Malware Analysis Report

2024-11-16 12:57

Sample ID 240816-ps8m5avcre
Target 73917747d0bb260e7f6224e9ef89b170N.exe
SHA256 7a2b390ed6c2efe72e1c7458e640555cb3e70abcbd6f6021bfd598734558b312
Tags
upx neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a2b390ed6c2efe72e1c7458e640555cb3e70abcbd6f6021bfd598734558b312

Threat Level: Known bad

The file 73917747d0bb260e7f6224e9ef89b170N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Discovery: System Location Discovery: System Language Discovery (T1614.001). This is the technique behind the "System Location Discovery: System Language Discovery" signature; the evidence is the NLS\Language registry key opened by every process in both behavioral runs.

Analysis: static1

Detonation Overview

Reported

2024-08-16 12:36

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description | Indicator | Process | Target
(1 match; no description, indicator, process or target recorded)

Unsigned PE

Description | Indicator | Process | Target
(2 matches; no description, indicator, process or target recorded)
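The "UPX packed file" signature above is a static check on the PE layout. As an added example, not code from this report or from any unpacker, the Python below walks the PE section table and reports the three UPX indicators an analyst looks for before unpacking: the UPX0/UPX1 section names, a section with no file-backed bytes but a large virtual size (the region the stub decompresses into), and the "UPX!" pack-header marker. The two PE headers it checks are constructed inline so it runs without the sample; their section names and sizes are illustrative and not taken from this binary.

```python
"""Flag UPX-style packing from the PE section table (added example; not code
from this report or from any unpacker).

Assumptions, not from the report: the classic UPX layout is a UPX0 section
with SizeOfRawData 0 and a large VirtualSize (the stub decompresses into it),
UPX1 holding the packed data, and a "UPX!" pack-header marker. The two PE
headers below are constructed inline so the script runs offline; their
section names and sizes are illustrative and not taken from the sample.
"""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_sections(data: bytes) -> list[dict]:
    """Return the section table of a PE image; raise ValueError if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes; only the first five fields matter here.
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rsize, "raw_ptr": rptr})
    return sections


def upx_indicators(data: bytes) -> list[str]:
    """Reasons a PE looks UPX-packed; an empty list means no indicator found."""
    sections = parse_sections(data)
    reasons = []
    hits = sorted(s["name"].decode() for s in sections if s["name"] in UPX_SECTION_NAMES)
    if hits:
        reasons.append("UPX section names: " + ", ".join(hits))
    for s in sections:
        # A section with no file-backed bytes but a large virtual size is the
        # decompression target; renaming sections does not hide this.
        if s["raw_size"] == 0 and s["virtual_size"] > 0x1000:
            reasons.append(f"section {s['name'].decode(errors='replace')} has no raw data "
                           f"but {s['virtual_size']:#x} bytes of virtual size")
    if b"UPX!" in data:
        reasons.append("UPX! pack-header marker present")
    return reasons


def build_sample_pe(section_specs) -> bytes:
    """Build a header-only PE32 image (constructed test data, not a loadable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)   # 0x40 bytes
    opt = bytes(0xE0)                                          # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rsize, rptr, 0, 0, 0, 0, flags)
        for name, vsize, vaddr, rsize, rptr, flags in section_specs)
    return dos + b"PE\0\0" + file_hdr + opt + table


# Constructed samples: a UPX-like layout and a plain compiler layout.
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", 0x1B000, 0x1000, 0, 0x400, 0xE0000080),
    (b"UPX1", 0x11000, 0x1C000, 0x10200, 0x400, 0xE0000040),
    (b".rsrc", 0x1000, 0x2D000, 0x200, 0x10600, 0xC0000040),
]) + b"UPX!" + bytes(32)
PLAIN_SAMPLE = build_sample_pe([
    (b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
    (b".data", 0x200, 0x2000, 0x200, 0x1400, 0xC0000040),
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_SAMPLE
    print("\n".join(upx_indicators(blob)) or "no UPX indicators")
```

Run it with a file path to check a real binary. A build that renames its sections defeats the name check but usually not the raw-size check, which is why both are reported; `upx -d` refuses files whose section names or pack header were altered, so a raw-size hit without a name hit suggests a modified packer and a manual unpack.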

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 12:36

Reported

2024-08-16 12:38

Platform

win7-20240729-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(15 matches; no description, indicator, process or target recorded)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2412 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2412 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2412 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2412 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 780 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 780 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 780 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 780 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
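The twelve rows above describe three hops, each repeated four times. As an added example that is not part of the report, the Python below embeds those rows as constructed input, collapses the repeats into one edge per writer/target pair with a write count, walks from the root PID to rebuild the chain 2412 -> 2188 -> 780 -> 1820, and labels each hop. One caveat worth keeping in mind, stated here as an assumption about how the signature fires rather than as something the report says: a parent writing into a child it has just created is what CreateProcess itself does, so these rows read as the execution chain of the dropped copies (matching the "Executes dropped EXE" table) rather than as injection into a foreign process; a write into a process the writer did not spawn is the case to escalate.

```python
"""Rebuild the execution chain from "Suspicious use of WriteProcessMemory" rows
(added example; not part of the sandbox report).

The rows are copied from the behavioral1 table above and embedded as
constructed input so the script runs offline. Assumption, not stated by the
report: a process writing into a child it has just created is what
CreateProcess itself does, so such rows are read as parent -> child hops;
a write into a process the writer did not spawn is the injection case.
"""
import re
from dataclasses import dataclass

WPM_ROWS = r"""
PID 2412 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2412 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2412 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2412 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 780 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 780 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 780 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 780 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 780 wrote to memory of 1820 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 780 wrote to memory of 1820 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 780 wrote to memory of 1820 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 780 wrote to memory of 1820 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
"""

# Executables listed under "Executes dropped EXE" in the same detonation.
DROPPED = {r"C:\Users\Admin\AppData\Roaming\omsecor.exe", r"C:\Windows\SysWOW64\omsecor.exe"}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


@dataclass
class Edge:
    src_pid: int
    dst_pid: int
    src_path: str
    dst_path: str
    writes: int = 0


def parse_wpm_rows(text: str) -> list[Edge]:
    """One Edge per (writer, target) pair; repeated rows only bump the write count."""
    edges: dict[tuple[int, int], Edge] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip().replace(" | ", " "))  # accept pipe-separated cells too
        if not m:
            continue
        src, dst, _indicator, src_path, dst_path = m.groups()
        key = (int(src), int(dst))
        edges.setdefault(key, Edge(key[0], key[1], src_path, dst_path)).writes += 1
    return list(edges.values())


def execution_chain(edges: list[Edge]) -> list[tuple[int, str]]:
    """Walk from the root (a writer nobody wrote into) through successive targets.
    Handles the linear chain this report shows; a writer with two targets is
    rejected so that a branching tree is not silently flattened."""
    by_src: dict[int, list[Edge]] = {}
    for e in edges:
        by_src.setdefault(e.src_pid, []).append(e)
    targets = {e.dst_pid for e in edges}
    roots = [pid for pid in by_src if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {len(roots)}")
    pid = roots[0]
    chain = [(pid, by_src[pid][0].src_path)]
    seen = {pid}
    while pid in by_src:
        if len(by_src[pid]) > 1:
            raise ValueError(f"PID {pid} writes into several processes; walk as a tree")
        e = by_src[pid][0]
        if e.dst_pid in seen:
            raise ValueError("cycle in WriteProcessMemory rows")
        chain.append((e.dst_pid, e.dst_path))
        seen.add(e.dst_pid)
        pid = e.dst_pid
    return chain


def classify_edge(e: Edge, dropped: set[str] = DROPPED) -> str:
    """spawn: target is a dropped executable (parent writing into its new child);
    remote: target is some other process, the case that points at injection."""
    return "spawn" if e.dst_path in dropped else "remote"


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    for pid, path in execution_chain(edges):
        print(pid, path)
    for e in edges:
        print(f"{e.src_pid} -> {e.dst_pid}: {e.writes} writes, {classify_edge(e)}")
```

The chain it prints matches the memory dumps listed under Files (2412, 2188, 780, 1820) and shows the dropper re-entering AppData\Roaming at the last hop: a second, rewritten omsecor.exe copy rather than a new binary.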

Processes

C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2412-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6699b4b99fb87a6ee0b6519ef430d309
SHA1 0bc9e17404c33fee3205a85c405fa9f039cc79ad
SHA256 7cdf086cb3dedceef0a7bcfa2b598e7013f975bc30353306eb35f4a00c22e9eb
SHA512 c603496cd615d3ff3e972b6b13cb2f09af0b2e5a659d22a7a20d7643b505d11cebf1e4b7a12bb4559a7326a0375414434c0e53080dba8d7b1fc3d370de486ec9

memory/2188-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2412-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2188-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2188-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2188-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2188-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 1c5561101bd6e6b6c1939994335f484d
SHA1 b0390cd052f4e141192941ba6be80cc188f9c258
SHA256 b3dc85093e7b43b149ee7998f46ed85721535d2e0ee31af6d43910274df920be
SHA512 c0c00f42c397f601e17da64b41825fd18934c7b3c75b9f47359e8dbf58665b5a82ce7721b85736cb9d5c5d49f47ba19351eeb63bd8a714a1a19bef6e9b9e47c1

memory/2188-27-0x0000000000430000-0x000000000045D000-memory.dmp

memory/780-35-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2188-33-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ccaee2918aa0dcc91478005f88fc9467
SHA1 da1dfc1d835859accb011c18ed9dd2afd0edce0e
SHA256 d54a20a4546cac3bc7f75326063344372c968e6cf52b2c19299adf9e940be907
SHA512 704a0975cb3650d049bb84e498129683a60bce04eb10485bcdd06b10666ab4663c66f271044872ac8ce7f8e3bb9966021ed17c579976195b9d9523f3814d2b69

memory/1820-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/780-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1820-49-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 12:36

Reported

2024-08-16 12:38

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(15 matches; no description, indicator, process or target recorded)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\73917747d0bb260e7f6224e9ef89b170N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
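Both Network tables (behavioral1 above and behavioral2 here) mix the sample's own traffic with resolver, reverse-lookup and Windows background rows. As an added example, not part of the report, the Python below embeds both tables as constructed input, discards the noise, and returns the three contacted domains with the endpoints they resolved to, plus per-domain connection counts (lousta.net is contacted four times in each run, the other two once). The noise rules are assumptions rather than report findings: the 8.8.8.8:53 rows are the sandbox's resolver answering the sample's lookups, the *.in-addr.arpa rows are reverse lookups made while the report was built, and tse1.mm.bing.net is Windows 10 background traffic, consistent with it appearing only in the win10 run.

```python
"""Separate the sample's C2 traffic from sandbox and OS noise in the Network
tables (added example; not part of the sandbox report).

Both tables are embedded below as constructed input copied from the report.
The noise rules are assumptions, not report findings: 8.8.8.8:53 rows are the
sandbox resolver, *.in-addr.arpa rows are reverse lookups made while the
report was built, and tse1.mm.bing.net is Windows 10 background traffic.
"""
from collections import defaultdict

BEHAVIORAL1_NET = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
"""
BEHAVIORAL2_NET = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
"""

BACKGROUND_HOSTS = {"tse1.mm.bing.net"}   # assumed OS noise; extend per environment


def parse_rows(text: str) -> list[dict]:
    """Rows are 'CC ip:port domain proto'; header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        cc, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_noise(row: dict) -> bool:
    d = row["domain"]
    if row["proto"] == "udp" and row["port"] == 53:      # resolver traffic, not a C2 hop
        return True
    if d.endswith(".in-addr.arpa"):                       # PTR lookups made by the sandbox
        return True
    return any(d == h or d.endswith("." + h) for h in BACKGROUND_HOSTS)


def c2_candidates(*tables: str) -> dict[str, list[str]]:
    """domain -> sorted 'ip:port' endpoints across all given tables, noise removed."""
    out = defaultdict(set)
    for text in tables:
        for row in parse_rows(text):
            if not is_noise(row):
                out[row["domain"]].add(f"{row['ip']}:{row['port']}")
    return {d: sorted(eps) for d, eps in sorted(out.items())}


def connection_counts(text: str) -> dict[str, int]:
    """Non-noise connections per domain in one detonation; repeats hint at polling."""
    counts = defaultdict(int)
    for row in parse_rows(text):
        if not is_noise(row):
            counts[row["domain"]] += 1
    return dict(counts)
```

Calling `c2_candidates(BEHAVIORAL1_NET, BEHAVIORAL2_NET)` yields lousta.net, mkkuei4kdsz.com and ow5dirasuek.com with their plain-HTTP endpoints; both the domains and the resolved addresses are worth blocking, since the same three resolve identically across the two runs, two months apart from the report date at most.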

Files

memory/2000-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6699b4b99fb87a6ee0b6519ef430d309
SHA1 0bc9e17404c33fee3205a85c405fa9f039cc79ad
SHA256 7cdf086cb3dedceef0a7bcfa2b598e7013f975bc30353306eb35f4a00c22e9eb
SHA512 c603496cd615d3ff3e972b6b13cb2f09af0b2e5a659d22a7a20d7643b505d11cebf1e4b7a12bb4559a7326a0375414434c0e53080dba8d7b1fc3d370de486ec9

memory/1272-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2000-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1272-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1272-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1272-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1272-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 4b283b7c8f5ee034d8eee44ff1eb6d07
SHA1 bd3276b851deee2577ce9f558a56a4734d713cbb
SHA256 9b9ffbff4fc9075b57ecef65234eb3d1cd54d83367fd8475d0d8cc02bb927b70
SHA512 4a2b72bf7e06a809604a14b25ad0a9e5f5a49028013d2273bf704f4285d2f545a7d4305b1ae2302ebc4205a32894f219b16ba17e0f5a163e7bc3acfc2a4157cf

memory/4140-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1272-22-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 192c640cd317113e9370cfc9a3f708c6
SHA1 61c837e59a32d7c62ab8f03e1eace4f341288d43
SHA256 7f39d44faa8ddfe0c6d9de3e1a2a7c800f709a10a8deae80632cecab0e5c8758
SHA512 26bb029a94666fa487f61d8b767a529bf09da8a9829d607d713d16599a7345e9e8dd11d3e2327f9036d704a492d3d9975943974206598a71c109202a20fa47ae

memory/4140-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1756-26-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1756-30-0x0000000000400000-0x000000000042D000-memory.dmp
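Comparing this Files section with the one from behavioral1 shows which hashes are worth keying on: the first copy written to AppData\Roaming has the same SHA256 (beginning 7cdf086c) in both detonations, while the SysWOW64 copy and the second Roaming copy differ between the two runs, so only the original sample and that first drop are stable file indicators. As an added example, not part of the report, the Python below holds the SHA256 values from both runs, computes the stable subset, and classifies a file by hash first and then by whether it sits at one of the drop locations, so a fresh copy with an unseen hash is still flagged. The path rule is an assumption (omsecor.exe directly under AppData\Roaming, SysWOW64 or System32), as is treating such a path as suspicious on its own.

```python
r"""Decide which dropped-file hashes from the two detonations are stable enough
to use as indicators, and classify a file by hash or by drop location (added
example; not part of the sandbox report).

The hashes are copied from the Files sections. Assumptions, not from the
report: omsecor.exe is dropped only under AppData\Roaming, SysWOW64 or
System32, and a file of that name at one of those locations is suspicious
even when its hash has not been seen before.
"""
import hashlib
from pathlib import PureWindowsPath

ORIGINAL_SAMPLE = "7a2b390ed6c2efe72e1c7458e640555cb3e70abcbd6f6021bfd598734558b312"

# SHA256 -> path, per detonation, in the order the report lists them.
BEHAVIORAL1 = {
    "7cdf086cb3dedceef0a7bcfa2b598e7013f975bc30353306eb35f4a00c22e9eb": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    "b3dc85093e7b43b149ee7998f46ed85721535d2e0ee31af6d43910274df920be": r"C:\Windows\SysWOW64\omsecor.exe",
    "d54a20a4546cac3bc7f75326063344372c968e6cf52b2c19299adf9e940be907": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
}
BEHAVIORAL2 = {
    "7cdf086cb3dedceef0a7bcfa2b598e7013f975bc30353306eb35f4a00c22e9eb": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    "9b9ffbff4fc9075b57ecef65234eb3d1cd54d83367fd8475d0d8cc02bb927b70": r"C:\Windows\SysWOW64\omsecor.exe",
    "7f39d44faa8ddfe0c6d9de3e1a2a7c800f709a10a8deae80632cecab0e5c8758": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
}

# Parent directories (last two path components) where the report shows omsecor.exe written.
DROP_DIRS = {("appdata", "roaming"), ("windows", "syswow64"), ("windows", "system32")}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stable_hashes(*runs: dict) -> set[str]:
    """Hashes present in every detonation: the only dropped-file hashes worth
    shipping as IOCs, since the later copies are rewritten differently per run."""
    common = set(runs[0])
    for run in runs[1:]:
        common &= set(run)
    return common


def at_drop_location(path: str) -> bool:
    """True for omsecor.exe directly under one of the drop directories (case-insensitive)."""
    p = PureWindowsPath(path)
    if p.name.lower() != "omsecor.exe":
        return False
    parts = tuple(part.lower() for part in p.parts)
    return parts[-3:-1] in DROP_DIRS


def classify(path: str, data: bytes, extra_hashes=()) -> str:
    """known-hash: file matches the original sample or a dropped copy from either run;
    suspicious-path: unknown hash but sitting where the dropper writes its copies;
    no-match: neither."""
    known = {ORIGINAL_SAMPLE, *BEHAVIORAL1, *BEHAVIORAL2, *extra_hashes}
    if sha256_hex(data) in known:
        return "known-hash"
    if at_drop_location(path):
        return "suspicious-path"
    return "no-match"
```

`stable_hashes(BEHAVIORAL1, BEHAVIORAL2)` returns just the first-drop hash; pair it with the original sample hash for hash-based sweeps, and rely on the path check (or the process chain and the three C2 domains) to catch the per-run copies.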