Malware Analysis Report

2024-11-16 12:57

Sample ID 240816-maewzsygmb
Target 4a3f11749bc8b703f5db7e870dbedc80N.exe
SHA256 f3e7542357ba53f7b28b1e02795a81bfab6dde6a0bd8735c55d588fd9f20edf2
Tags
upx neconyd discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f3e7542357ba53f7b28b1e02795a81bfab6dde6a0bd8735c55d588fd9f20edf2

Threat Level: Known bad

The file 4a3f11749bc8b703f5db7e870dbedc80N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-08-16 10:15

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 10:15

Reported

2024-08-16 10:17

Platform

win7-20240705-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2360 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2320 wrote to memory of 1904 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe

"C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/1984-1-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4ffc9955513891d6bb348e88762b44b6
SHA1 a09b5ce1e090a139315f08635d257e0739ed278b
SHA256 d24a71794becdd42494c2764400e88a4ada576fd21e059855515fa2307c299bb
SHA512 dc8ecb4604d6dbff62f0efc0ee69a502c3688b65441e238392acc8f9c7ca2d505ee3adfe854f8e2279d34527e7ef7e16ffd9550f1c099fda02c4f7ca4d9ce225

memory/2360-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2360-11-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 4d2564ea9d1e7c4443f95c77c3be4fd3
SHA1 bc94768c2d2a130916b43638ae7a8085a473dec7
SHA256 c36e028b980a57f9776be8eccf3a5444f07824d1d0ffab53f7c53e1f38b0e7a2
SHA512 cb85a8b9d969913540364a0260e75e891835e53fd4ac4e94bc56f6bf3c44397fe44c6e110e91912b5fcfea484b9725eff1f10bad1d887ee6f1db6e08c6f0c2b0

memory/2360-16-0x0000000000440000-0x000000000047E000-memory.dmp

memory/2360-22-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 90250173e3fccf3b0ac3ffa257758cb5
SHA1 a7b747d3b40973fbed5de2efcd19e15751d54460
SHA256 8c28c477ae66649d491d0ed079c12e0fdba2d1b2cecf39d9519cc4e69fdedfdd
SHA512 93a8748c4f39610644711e0760a7ec7f89831c8836364db6b9c4b8b45c6a747f2a3274e324434dbc679bad812c23a9938f77896b23481468e79671c5b2442c33

memory/2320-28-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2320-33-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1904-36-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 10:15

Reported

2024-08-16 10:17

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe

"C:\Users\Admin\AppData\Local\Temp\4a3f11749bc8b703f5db7e870dbedc80N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/920-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4ffc9955513891d6bb348e88762b44b6
SHA1 a09b5ce1e090a139315f08635d257e0739ed278b
SHA256 d24a71794becdd42494c2764400e88a4ada576fd21e059855515fa2307c299bb
SHA512 dc8ecb4604d6dbff62f0efc0ee69a502c3688b65441e238392acc8f9c7ca2d505ee3adfe854f8e2279d34527e7ef7e16ffd9550f1c099fda02c4f7ca4d9ce225

memory/4556-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/920-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4556-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 f4f5efd9df851afd5c8ed9db763d1544
SHA1 f92d935152833dddb608e716856cea8aeef93e46
SHA256 692f3162fdcbf0e2a55cab9070bb981340a481f1e74bef8a8856e7aaf9f72a6e
SHA512 af867245151eedbdaae757509867c21127107efe1f49f4e5787f48c3595487acef0c49c6f747427da19defde75c7c8ee9198d665ab2d66c291be8eb75addb90b

memory/4556-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/764-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/764-14-0x0000000000400000-0x000000000043E000-memory.dmp