Malware Analysis Report

2024-11-16 12:57

Sample ID: 240816-pt5mvsvdmb
Target: a43f45f3744a0a746e92ada850e2bdf0N.exe
SHA256: 32ec54cef7d6ced2cd5c4b62eea890742f53724913f402df4020e4627527604d
Tags: upx neconyd discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

32ec54cef7d6ced2cd5c4b62eea890742f53724913f402df4020e4627527604d

Threat Level: Known bad

The file a43f45f3744a0a746e92ada850e2bdf0N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd

Neconyd family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-16 12:38

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-16 12:38
Reported: 2024-08-16 12:40
Platform: win7-20240704-en
Max time kernel: 117s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe

"C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/3032-1-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 578ac5f7a098ff228b0276d35fc47705
SHA1 60d90c22308f5e2615497b95162d20e260abc195
SHA256 e6c53763e22f796d6977d1cefa6fc9c608fe4de2ab2596d1c4b1a2cd4cb04ad3
SHA512 4128ce085e844fc44887a5946601250075c89d96a8c4df460254afc66900fa2f2591a93c585cdb3144cb79c0c34a8cf1c9e42972af8defa508d41ed5e2d49c84

memory/3056-10-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3032-8-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3056-12-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 3e387bee6cf8fb1b9fdfaf4e3aca4e38
SHA1 cfe4f0d8607ef0f0d0db669a0689fc9d5b21ff5f
SHA256 7bba8b6a2285531da99890a6b4657cc4fd1474b47580cc238768a508bfc7faeb
SHA512 d334eb3ff4d6e2a4298170112d277346c421f5a1f779fa39dafbd5c99a9a582c9b0a273d9a55b40f5e774b9bd06d718c3a3023b542627bec4c05b2b12fa7e260

memory/3056-18-0x0000000000280000-0x00000000002BE000-memory.dmp

memory/2164-26-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3056-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2164-27-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-16 12:38
Reported: 2024-08-16 12:40
Platform: win10v2004-20240802-en
Max time kernel: 114s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe

"C:\Users\Admin\AppData\Local\Temp\a43f45f3744a0a746e92ada850e2bdf0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/1552-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 578ac5f7a098ff228b0276d35fc47705
SHA1 60d90c22308f5e2615497b95162d20e260abc195
SHA256 e6c53763e22f796d6977d1cefa6fc9c608fe4de2ab2596d1c4b1a2cd4cb04ad3
SHA512 4128ce085e844fc44887a5946601250075c89d96a8c4df460254afc66900fa2f2591a93c585cdb3144cb79c0c34a8cf1c9e42972af8defa508d41ed5e2d49c84

memory/2452-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1552-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2452-7-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4932-11-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 82267cb77c0f7cabcf9ae1cb91f3ac41
SHA1 d0362de4a0677d390fece5499384dc93110ee35c
SHA256 69e66f70f2d4bc8ef440a4e7536e8d5c0f4f8dd2ce67aefb7fd12fd1598f63dd
SHA512 482246623ce5576c46e918bb88faa4eec36895c1c5ef42990b8f2b2f6909f9fceb876fb1da3b46eea9f5c897d96cafd79a2fca35dbd0802b6eea3b74052cce17

memory/2452-12-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3c4ae9e20cb3049d350c18af85ccade9
SHA1 9ae9ff6584ceb8ac9725faffb4dbe112fae6986a
SHA256 857b598db1979a1da31b0217713ff4544cb4d0aed4fb3aa962974d47fa370bac
SHA512 7bf9fe90f9783946ac7a53bf9d176c37ac82867a6e0f4a49034002201cdf70af020b2f8c345565749ad0075589ec1e5e3cc5a41f0bfde26b09e3190f23e9711e

memory/3908-17-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4932-18-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3908-20-0x0000000000400000-0x000000000043E000-memory.dmp