Malware Analysis Report

2024-11-16 12:57

Sample ID 240816-h2ryeasakd
Target 43d347556cc54861e67143c0b0837b60N.exe
SHA256 a78e3d341536b8ab1540131dbb51643c7681681333ca5f6e4d352b7b2597ba0f
Tags
upx neconyd discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a78e3d341536b8ab1540131dbb51643c7681681333ca5f6e4d352b7b2597ba0f

Threat Level: Known bad

The file 43d347556cc54861e67143c0b0837b60N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 07:14

Signatures

Neconyd family

neconyd

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 07:14

Reported

2024-08-16 07:16

Platform

win7-20240704-en

Max time kernel

116s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe

"C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 55ff185a28b30544cd52af035445fa0c
SHA1 3140140510f14b982ec71cb2938cf966a7517cf7
SHA256 8328b128e8691b466491225a3a7eaf9377389915bd9553151855afe4ac0edad4
SHA512 1a2772d11ffe52a2e07fcc10a7e8a7d4c3ffd6edce1e7ea3897ce9184867abfbd0c082c192cdafca1c4d98c7d03c4bedcdb56ce7fcc79a1a9f751e57fd3fdd12

\Windows\SysWOW64\omsecor.exe

MD5 48e8f8962cdc8b0e563fae4f87e033bb
SHA1 1fe63acd60ee4cf59dce4455ed6759916b95c0d3
SHA256 f1756d0b5fb7da4b43d5ec1d9fe2cb2a727bab07059062bea9896015a12f10a8
SHA512 92ac879c69a69e21012d61a7b785d0a3d9533766d18c54eb0b4f137b1f70b5882f196c25fbed98df357a3b841dc24126345bdd37862ec9c47d64762b20b8ce83

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 07:14

Reported

2024-08-16 07:16

Platform

win10v2004-20240802-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe

"C:\Users\Admin\AppData\Local\Temp\43d347556cc54861e67143c0b0837b60N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 55ff185a28b30544cd52af035445fa0c
SHA1 3140140510f14b982ec71cb2938cf966a7517cf7
SHA256 8328b128e8691b466491225a3a7eaf9377389915bd9553151855afe4ac0edad4
SHA512 1a2772d11ffe52a2e07fcc10a7e8a7d4c3ffd6edce1e7ea3897ce9184867abfbd0c082c192cdafca1c4d98c7d03c4bedcdb56ce7fcc79a1a9f751e57fd3fdd12

C:\Windows\SysWOW64\omsecor.exe

MD5 7aa55e8976cd752899788997aa75ee4b
SHA1 f6a3239199df61576131d5217aac585926ea98fb
SHA256 5cee3eae7c87d379e582a0db2469e5c7c7c1eec7de0742903d3fd72626a68666
SHA512 cdd81c2528a8b62509750a2d6a1ff7a9fdf7ec3ed87ce3c6d9481deec1b19704ce76aebf84e28222e90ba93d2805bcef8db7f512c111617297312dfb007e92f5

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 356c7aacfc473ac4e97c300d153f1c29
SHA1 57ddc6859f210bd92577ff30ce9e36e7f9114889
SHA256 547b729794b1fab6ae0e51f7cd55565f327a5e865038ac7dfbb60f51f6f4365f
SHA512 125d650ab94dd1b5b2e5dc9ea6111e92d09c96868cfc366ce16ef294da6baf4bf8d8a2b3a9626264a5ff2fc1d2977c1e23d22470075da478750c0a238fd46d36
