Malware Analysis Report

2024-11-16 12:57

Sample ID 240815-2sw1jsvaqm
Target 6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180
SHA256 6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180
Tags: upx neconyd discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180

Threat Level: Known bad

The file 6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180 was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 22:51

Signatures

Neconyd family

Tags: neconyd

UPX packed file

Tags: upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 22:51

Reported

2024-08-15 22:53

Platform

win7-20240705-en

Max time kernel

149s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe"

Signatures

Neconyd

Tags: trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

Tags: upx

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2348 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2196 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2196 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2196 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2196 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1056 wrote to memory of 1732 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1056 wrote to memory of 1732 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1056 wrote to memory of 1732 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1056 wrote to memory of 1732 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe

"C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/2348-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a2b4a322bc57c590c56a4cd09ed4c4b4
SHA1 af712caf7817eca258eac0742d8d19786f0d7a04
SHA256 dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc
SHA512 5049565bfec82f3aabe027569a23449b13b6aa411e5ff9a8226d3bbd6e352acd0fa7f089c615e5b8df226321578789a749a39979c1570825d2fd87fcf33b2dcd

memory/2196-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2348-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2196-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2196-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2196-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2196-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 d3d933d5522db2197e9d43c1ddac126a
SHA1 3df9f95a01aaab85cb88d21fd03f7d58e300afb1
SHA256 ca0f34c55405e8366cf93ab54885b02c3dbd9101eaaf9706bc0447aa43d05692
SHA512 1af87fa818af16d1a4aeb48e78fd07a7a5875e4a5cca6dc5c1458137ee4015c7538aed3ea6bbf5fa53b077889ec2a9698dc1a91b09f6b272e790df2ec4199318

memory/2196-26-0x0000000002230000-0x000000000225D000-memory.dmp

memory/1056-35-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2196-34-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e9b991373c0a89cb2d032b15d3d10925
SHA1 3920c06af433271fb01a9e70b4a3bc56b30a70ea
SHA256 ad517632bf93fbc068a8ae382570a8930a528b41ecfbb25d5e8490c74c2a227a
SHA512 47fe9b7856b284ec127b499d93bfcc29f85483be8c30a30b28304ed91330c1944bb549110cfb9072002a7743c6e3b1a9b11fc289a2cb846541babc1aaa7cb16f

memory/1056-40-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1056-48-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1056-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1732-50-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1732-53-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 22:51

Reported

2024-08-15 22:54

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe"

Signatures

Neconyd

Tags: trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

UPX packed file

Tags: upx

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe

"C:\Users\Admin\AppData\Local\Temp\6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp

Files

memory/2688-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a2b4a322bc57c590c56a4cd09ed4c4b4
SHA1 af712caf7817eca258eac0742d8d19786f0d7a04
SHA256 dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc
SHA512 5049565bfec82f3aabe027569a23449b13b6aa411e5ff9a8226d3bbd6e352acd0fa7f089c615e5b8df226321578789a749a39979c1570825d2fd87fcf33b2dcd

memory/1572-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2688-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1572-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1572-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1572-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1572-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 204ac9ee48c24e463cd358baa30f8f10
SHA1 dc92d7f1052fdb23afe601d5427b334653ea18d9
SHA256 8cfe1926299ed218e2ab2a23a7e6167bfdf685239224a0bf3a3008413181e42f
SHA512 882af13ea7891c9c0f13fcaaea6df9f5e2cae98acd2629f4d13aac023fe22982eaabab7b6f18ae240b3d5623c97ae68fda6d4f1e4d5aa05096ff3577a60aec7e

memory/4064-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1572-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4064-24-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4064-27-0x0000000000400000-0x000000000042D000-memory.dmp