fa7b0b01cdd1fc4ce
SHA1 e4e916567bf3433e398accf5507bb3992e89300f
SHA256 2d9e816719a00c9fba32a7c204b2e2878e5576b95d862540b55d6cb69b171f3f
SHA512 08a47f3d41e89927c3ad44fab47b0a98cc209abd5f489bd4587ac0e4267d02dc303a2301184e5bb813a3af6f6526382d004bd77b7a5cea54ab8572e6b3b3f7db

memory/3036-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3248-23-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3248-26-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3248-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3248-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3248-32-0x0000000000400000-0x000000000042D000-memory.dmp