Malware Analysis Report

2024-11-16 12:57

Sample ID 240816-fh4rrawekd
Target 5a6025ecc9dfcad8539e45923a108fe0N.exe
SHA256 b65d474a32d4b85234f25a9c7d5d09f69915d3114258de39ba657a965c798dc9
Tags: upx neconyd discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: b65d474a32d4b85234f25a9c7d5d09f69915d3114258de39ba657a965c798dc9
Threat Level: Known bad (verdict for 5a6025ecc9dfcad8539e45923a108fe0N.exe)

Malicious Activity Summary (tags: upx neconyd discovery trojan)

Neconyd family
Neconyd
Executes dropped EXE
UPX packed file
Loads dropped DLL (listed in the summary only; neither behavioral run below records a matching signature)
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory (Win7 run only)

MITRE ATT&CK (Enterprise Matrix V15): the report reproduces no technique table here. Its only ATT&CK-named signature, System Location Discovery: System Language Discovery, corresponds to technique T1614.001.

Analysis: static1

Detonation Overview

Reported: 2024-08-16 04:53

Signatures

Neconyd family (tag: neconyd)

UPX packed file (tag: upx): no indicator, process or target recorded

Unsigned PE: no indicator, process or target recorded
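The static run tags the sample as UPX-packed and unsigned but records no indicator behind either tag. The following is an added example, not code from the report or from the sandbox, showing the two checks a practitioner would run by hand to confirm those tags on the file itself: the section-table shape UPX leaves behind (UPX0/UPX1 names, an empty first section that the stub unpacks into, a high-entropy packed section) and the presence of an Authenticode security directory. It parses the PE headers with struct only and builds two constructed test images (one with a UPX layout, one plain and "signed") so that it runs offline; the section-name check is the weak one, since a packer's section names can be renamed, and the signed check only reports whether a security directory exists, not whether the signature verifies (that needs WinVerifyTrust or signtool).

```python
"""Minimal PE checks behind the 'UPX packed file' and 'Unsigned PE' tags.

Added example, not code from the report or the sandbox. Parses the PE section
table and the security data directory with struct only, and builds constructed
test images so it runs offline.
"""
import hashlib
import math
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
OPT_HDR_SIZE = 224             # PE32 optional header with 16 data directories


def shannon_entropy(data):
    """Bits per byte: 8.0 is uniform random; packed or encrypted data is usually > 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Return section summaries and whether a security (Authenticode) directory is set."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # IMAGE_DIRECTORY_ENTRY_SECURITY is directory 4: offset 128 in PE32, 144 in PE32+
    secdir_off = opt_off + (128 if magic == 0x10B else 144)
    signed = False
    if secdir_off + 8 <= opt_off + opt_size:
        _, sec_size = struct.unpack_from("<II", data, secdir_off)
        signed = sec_size != 0
    sections = []
    off = opt_off + opt_size
    for _ in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, off)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": shannon_entropy(raw),
            "characteristics": chars,
        })
        off += SECTION_SIZE
    return {"sections": sections, "signed": signed}


def upx_indicators(pe):
    """Reasons to call the image UPX-packed; the names alone are weak (they can be renamed)."""
    secs = pe["sections"]
    reasons = []
    upx_names = [s["name"] for s in secs if s["name"].startswith("UPX")]
    if upx_names:
        reasons.append("UPX section names: %s" % ", ".join(upx_names))
    if secs and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0:
        reasons.append("first section has no raw data (unpack target)")
    hot = [s["name"] for s in secs if s["raw_size"] and s["entropy"] > 7.0]
    if hot:
        reasons.append("high-entropy sections: %s" % ", ".join(hot))
    return reasons


def build_pe(layout, signed=False):
    """Construct a minimal PE32 from [(name, virtual_size, raw_bytes), ...] for testing only."""
    def align(x, a):
        return (x + a - 1) // a * a
    n = len(layout)
    raw_base = align(0x40 + 4 + 20 + OPT_HDR_SIZE + SECTION_SIZE * n, 0x200)
    table, body, vaddr = b"", b"", 0x1000
    for name, vsize, raw in layout:
        ptr = raw_base + len(body) if raw else 0
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(align(len(raw), 0x200), b"\0")
        vaddr += align(max(vsize, len(raw), 1), 0x1000)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)
    if signed:   # point the security directory at a (fake) signature blob after the sections
        struct.pack_into("<II", opt, 128, raw_base + len(body), 0x100)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(raw_base, b"\0") + body


# Constructed sample data: hash output stands in for a packed section's bytes.
HIGH_ENTROPY = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest() for i in range(128))
PACKED_LAYOUT = [("UPX0", 0x30000, b""), ("UPX1", 0x10000, HIGH_ENTROPY), (".rsrc", 0x1000, b"\0" * 16 + b"RSRC")]
CLEAN_LAYOUT = [(".text", 0x1000, b"\x55\x8b\xec" * 300), (".data", 0x1000, b"A" * 64)]

if __name__ == "__main__":
    for label, layout, signed in (("packed", PACKED_LAYOUT, False), ("clean", CLEAN_LAYOUT, True)):
        pe = parse_pe(build_pe(layout, signed))
        print(label, "signed=%s" % pe["signed"], upx_indicators(pe) or "no packer indicators")
```

Against a real file, read it with `open(path, "rb").read()` and pass the bytes to `parse_pe`; an empty first section plus one section above 7 bits/byte is the combination worth trusting, whatever the sections are called.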

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-16 04:53
Reported: 2024-08-16 04:55
Platform: win7-20240704-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe"

Signatures

Neconyd (tags: trojan neconyd)

Executes dropped EXE: three dropped-EXE launches (in the order the report lists them)
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

UPX packed file (tag: upx): 12 matches, no indicator, process or target recorded

Drops file in System32 directory
File created: C:\Windows\SysWOW64\omsecor.exe, by process C:\Users\Admin\AppData\Roaming\omsecor.exe

System Location Discovery: System Language Discovery (tag: discovery)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the four processes in the chain (the original sample, both C:\Users\Admin\AppData\Roaming\omsecor.exe instances and C:\Windows\SysWOW64\omsecor.exe). Malware commonly reads the system language to avoid running in particular locales, but legitimate locale-aware software reads the same key, so on its own this signature is weak evidence.

Suspicious use of WriteProcessMemory (the report repeats each row four times; collapsed here with the count)
PID 2276 (C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe) wrote to memory of PID 2700 (C:\Users\Admin\AppData\Roaming\omsecor.exe), 4 writes
PID 2700 (C:\Users\Admin\AppData\Roaming\omsecor.exe) wrote to memory of PID 1656 (C:\Windows\SysWOW64\omsecor.exe), 4 writes
PID 1656 (C:\Windows\SysWOW64\omsecor.exe) wrote to memory of PID 2344 (C:\Users\Admin\AppData\Roaming\omsecor.exe), 4 writes
Every target is the dropped copy that the writer itself launches next (compare the Executes dropped EXE list), so these are parent-to-child writes along a 2276 -> 2700 -> 1656 -> 2344 drop-and-execute chain, not injection into an unrelated process.
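Reconstructing the chain from the rows is the step worth automating, because the repeated rows and bare PIDs make a longer report hard to read by eye. The following is an added example, not part of the sandbox report: it parses the twelve WriteProcessMemory rows copied from the table above, collapses them into one edge per (writer, target) pair with a hit count, and then checks that the edges form a single root-to-leaf path, which is what a dropper re-launching copies of itself looks like. A branching tree, a cycle, or a write into a PID that is nobody's child would raise instead, and that is the case where "WriteProcessMemory" starts to mean injection.

```python
"""Rebuild the drop-and-execute chain from a sandbox report's
'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the report. The row format parsed here is the
report's own: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
"""
import re
from collections import OrderedDict

# Rows copied verbatim from the behavioral1 WriteProcessMemory table.
WRITE_ROWS = r"""
PID 2276 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2276 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2276 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2276 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2700 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2700 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2700 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2700 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1656 wrote to memory of 2344 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1656 wrote to memory of 2344 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1656 wrote to memory of 2344 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1656 wrote to memory of 2344 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_write_rows(text):
    """Return an ordered {(src_pid, dst_pid): {...}} map, one entry per edge, with hit counts."""
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: %r" % line)
        key = (int(m.group(1)), int(m.group(2)))
        edge = edges.setdefault(key, {"src_img": m.group(3), "dst_img": m.group(4), "count": 0})
        edge["count"] += 1
    return edges


def process_tree(edges):
    """Return (roots, children, images): pid adjacency plus pid -> image path."""
    children, images = {}, {}
    for (src, dst), e in edges.items():
        children.setdefault(src, []).append(dst)
        images[src] = e["src_img"]
        images[dst] = e["dst_img"]
    targets = {dst for _, dst in edges}
    roots = [pid for pid in images if pid not in targets]
    return roots, children, images


def linear_chain(edges):
    """Follow the tree from its single root and return [(pid, image), ...].

    A dropper that re-launches a copy of itself yields one straight path.
    Branching, a cycle, or more than one root means something other than
    plain drop-and-execute is going on and deserves a look at the targets.
    """
    roots, children, images = process_tree(edges)
    if len(roots) != 1:
        raise ValueError("expected one root process, found %r" % roots)
    chain, pid, seen = [], roots[0], set()
    while pid is not None:
        if pid in seen:
            raise ValueError("cycle at pid %d" % pid)
        seen.add(pid)
        chain.append((pid, images[pid]))
        kids = children.get(pid, [])
        if len(kids) > 1:
            raise ValueError("pid %d writes to several children: %r" % (pid, kids))
        pid = kids[0] if kids else None
    return chain


def render_chain(edges):
    """Human-readable chain with the per-edge write count from the report."""
    chain = linear_chain(edges)
    lines = ["%d  %s" % chain[0]]
    for (parent, _), (child, img) in zip(chain, chain[1:]):
        count = edges[(parent, child)]["count"]
        lines.append("  -> %d  %s  (%d writes)" % (child, img, count))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_chain(parse_write_rows(WRITE_ROWS)))
```

For this report the chain is 2276 -> 2700 -> 1656 -> 2344 with four writes per hop, alternating between the Roaming and SysWOW64 copies of omsecor.exe.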

Processes (image path, then command line)

C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe   (launched via the System32 path; WOW64 file-system redirection gives the 32-bit process its SysWOW64 image)
C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country  Destination           Domain           Proto
US       8.8.8.8:53            lousta.net       udp
FI       193.166.255.171:80    lousta.net       tcp   (3 connections over the run)
US       8.8.8.8:53            mkkuei4kdsz.com  udp
US       64.225.91.73:80       mkkuei4kdsz.com  tcp
US       8.8.8.8:53            ow5dirasuek.com  udp
US       52.34.198.229:80      ow5dirasuek.com  tcp

Files

Dropped files. The three copies of omsecor.exe all have different hashes, and the file at \Users\Admin\AppData\Roaming\omsecor.exe appears twice with different contents, so it is rewritten during the chain. Only the first Roaming copy (MD5 14c79c671bc50c519dd04fad2b54fe12) is identical in the Win10 run below; treat the other dropped-file hashes as run-specific and key detections on the path pair and the launch chain instead.

\Users\Admin\AppData\Roaming\omsecor.exe (first copy)
MD5 14c79c671bc50c519dd04fad2b54fe12
SHA1 7b9b804ba298e60c20b26db1b5c094bc4f8f60be
SHA256 26247c5f725d7d567587fc947467a387d3b304e8777867c989ef04c62ce036fb
SHA512 97cbb66058a3e4d5529e4e76e5c84980a7d7fe0996be25fde5a7a643af328b7b5662fdd5fa64e41b8e54528fe5db8961ac58447c57fe4682f34cbf7a6c4befe0

\Windows\SysWOW64\omsecor.exe
MD5 d764968271f882157d63f5e543b9891a
SHA1 d210b0756d401504dacb66387ef9c83c376e31ce
SHA256 67f17a223f8fcc67feafacd31a140ec33ab1ec3fbe783826f34076a2f5458499
SHA512 be9968b76b017bfa6c210739f7c9d2c1a87d77fa185516d1a096fa93f227d694bf8e7957ec2b66a1e3e5136556845a56367dbf55278bfc191a354190636fe41e

\Users\Admin\AppData\Roaming\omsecor.exe (second copy)
MD5 d2f90a1cfb5a704ab34b4de9281d1b2a
SHA1 07b4c8512b7c15f6e1768dc34a423b28aadb09d6
SHA256 cdff25422f6b088daf90ce6d7f88093f27a5414a241bcaab66bfdf4f6974baeb
SHA512 449daaa16313e417e12dcc092dd5feb31375b707d26bcbdcb7124ca11e95f572baffe89e67e9f07c9e570cfc7467e064b1f0e1ca1c8a18508526699ec9ffd593

Memory dumps (memory/<pid>-<seq>-<start>-<end>-memory.dmp). Every process maps its image at 0x400000-0x43E000, and PIDs 2276, 2700 and 1656 each also carry a second region of the same 0x3E000 size.
memory/2276-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2276-8-0x00000000002D0000-0x000000000030E000-memory.dmp
memory/2276-9-0x00000000002D0000-0x000000000030E000-memory.dmp
memory/2276-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2700-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2700-14-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2700-24-0x0000000002120000-0x000000000215E000-memory.dmp
memory/2700-25-0x0000000002120000-0x000000000215E000-memory.dmp
memory/2700-26-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1656-28-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1656-32-0x0000000000220000-0x000000000025E000-memory.dmp
memory/1656-38-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2344-41-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-16 04:53
Reported: 2024-08-16 04:55
Platform: win10v2004-20240802-en
Max time kernel: 116s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe"

Signatures

Neconyd (tags: trojan neconyd)

Executes dropped EXE: two dropped-EXE launches (in the order the report lists them)
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
Unlike the Win7 run, the chain stops at the SysWOW64 copy: no second Roaming launch and no WriteProcessMemory signature are recorded.

UPX packed file (tag: upx): 9 matches, no indicator, process or target recorded

Drops file in System32 directory
File created: C:\Windows\SysWOW64\omsecor.exe, by process C:\Users\Admin\AppData\Roaming\omsecor.exe
File opened for modification: C:\Windows\SysWOW64\merocz.xc6, by process C:\Windows\SysWOW64\omsecor.exe (seen in the Win10 run only)

System Location Discovery: System Language Discovery (tag: discovery)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of the three processes (the original sample, C:\Users\Admin\AppData\Roaming\omsecor.exe and C:\Windows\SysWOW64\omsecor.exe)

Processes (image path, then command line)

C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe
    "C:\Users\Admin\AppData\Local\Temp\5a6025ecc9dfcad8539e45923a108fe0N.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe   (launched via the System32 path; WOW64 file-system redirection gives the 32-bit process its SysWOW64 image)

Network

The in-addr.arpa rows are the sandbox's reverse lookups of the addresses it saw contacted, and the g.bing.com / www.microsoft.com traffic is ordinary Windows 10 background activity. The sample's own destinations are lousta.net, mkkuei4kdsz.com and ow5dirasuek.com, the same three domains and addresses as in the Win7 run.

Country  Destination           Domain                         Proto
US       8.8.8.8:53            lousta.net                     udp
US       8.8.8.8:53            8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53            28.118.140.52.in-addr.arpa     udp
US       8.8.8.8:53            g.bing.com                     udp
US       8.8.8.8:53            81.144.22.2.in-addr.arpa       udp
FI       193.166.255.171:80    lousta.net                     tcp
US       204.79.197.237:443    g.bing.com                     tcp
US       8.8.8.8:53            71.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53            237.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53            205.47.74.20.in-addr.arpa      udp
US       8.8.8.8:53            www.microsoft.com              udp
GB       95.100.245.144:80     www.microsoft.com              tcp
US       8.8.8.8:53            144.245.100.95.in-addr.arpa    udp
US       8.8.8.8:53            154.239.44.20.in-addr.arpa     udp
US       8.8.8.8:53            50.23.12.20.in-addr.arpa       udp
FI       193.166.255.171:80    lousta.net                     tcp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53            147.142.123.92.in-addr.arpa    udp
US       8.8.8.8:53            mkkuei4kdsz.com                udp
US       64.225.91.73:80       mkkuei4kdsz.com                tcp
US       8.8.8.8:53            172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53            73.91.225.64.in-addr.arpa      udp
US       8.8.8.8:53            ow5dirasuek.com                udp
US       52.34.198.229:80      ow5dirasuek.com                tcp
US       8.8.8.8:53            229.198.34.52.in-addr.arpa     udp
US       8.8.8.8:53            73.144.22.2.in-addr.arpa       udp
FI       193.166.255.171:80    lousta.net                     tcp
US       8.8.8.8:53            23.236.111.52.in-addr.arpa     udp
FI       193.166.255.171:80    lousta.net                     tcp
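Pulling the sample's own indicators out of a table like this is mostly a matter of removing the detonation noise consistently. The following is an added example, not part of the report: both Network tables above are copied verbatim into the block, the resolver rows are kept as lookups (a query for a C2 domain is an indicator even when nothing answers), the sandbox's in-addr.arpa reverse lookups are dropped, and an allowlist of Windows background domains is applied. That allowlist (g.bing.com and www.microsoft.com) is an assumption made for this example based on what a clean Windows 10 detonation produces; replace it with your own baseline. What is left, and what the two runs share, is the three domains and three addresses.

```python
"""Extract the sample's network IOCs from the two detonation tables.

Added example, not part of the report. The row layout parsed here is the
report's own "<country> <ip>:<port> <domain> <proto>".
"""
import re

# Copied verbatim from the behavioral1 Network table.
BEHAVIORAL1 = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
"""

# Copied verbatim from the behavioral2 Network table.
BEHAVIORAL2 = """
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 8.8.8.8:53 144.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\d+\.\d+\.\d+\.\d+):(\d+) (\S+) (tcp|udp)$")
RESOLVER = ("8.8.8.8", 53)
# Assumption for this example: background traffic a clean Windows 10 detonation produces anyway.
BACKGROUND_DOMAINS = {"g.bing.com", "www.microsoft.com"}


def parse_rows(text):
    """Parse the report's network rows into dicts; reject anything that does not fit."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: %r" % line)
        rows.append({"country": m.group(1), "ip": m.group(2), "port": int(m.group(3)),
                     "domain": m.group(4), "proto": m.group(5)})
    return rows


def triage(rows):
    """Split rows into DNS lookups and real connections, dropping the sandbox's reverse lookups."""
    lookups, connections = set(), {}
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            continue                       # PTR queries the sandbox makes for contacted IPs
        if (r["ip"], r["port"]) == RESOLVER and r["proto"] == "udp":
            lookups.add(r["domain"])       # a query is an IOC even without a follow-up connection
            continue
        connections.setdefault(r["domain"], []).append((r["ip"], r["port"], r["proto"]))
    return lookups, connections


def iocs(rows):
    """Domains and addresses attributable to the sample, with per-domain connection counts."""
    lookups, connections = triage(rows)
    domains = (lookups | set(connections)) - BACKGROUND_DOMAINS
    ips = {ip for d, conns in connections.items() if d in domains for ip, _, _ in conns}
    hits = {d: len(connections.get(d, [])) for d in domains}
    return {"domains": domains, "ips": ips, "connections": hits}


def shared_iocs(*tables):
    """Indicators present in every detonation, the ones worth publishing first."""
    results = [iocs(parse_rows(t)) for t in tables]
    return {"domains": set.intersection(*(r["domains"] for r in results)),
            "ips": set.intersection(*(r["ips"] for r in results))}


if __name__ == "__main__":
    for name, table in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(name, iocs(parse_rows(table)))
    print("shared", shared_iocs(BEHAVIORAL1, BEHAVIORAL2))
```

The connection counts are worth keeping in the output: lousta.net is contacted three times in the Win7 run and four in the Win10 run, while the other two domains get a single connection each, which is the kind of asymmetry that separates a check-in host from one-off fetches.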

Files

Dropped files. The Roaming copy is byte-identical to the first Roaming copy in the Win7 run (MD5 14c79c671bc50c519dd04fad2b54fe12); the SysWOW64 copy has a different hash from the one written on Win7.

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 14c79c671bc50c519dd04fad2b54fe12
SHA1 7b9b804ba298e60c20b26db1b5c094bc4f8f60be
SHA256 26247c5f725d7d567587fc947467a387d3b304e8777867c989ef04c62ce036fb
SHA512 97cbb66058a3e4d5529e4e76e5c84980a7d7fe0996be25fde5a7a643af328b7b5662fdd5fa64e41b8e54528fe5db8961ac58447c57fe4682f34cbf7a6c4befe0

C:\Windows\SysWOW64\omsecor.exe
MD5 873f26cf77497b4e3609b1b35d5b2606
SHA1 0fc5279f46ec29a034ad4b5208b7ea5848f0a6a2
SHA256 b8b8126347cad59ab63aa64a22767e4b9f13f0600f0fc39eaa15a9ab167c2744
SHA512 5ecf7587d4e82ef978e31e8c9c180c4c3743fa12345c709646f80c296f9cd1b08bdee19877dab9f8ada8517d12c0fe8c295e0d514e72874565846bb3e388785b

Memory dumps (memory/<pid>-<seq>-<start>-<end>-memory.dmp). All three processes map their image at 0x400000-0x43E000; the report does not map these PIDs to image paths.
memory/3652-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3652-6-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2612-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2612-7-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2612-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3728-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3728-14-0x0000000000400000-0x000000000043E000-memory.dmp