Malware Analysis Report

2024-09-11 08:30

Sample ID: 240620-ancybsydjh
Target: 8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a
SHA256: 8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a
Tags: neconyd trojan upx
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a

Threat Level: Known bad

The file 8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a was found to be: Known bad.

Malicious Activity Summary

Tags: neconyd trojan upx

Neconyd family

Neconyd

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-20 00:21

Signatures

Neconyd family (tags: neconyd)

UPX dump on OEP (original entry point)
  1 hit; Description, Indicator, Process and Target not recorded (N/A)

UPX packed file (tags: upx)
  1 hit; Description, Indicator, Process and Target not recorded (N/A)

Unsigned PE
  2 hits; Description, Indicator, Process and Target not recorded (N/A)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 00:21
Reported: 2024-06-20 00:23
Platform: win10v2004-20240226-en
Max time kernel: 151s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe"

Signatures

Neconyd (tags: trojan neconyd)

UPX dump on OEP (original entry point)
  16 hits; Description, Indicator, Process and Target not recorded (N/A)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file (tags: upx)
  16 hits; Description, Indicator, Process and Target not recorded (N/A)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe

"C:\Users\Admin\AppData\Local\Temp\8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp

Files

memory/4248-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5: 543410c82f8490b634419c0dc3538e3d
SHA1: 455ab12d07ac106c8227fbf37c7f94a57a1c2bda
SHA256: a324a7fcae58aa4187e00b731021a1241042fe7222e6b9f21bcff3650c5d28f5
SHA512: be296076cb1a86a98a37f866c90e595b2ae90fc420415e13b33db599c3ef6893e36d44ca24455552b83f56a49701abe7b7273fa990b0a9ca69033ea55d40eb14

memory/2344-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4248-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2344-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2344-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2344-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2344-14-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5: 899428ace4d41d0629b256ae619faf90
SHA1: 29c305c0e2140cbf76fc8bf11a3837a1ca908522
SHA256: 667c585857eb151232a9c102fc1e3e6e491728ca6026fe0bc6c54f24eb1782a8
SHA512: aa289d867085e75707861d7af373b38a63a23174534d974cec6d6624eac1e16a4f55f0a96de90c1883b7b1fa0db5b1b9ec79f55eaea3d6248580fa83de752b6d

memory/4912-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2344-21-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5: 8291f8df114aa314e1d2ece346f26618
SHA1: 9e0bc936b9a3664a071f60ff0a6d2211de1f92f8
SHA256: ffcf9a4fb7df9fe822fa8133bc34e1bb49ee9aa0c7b49ff1e23ecf9865e116cb
SHA512: 08bd3c295eaf8c5b309715f3522b95cc08339721787c2ea0a58c6174a83dc7287a86bdf0133661358776b143c95a1d8bd11f964b767c3cd3be4c61633ff0ac47

memory/4912-26-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4468-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4468-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4468-32-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 00:21
Reported: 2024-06-20 00:23
Platform: win7-20240611-en
Max time kernel: 146s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe"

Signatures

Neconyd (tags: trojan neconyd)

UPX dump on OEP (original entry point)
  13 hits; Description, Indicator, Process and Target not recorded (N/A)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

UPX packed file (tags: upx)
  13 hits; Description, Indicator, Process and Target not recorded (N/A)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe

"C:\Users\Admin\AppData\Local\Temp\8bc55600e204e023eb09abc63317dc6fb3a13abaecc30840039083c4e427ef9a.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2980-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5: 543410c82f8490b634419c0dc3538e3d
SHA1: 455ab12d07ac106c8227fbf37c7f94a57a1c2bda
SHA256: a324a7fcae58aa4187e00b731021a1241042fe7222e6b9f21bcff3650c5d28f5
SHA512: be296076cb1a86a98a37f866c90e595b2ae90fc420415e13b33db599c3ef6893e36d44ca24455552b83f56a49701abe7b7273fa990b0a9ca69033ea55d40eb14

memory/2980-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2052-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2052-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2052-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2052-21-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5: 36825be1264e801f9cfe9e9b8769df7a
SHA1: f816d7dc1ebef1a90b2073941b8944453fe0752d
SHA256: 14e10b960f527a178c6ab566a04615033a13d7dcd5fef9f423f3eeb2149fd2bf
SHA512: abfdc7b8255da19d05377b60d48a24a139c0693af7071a28a95c1664b39633f5e2c1abf80a1a6fb6eb4dc28199ac0b65579f2176c71d695c193bc1b5af2a8b32

memory/2052-24-0x00000000004B0000-0x00000000004DD000-memory.dmp

memory/2788-34-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2052-32-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2788-35-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2788-38-0x0000000000400000-0x000000000042D000-memory.dmp