Malware Analysis Report

2024-11-16 12:57

Sample ID 240815-mc639ayaja
Target fcdb67092c592bf0d242a5f106ec90a0N.exe
SHA256 7d5116bdfc048b09eb93ae8f8007040e1ec6ad7494cfedf92dec95380bdb0bb6
Tags
upx neconyd discovery trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

7d5116bdfc048b09eb93ae8f8007040e1ec6ad7494cfedf92dec95380bdb0bb6

Threat Level: Known bad

The file fcdb67092c592bf0d242a5f106ec90a0N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 10:20

Signatures

Neconyd family

neconyd

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 10:20

Reported

2024-08-15 10:22

Platform

win7-20240705-en

Max time kernel

115s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 2808 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2808 wrote to memory of 1300 (4 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1300 wrote to memory of 2428 (4 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe

"C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2764-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8264c9fc3dc926ca9a2e8da4bc604fe9
SHA1 1b83c0973dd45683dcf81c1758e9e21c19aae08a
SHA256 4c9f9e17c5fd21fa4f1f514b0029a79c1f98494b322298a6149e4dd9ac82ccbe
SHA512 09731fcde524b008732a1efdf7d3d41062fb3868c128c75c49f3cb152da9d0764d7e5294b83ed3238a7607361383af972c9813e3320a43dd8e3f9a00375c3f09

memory/2808-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2764-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2808-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2808-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2808-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2808-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 e23cb486868d8bbc59bbcdb954a1cfa1
SHA1 0148f6c154b69285b77bf5b003bea33636d4190e
SHA256 61e8caf3061a2316ecd2a63e3e85bd8a665cb3c3c228bd7dfe065069d752b762
SHA512 4e2b8365da8697dae892aeba0c59b28b83d6fa18b7b4cc2a89d038ef0f1ffbaef48eb78c380d74e783d876729cb3457fd8225505c35152e65b572893e9c06407

memory/2808-26-0x0000000000330000-0x000000000035D000-memory.dmp

memory/1300-37-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1300-40-0x0000000000220000-0x000000000024D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b6c1723c1ef548c9512abda6a455fd54
SHA1 e2e4c8a7ca66505927f7c1741fe288f826a4e538
SHA256 55620dc3422588316d05aee2ebdff07efbcc26400d6b036bd9d57e95eb698597
SHA512 ea8311f3cf384135c0ab2e3da93f7e59e5151ca8cc36e7813b8f1a8736e904a004fba0938f75a2145884c8aa31d7178c9ddcc8fa3e33ced828febdfe48d26fec

memory/2808-34-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2428-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1300-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2428-50-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:20

Reported

2024-08-15 10:22

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe

"C:\Users\Admin\AppData\Local\Temp\fcdb67092c592bf0d242a5f106ec90a0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/4500-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8264c9fc3dc926ca9a2e8da4bc604fe9
SHA1 1b83c0973dd45683dcf81c1758e9e21c19aae08a
SHA256 4c9f9e17c5fd21fa4f1f514b0029a79c1f98494b322298a6149e4dd9ac82ccbe
SHA512 09731fcde524b008732a1efdf7d3d41062fb3868c128c75c49f3cb152da9d0764d7e5294b83ed3238a7607361383af972c9813e3320a43dd8e3f9a00375c3f09

memory/4928-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4500-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4928-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4928-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4928-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4928-14-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 ffe24bf3a2394d0dbdb3a6bc762b14ee
SHA1 2497e1d0985f037677a73572e527ec222b083182
SHA256 6000b0b989f998721a436294591a1172dc523437fdd6abd07437923f7c3266ea
SHA512 8c4d4bc82d04576a8a6b962c4242a1b0de2ee25425ba1451584476744bdb90a967c9b38d534e18f7a23e3445711f149dde58e23f27420cef621f932da2997ff6

memory/4112-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4928-21-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c743c215ef68813e9cc876089a27f8e6
SHA1 aa89cc96faddb23260e4d57ed82b59ce045de227
SHA256 82ddba550adf7fe4e4f24ad8ab0108e6f51e8144a69192362fc0e6ad965c75f1
SHA512 4e33b3a7919528a9cda687e0731cfb14e9087a11f6405fd48149937e621b190c4504fc42a527833dd0d0895e36de7e3949a53cb756bf8faaf5a989165db8a940

memory/4112-26-0x0000000000400000-0x000000000042D000-memory.dmp

memory/728-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/728-29-0x0000000000400000-0x000000000042D000-memory.dmp