Malware Analysis Report

2024-09-11 08:28

Sample ID 240621-dkk2bawhrb
Target c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093
SHA256 c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093
Tags: upx neconyd trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093

Threat Level: Known bad

The file c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093 was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd

Neconyd family

UPX dump on OEP (original entry point)

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-21 03:04

Signatures

Neconyd family

neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 03:04

Reported

2024-06-21 03:06

Platform

win7-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3068 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3068 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3068 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2184 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2184 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2184 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2184 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1736 wrote to memory of 1600 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1736 wrote to memory of 1600 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1736 wrote to memory of 1600 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1736 wrote to memory of 1600 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe

"C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

Files

memory/3068-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c969e4d8611084ccb26c12fbde1f6d97
SHA1 e2bcc63fe01b638fffefb191d7582d543803c3d8
SHA256 f8feb1df2a4086581cdc552151cd22b8b328320c348f4d7245791ac3db3df8ff
SHA512 e5668caeadcc31163a12813d249aca09e48d3ffe28644f9280b7329239f31cf0f692a1a0f7592fca02680cad74146462a64a4cd92b960715fe1ec42936b358e8

memory/3068-4-0x00000000003A0000-0x00000000003CD000-memory.dmp

memory/3068-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-21-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 3531b22a302b84a86b761a9c8a3e5449
SHA1 f014c4c73a04e5908d763abe2092442d6cff943c
SHA256 eb0a3af5322bc79b6d1eff07e7fc697250980d7ff90b06e8e5897c9c61e5c3a8
SHA512 6c2ae1a9f1bc5dba7f7360a3dca78f46053d2bcc235f3369d96a760bd809dbbe4f139db5a4a1345fe141baaf793c53ff6d3696d0a6a1eb81ca0f945f820e5920

memory/2184-32-0x00000000003C0000-0x00000000003ED000-memory.dmp

memory/2184-31-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1736-34-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5e3a2939ce815978813937c945c9c3e8
SHA1 fb049348ff604350934847a88fec85d98396cccd
SHA256 6d6160a3cd56cef46aeb0b1ea67b223f54e41dba2afe9f826aa28976f6487683
SHA512 6c1f82461142cc2e546ee9d7962e1347187b98fd09bf6c1d88982b7114df6cd56ad0ae690bed7b4d032b347bb9fdf4cc8b9bd9e291dac22d31b4ff514c08cc89

memory/1736-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1600-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1600-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-49-0x00000000003C0000-0x00000000003ED000-memory.dmp

memory/1600-51-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1600-53-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 03:04

Reported

2024-06-21 03:06

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe"

Signatures

Neconyd

trojan neconyd

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe

"C:\Users\Admin\AppData\Local\Temp\c030b1de23d9ec70b3780d5cc12e43a7153cafbd5ae640c7fdbd4bd951c3d093.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
NL 52.111.243.31:443 tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/4512-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c969e4d8611084ccb26c12fbde1f6d97
SHA1 e2bcc63fe01b638fffefb191d7582d543803c3d8
SHA256 f8feb1df2a4086581cdc552151cd22b8b328320c348f4d7245791ac3db3df8ff
SHA512 e5668caeadcc31163a12813d249aca09e48d3ffe28644f9280b7329239f31cf0f692a1a0f7592fca02680cad74146462a64a4cd92b960715fe1ec42936b358e8

memory/4512-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1628-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1628-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1628-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1628-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1628-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 b6a8cbe02ae0d2649c01fe01b246ea48
SHA1 8ea31e20aa6d7738f15ada92cdcdb42bcf43732f
SHA256 2f4d8c663036c0287bf0527f10c50b95ceed57cfc3d31da4edb946ea5f5f056b
SHA512 bd649a3100866c5f551ebc669f6538a1d7f1d5a0ec6be46e418cfef57df022f8ea9eba3eebce1beae2f9c9d89c138712695800e70295116985cd152136ee7bab

memory/1628-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/692-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/692-27-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7c9bbea4e90bf8c123078ba5410c9080
SHA1 a6a90ed312e350321c57d1755984eb6de2d2a1bb
SHA256 fa4148e7a3cfbb923f077a78a09a16836e61eeae52933ac9d21032318983fdff
SHA512 f07f3d0fefcb0a43a40d045ba4d6a8b24dac8e928c29c8fe9fa8806b9b81496f324c202ec8c62455b557981333c9e22bcdc3bf9cc70ad8ea94d07ec13916480e

memory/4324-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4324-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4324-33-0x0000000000400000-0x000000000042D000-memory.dmp