Malware Analysis Report

2024-11-16 12:57

Sample ID 240815-zfrtysxfnj
Target 3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09
SHA256 3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09
Tags
upx neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09

Threat Level: Known bad


Malicious Activity Summary

upx neconyd discovery trojan

Neconyd

Neconyd family

UPX packed file

Executes dropped EXE

Loads dropped DLL (listed in this summary only; neither behavioral analysis below records a matching indicator row)

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 20:39

Signatures

Neconyd family

neconyd

UPX packed file

upx
No indicator details recorded (static match only).

Unsigned PE

No indicator details recorded (static match only).
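The two static signatures above (UPX packed file, Unsigned PE) and the SHA256 that names the sample can be re-checked offline with a small PE header parser. The script below is an added example, not code or output from the sandbox: it walks the section table and the security data directory (IMAGE_DIRECTORY_ENTRY_SECURITY) of a PE32/PE32+ image, flags UPX by its stock section names or the "UPX!" marker, reports whether an Authenticode blob is present at all, and computes SHA256 for comparison with the report. The build_pe helper constructs a headers-only PE32 so the example runs without the real sample; its names and the section-name list are the example's own. Two caveats: UPX section names are trivially renamed, so their absence proves nothing, and a present signature still has to be validated (Get-AuthenticodeSignature or signtool verify) before the file counts as signed.

```python
"""Static re-check of the static1 signatures (UPX packed file, Unsigned PE) plus
the SHA256 used throughout the report.  Added example, not sandbox code; the
build_pe() helper constructs a headers-only PE32 image so it runs offline."""
import hashlib
import struct

SECURITY_DIR_INDEX = 4                                     # IMAGE_DIRECTORY_ENTRY_SECURITY
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}   # heuristic only, easily renamed


def analyze_pe(data: bytes) -> dict:
    """Read the section table and the security directory of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)       # data directories: PE32 vs PE32+
    sec_rva, sec_size = struct.unpack_from("<II", data, dir_base + 8 * SECURITY_DIR_INDEX)
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i                      # IMAGE_SECTION_HEADER, 40 bytes each
        sections.append(data[off:off + 8].rstrip(b"\0"))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": [s.decode("latin-1") for s in sections],
        # Either the stock section names or the packer's "UPX!" marker.
        "upx_packed": any(s in UPX_SECTION_NAMES for s in sections) or b"UPX!" in data,
        # Presence of an Authenticode blob only; validity is a separate check.
        "signed": sec_rva != 0 and sec_size != 0,
    }


def matches_report(data: bytes, expected_sha256: str) -> bool:
    """True when the bytes on disk are the sample the report describes."""
    return hashlib.sha256(data).hexdigest().lower() == expected_sha256.lower()


def build_pe(section_names, signed=False, trailer=b"") -> bytes:
    """Constructed minimal PE32 (headers only) for offline testing; not a real sample."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                             # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, 0x1000, 0x200)
    secs = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs + trailer


if __name__ == "__main__":
    packed = build_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"UPX!")
    clean = build_pe([b".text", b".rdata", b".data"], signed=True)
    for label, blob in (("upx-like", packed), ("clean-like", clean)):
        print(label, analyze_pe(blob))
    # Against a real file: data = open(path, "rb").read(); analyze_pe(data);
    # matches_report(data, "<sha256 from the report>").
```

Run it against the sample as `analyze_pe(open(path, "rb").read())`; a UPX-packed result with an empty security directory is what the static1 section reports, and the SHA256 field should equal the Target hash at the top of this page before any further work is done on the file.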

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 20:39

Reported

2024-08-15 20:42

Platform

win7-20240708-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
12 matches, none with a description, indicator, process or target recorded.

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3032 wrote to memory of 3044 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3044 wrote to memory of 1392 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1392 wrote to memory of 1264 (4 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Process image | Command line
C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe | "C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is launched with a System32 path but its image is recorded under SysWOW64. That is WOW64 file-system redirection: a 32-bit process on 64-bit Windows that writes to or launches from C:\Windows\System32 is transparently mapped to C:\Windows\SysWOW64. When hunting for this file, check both directories, and expect EDR telemetry to show whichever path the sensor normalises to.
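The twelve WriteProcessMemory rows and the process list describe a single chain, dropper -> Roaming\omsecor.exe -> SysWOW64\omsecor.exe -> Roaming\omsecor.exe, with each parent writing into the child it has just spawned. The script below is an added example, not sandbox output: it reconstructs that chain from the rows exactly as they are printed on this page, collapses the repeated rows into per-edge write counts, flags hops where the same file name is re-launched from a different folder, and flags processes whose command line names System32 while the image lives in SysWOW64. The row layout it assumes ("PID <parent> wrote to memory of <child> N/A <source image> <target image>") is the one shown above. A parent writing into a freshly created child is consistent with injection techniques such as process hollowing, but the report does not establish which, so treat that as a lead to confirm in a memory dump rather than a finding.

```python
"""Reconstruct the execution chain from the 'Suspicious use of WriteProcessMemory'
rows and the Processes list.  Added example, not sandbox output: the rows are
re-typed from the report, and the row format assumed is the one it prints."""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"
SYSTEM32 = r"C:\Windows\System32\omsecor.exe"

# The twelve signature rows from behavioral1, copied from the report.
WPM_ROWS = (
    [f"PID 3032 wrote to memory of 3044 N/A {SAMPLE} {ROAMING}"] * 4
    + [f"PID 3044 wrote to memory of 1392 N/A {ROAMING} {SYSWOW64}"] * 4
    + [f"PID 1392 wrote to memory of 1264 N/A {SYSWOW64} {ROAMING}"] * 4
)

# (image path, command line) pairs as listed under Processes.
PROCESSES = [
    (SAMPLE, f'"{SAMPLE}"'),
    (ROAMING, ROAMING),
    (SYSWOW64, SYSTEM32),
    (ROAMING, ROAMING),
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_write_events(rows):
    """Collapse repeated rows into one edge per (parent, child) with a write count."""
    events = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        parent, child, src, dst = int(m[1]), int(m[2]), m[3], m[4]
        ev = events.setdefault((parent, child), {"count": 0, "src": src, "dst": dst})
        ev["count"] += 1
    return events


def execution_chains(events):
    """Walk from each root PID (one that is never a child) down the parent->child edges."""
    children = defaultdict(list)
    for parent, child in events:
        children[parent].append(child)
    all_children = {c for _, c in events}
    roots = sorted({p for p, _ in events if p not in all_children})
    chains = []

    def walk(pid, path):
        kids = children.get(pid, [])
        if not kids:
            chains.append(path)
        for c in sorted(kids):
            walk(c, path + [c])

    for r in roots:
        walk(r, [r])
    return chains


def self_copy_hops(events):
    """Edges where the child is the same file name launched from a different folder."""
    return sorted(
        edge for edge, ev in events.items()
        if ntpath.basename(ev["src"]).lower() == ntpath.basename(ev["dst"]).lower()
        and ntpath.dirname(ev["src"]).lower() != ntpath.dirname(ev["dst"]).lower()
    )


def wow64_redirected(processes):
    """Images recorded under SysWOW64 although the command line named System32."""
    hits = []
    for image, cmdline in processes:
        target = cmdline.strip('"').lower()
        if target.startswith("c:\\windows\\system32\\") and image.lower().startswith("c:\\windows\\syswow64\\"):
            hits.append(image)
    return hits


if __name__ == "__main__":
    ev = parse_write_events(WPM_ROWS)
    for chain in execution_chains(ev):
        print(" -> ".join(str(p) for p in chain))
    for (p, c), e in sorted(ev.items()):
        print(f"{p} -> {c}: {e['count']} writes, {e['src']} => {e['dst']}")
    print("self-copy hops:", self_copy_hops(ev))
    print("WOW64-redirected images:", wow64_redirected(PROCESSES))
```

The same functions apply to the behavioral2 run once its rows are pasted in; the chain there is visible from the memory dump names (4192, 3872, 3012, 116) even though that section prints no WriteProcessMemory rows.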

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

Each copy of omsecor.exe written during this run carries a different hash (first Roaming copy b7880f…, SysWOW64 copy 870634…, second Roaming copy d9f680…), so a blocklist keyed on any one of them will not match the others; the stable indicators are the file name, the two drop locations and the behaviour above.

memory/3032-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8050f6321b39745952ab54a16b276363
SHA1 934affe14fb4dee9f69efef3ae1a9af98dcc4453
SHA256 b7880f899721e0ce1c39ec75a290b3bc9d0faa00aed232911415c92145c17c57
SHA512 ab4a3c132a0b649209ef32e97fa2a8c5070472cbe3997451dc908373e38be4173f8c142a9799bde30dd0bc5895a1353126ce5e92b21f4398ed4cb346656b1eb5

memory/3032-3-0x0000000000220000-0x000000000025E000-memory.dmp

memory/3032-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3044-12-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 75897be4628e235ce8d4f1ddd3254e93
SHA1 aebc1818a4d9556ead8ed35f93e62116402dff5f
SHA256 870634ab300f5bf8404de1d300d4a2982298735913d88b98bf90eb7432fbbb29
SHA512 f99cce74db97dd406b9939d71431cd90150745915c80d9c8cf25cf8debca886fc90f2ba72f20b8e4fff8e9890e772af868e9dbc83c857cd9962572875271d2c2

memory/3044-25-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1392-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3044-18-0x0000000000290000-0x00000000002CE000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 9215a48600163fd40515ee64776c6daf
SHA1 1e0b35f2cb8495d5479500167c294ecaf8e4d065
SHA256 d9f680c1739f2551b104630fe7e15adb215ece02460fe20822335e8f088a00c6
SHA512 6623d946dfac49b03a4055d065e2c459a2bc05c5280cccc910d6448de56d67fa5429117de8874103086ff3f4dfb22fe06eb2d35f5a00f75b9d26b5cc761fc756

memory/1264-38-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1392-37-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1392-35-0x0000000000220000-0x000000000025E000-memory.dmp

memory/1392-34-0x0000000000220000-0x000000000025E000-memory.dmp

memory/1264-40-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 20:39

Reported

2024-08-15 20:42

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
12 matches, none with a description, indicator, process or target recorded.

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

Process image | Command line
C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe | "C:\Users\Admin\AppData\Local\Temp\3c1af93b495177700c6a0594f271551bc327e8741ab9b46d58f5160faf8a3b09.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

As in the Windows 7 run, the third process is launched by a System32 path but runs from SysWOW64 because of WOW64 file-system redirection; the chain is otherwise identical on Windows 10.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
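The Windows 10 network table mixes the sample's traffic with resolver queries, reverse (PTR) lookups and Microsoft background traffic, and the three C2 names appear several times each. The script below is an added example, not part of the report: it re-types the table above and reduces it to a short indicator list. Its assumptions are stated in the code: 8.8.8.8:53 is the sandbox resolver, so a UDP/53 row means the VM queried that name and the name, not the resolver, is the indicator; in-addr.arpa queries are lookup noise (two of them reverse the C2 addresses themselves, so dropping them loses nothing the forward rows do not already carry); and tse1.mm.bing.net is treated as background traffic of the Windows 10 image, which the report does not attribute to the sample.

```python
"""Turn the behavioral2 Network table into a short IOC list.  Added example, not
part of the report; the rows are re-typed from the table above and the
assumptions (resolver, background domains) are marked in comments."""
from collections import Counter, defaultdict

# Rows copied from the report: country, destination, domain, protocol.
NETWORK_TABLE = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

RESOLVER = "8.8.8.8"                  # assumption: the sandbox's DNS forwarder
BACKGROUND_SUFFIXES = ("bing.net",)   # assumption: Windows 10 image traffic, not the sample


def parse_rows(table):
    """One dict per table row; the destination is split into ip and port."""
    rows = []
    for line in table.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def is_background(domain, suffixes=BACKGROUND_SUFFIXES):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def extract_iocs(rows, resolver=RESOLVER):
    """Separate indicators from resolver, PTR and background noise."""
    domains, ips = set(), set()
    resolutions = defaultdict(set)
    stats = Counter()
    for r in rows:
        d = r["domain"]
        if d.endswith(".in-addr.arpa"):
            stats["ptr"] += 1            # reverse lookups add nothing the forward rows lack
        elif is_background(d):
            stats["background"] += 1
        elif r["ip"] == resolver and r["port"] == 53:
            stats["dns_query"] += 1      # the queried name is the indicator, not 8.8.8.8
            domains.add(d)
        else:
            stats["connection"] += 1
            domains.add(d)
            ips.add(r["ip"])
            resolutions[d].add(r["ip"])
    return {"domains": sorted(domains), "ips": sorted(ips),
            "resolutions": {k: sorted(v) for k, v in resolutions.items()},
            "stats": dict(stats)}


def as_blocklist(iocs):
    """One line per indicator, ready for a DNS sinkhole or firewall deny list."""
    return [f"domain {d}" for d in iocs["domains"]] + [f"ip {ip}" for ip in iocs["ips"]]


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(NETWORK_TABLE))
    print(iocs["stats"])
    print("\n".join(as_blocklist(iocs)))
```

The result is three domains (lousta.net, mkkuei4kdsz.com, ow5dirasuek.com) and the three addresses they resolved to during detonation, all contacted over plain HTTP on port 80. Block the names rather than relying on the addresses alone: the same report shows each domain resolving to a single IP today, but nothing here says those addresses are stable.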

Files

The first Roaming copy of omsecor.exe is byte-identical across both detonations (SHA256 b7880f…, MD5 8050f6…), so it is produced deterministically from the sample; the SysWOW64 copy (f6bb6d… here, 870634… on Windows 7) and the second Roaming copy (d38a30… here, d9f680… on Windows 7) differ per run and per hop, so only the first-stage hash is worth adding to a blocklist.

memory/4192-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8050f6321b39745952ab54a16b276363
SHA1 934affe14fb4dee9f69efef3ae1a9af98dcc4453
SHA256 b7880f899721e0ce1c39ec75a290b3bc9d0faa00aed232911415c92145c17c57
SHA512 ab4a3c132a0b649209ef32e97fa2a8c5070472cbe3997451dc908373e38be4173f8c142a9799bde30dd0bc5895a1353126ce5e92b21f4398ed4cb346656b1eb5

memory/3872-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4192-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3872-7-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3012-11-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 2d785a9dd42b37640bb87739bf2c17fb
SHA1 73d585e39773fdae0c4a6811c2233dca8635b6f9
SHA256 f6bb6d886440c02bdc581b5e03b68dd232766d417eefa2d846add265f73f88fb
SHA512 971b7b645e708f94ea7193bc79dff1b996a6e04eb178e67e48d0b635e5da098507241e276ffc779fab2b2be992399416eb152acf0a2ecef1bae1c0697f2daf2c

memory/3872-12-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5f98d89023cece35f990734a21f05e5f
SHA1 d5c3ce9e9960335e567c50cd733abe3da4849e31
SHA256 d38a3004e232c30e290ba750a11e7ef7d0374b4374aa34676fcd524742daa10f
SHA512 c0e16ae358da6e26a765763d24ac771f452e2d5902b76743fb873a45aae8704ceacba8fc0410eccc6e8695bfd3d9b81d4df88b9e2c020d90ce6f25b119093671

memory/3012-17-0x0000000000400000-0x000000000043E000-memory.dmp

memory/116-18-0x0000000000400000-0x000000000043E000-memory.dmp

memory/116-20-0x0000000000400000-0x000000000043E000-memory.dmp