Malware Analysis Report

2024-11-16 12:57

Sample ID 240816-nza5rsxarp
Target 741ff93c21af15ccbdf259b024cebb40N.exe
SHA256 b52f3ec3d5ee78c2ce147ff2f2d85dc2cf8d65b10723520602cd8493aaa1b5c7
Tags
upx neconyd discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b52f3ec3d5ee78c2ce147ff2f2d85dc2cf8d65b10723520602cd8493aaa1b5c7

Threat Level: Known bad

The file 741ff93c21af15ccbdf259b024cebb40N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-08-16 11:49

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 11:49

Reported

2024-08-16 11:51

Platform

win7-20240705-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1544 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1544 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1544 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2696 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2696 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2696 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2696 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2424 wrote to memory of 1744 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2424 wrote to memory of 1744 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2424 wrote to memory of 1744 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2424 wrote to memory of 1744 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe

"C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/1544-1-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e962b62a32c1ce8c318da671b6df941d
SHA1 6d8afb4952d4d6907bca9182b70240af31871f43
SHA256 e546025fed31886798f7e47b9803205206ad4fd45eacd7729e357eccde1f81f1
SHA512 400396347e1a39997b77e3724424ba4e484f6ee294c8337fcde5fb2915be1beef5aba85d29e16a7dc7c6c0bc198b229dbcd384a62e9d8338b1714af5fa8a27de

memory/2696-10-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1544-8-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2696-12-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 e90611d086b27c44b6e66f261974d4f7
SHA1 4056441fced54e46dd6b6fb5cfa973dd8b744c1e
SHA256 7a7a47c33d631a6df34f48cc45ef744497583dfb6c0779aa053e8e7405f6ab27
SHA512 9fb46fd73717ea9a3f836588a19202f8953b86502a82e9d2990bd3733e28667f8d0b2d9209370adc6a3651529b75c8aaab8e092505950935a276c3910f1732ee

memory/2696-17-0x0000000000290000-0x00000000002CE000-memory.dmp

memory/2696-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2424-29-0x0000000000220000-0x000000000025E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5e3bf003c304180174bb751df622f63a
SHA1 61b396b49ef2c56de6c5e46e7d1fd76f38428280
SHA256 c601cc325fa1d15c495a46e56774382477c0d2b22c56e2c02ee1588f26a66403
SHA512 54f61d6644da98718db2f7882067aa2db5bc2a771b2f24c8a4c49eafaf37eda9652878408adbd9ec4f1dc7d2f101c255ce795e5820f41ec452b9893fd76216cb

memory/1744-36-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2424-35-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1744-38-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 11:49

Reported

2024-08-16 11:51

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe

"C:\Users\Admin\AppData\Local\Temp\741ff93c21af15ccbdf259b024cebb40N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/624-0-0x0000000000400000-0x000000000043E000-memory.dmp

memory/968-4-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e962b62a32c1ce8c318da671b6df941d
SHA1 6d8afb4952d4d6907bca9182b70240af31871f43
SHA256 e546025fed31886798f7e47b9803205206ad4fd45eacd7729e357eccde1f81f1
SHA512 400396347e1a39997b77e3724424ba4e484f6ee294c8337fcde5fb2915be1beef5aba85d29e16a7dc7c6c0bc198b229dbcd384a62e9d8338b1714af5fa8a27de

memory/624-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/968-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 78859c48701f5c431bb3f0bb2e921127
SHA1 efa7431f7fa3f269ed5bb6e89449b8a72170c8b5
SHA256 1b7a2f85e5c1fed912cd41d4416ce8f15a4e376f4cc652ce14d254cf726eebdf
SHA512 bd7fc429f344f11e640191aba261511fdc479d86e75f5252eef95d260f583fd3b0e2d8dbeebb25b5cbd546922ace3ee1ec480ea09aeeb41cddab74c91cee0d11

memory/1612-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/968-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1612-17-0x0000000000400000-0x000000000043E000-memory.dmp

memory/408-18-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8ccbdd1d5f233c531c344f23f7823a75
SHA1 f6198d41151ddefd79e5e4568b1d54f97af6c9e0
SHA256 5d5b0aff2d6c7fbda3746bc4cc86ac2d1ff17cbad222123ebe9cab2cdd8fe945
SHA512 af6ebba4ab4e9a29dfd02788d84a3272f91ab5b5de3535f96362310acf7167a971e004f9accbc47e85b20aab13da07946b14a56e036c71d450e4dc5e039c3306

memory/408-20-0x0000000000400000-0x000000000043E000-memory.dmp