Malware Analysis Report

2024-11-16 12:57

Sample ID 240816-bqx7qaxbrg
Target a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136
SHA256 a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136
Tags
upx neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136

Threat Level: Known bad

The file a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136 was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 01:21

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 01:21

Reported

2024-08-16 01:24

Platform

win7-20240704-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2900 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2900 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2900 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2900 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2064 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2064 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2064 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2064 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1952 wrote to memory of 1744 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1952 wrote to memory of 1744 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1952 wrote to memory of 1744 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1952 wrote to memory of 1744 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe

"C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2900-1-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2900-9-0x0000000000220000-0x000000000024D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2d463611deac729a3c81eb8d17d0e722
SHA1 d95eac8731193ba20eb711ec4ffaf33aeb6eaca3
SHA256 d172a64ee8948c41e869a35138d67791708460aeb216c5dcbb82bdceda4a1f7b
SHA512 8e23086e2bbdf4751c6f47e55b0c6a2faa698fac68b605237ea4395c159d8b3b65abd705df526ba53fb7f48eb72f541b382583ab8be9420c0e994e0d936c6ff5

memory/2064-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2064-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2064-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2064-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2064-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 5c3a8d0945bb9c8e8c7c766e1b4bc141
SHA1 f701bc8cb1658cfa6471126e94b3bb0c722ca35e
SHA256 c064fb75ae25f69fc387f7f201b375e9cf40cf121901e6d80ddc6ec9fd232aad
SHA512 3ce002949a18b80501f92d73446988882e7c76dc5224bf88c537d436dc18b9e14f5cc3eecd0b3e536250102e2cc8a80f46bab4e3177356e436953db6fc542b4e

memory/2064-25-0x0000000000280000-0x00000000002AD000-memory.dmp

memory/2064-33-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 400698190fbb382296834595d9d344de
SHA1 e00d691eabf38483c63d8d946a72508f953d01b3
SHA256 8599150c8a7c8e3a7f5a5437d62e677e8d27f6f065624b47281bb33f055fa170
SHA512 027b59d751e86c0e0d0d592e40c63d25d1f2d9052cea5c13572d8d5b9fc96ee8f3310a87a1c075af35a0191ab737ef3199dc2be5597cf8c287f7e031378c1579

memory/1952-40-0x00000000003C0000-0x00000000003ED000-memory.dmp

memory/1744-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1952-39-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1744-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1744-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 01:21

Reported

2024-08-16 01:24

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe

"C:\Users\Admin\AppData\Local\Temp\a643874834d52fef62f64397983b3cb1b4b54dcc73905b6dd81a1d151acbb136.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/3868-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2d463611deac729a3c81eb8d17d0e722
SHA1 d95eac8731193ba20eb711ec4ffaf33aeb6eaca3
SHA256 d172a64ee8948c41e869a35138d67791708460aeb216c5dcbb82bdceda4a1f7b
SHA512 8e23086e2bbdf4751c6f47e55b0c6a2faa698fac68b605237ea4395c159d8b3b65abd705df526ba53fb7f48eb72f541b382583ab8be9420c0e994e0d936c6ff5

memory/2916-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3868-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2916-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2916-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2916-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2916-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 b1b79180ec906a75af9feb2fc1f337f1
SHA1 001ae13e3a8dc464f46d6f3da128540d74f2dcf6
SHA256 b5613ca42ffb0cc1851b88e6b972a223ca3ac7be883c0a0b2040aa58efaf8204
SHA512 37ba71cbd387ab0539a9fc6b6138f68027bec34ee482e02186e43964dc9368f88da0d48c86b9c6c2b143c30503d376f85daf4726cee9dbb74f683f41e6fbd8b1

memory/5004-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2916-22-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d7e714d542d9cd8b3aa5fd0e1f38054b
SHA1 c5e1db8847aad4b71ff49785ba56f30c1f8e5042
SHA256 222211b9dcdf64ef1bff42448e8ffa034e1e1925fecf46fd8e0ff6eea8838e36
SHA512 a5f15a59acc27b024707c5a0866cdafa3da292e6de226d13d96380857c2d7c09769a2f2a184cdbbe7b42f1d1746b376165a5cbd3adbe4e884ac4bd8567558531

memory/5004-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/436-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/436-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/436-33-0x0000000000400000-0x000000000042D000-memory.dmp