Malware Analysis Report

2024-11-16 12:59

Sample ID: 240816-vmsydawera
Target: 5b6c7474496516e1b906a62fb42adcb0N.exe
SHA256: f7b6791603107af9bc76001ecc8113bafe0d8b8454999adf0ba387de79de6f63
Tags: neconyd discovery trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: f7b6791603107af9bc76001ecc8113bafe0d8b8454999adf0ba387de79de6f63

Threat Level: Known bad

The file 5b6c7474496516e1b906a62fb42adcb0N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: neconyd discovery trojan upx

Neconyd family

Neconyd

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-16 17:06

Signatures

Neconyd family

neconyd

UPX packed file

upx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

Unsigned PE

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-16 17:06
Reported: 2024-08-16 17:08
Platform: win7-20240729-en
Max time kernel: 116s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| PID 2540 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2540 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2540 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2540 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2464 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2464 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2464 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2464 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2520 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2520 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2520 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2520 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |

Files

memory/2540-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 920bd830dd09045b91b3703bc715037a
SHA1 7e183e8dec67773df8cf705507cd98760c23f0f8
SHA256 b66ffc4daff7e74c43eaf56e5c414b205d964f5e190b33a49ba690b379dc7c7b
SHA512 1522b2ec474099fc796b87b34eb4e2a23956e783cf46044c34b00fafd6bab653776fa024dd2170de6d4f359d73162c3304e4cb68fd9eb8ed852b1d2501a343c0

memory/2540-9-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2464-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2540-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2540-8-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2464-14-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 01844ead966ebb2f866d20e27b178e7d
SHA1 dc35ea91324d10405bbc7137183c718114483927
SHA256 49fb919d5a80d02a27723ddb1d456417d97e147664306e79fa983d81e3cd3c28
SHA512 778e55c6a8e1231c89d54c91e49794a1f0f39c03c620fa4edd021129875dac5d980f2c6ee5cb055bcbf2b342f622cffb3e16988c0cb1a2e9570cc9fa19971462

memory/2520-29-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2464-26-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2464-20-0x0000000000280000-0x00000000002BE000-memory.dmp

memory/2520-32-0x0000000000220000-0x000000000025E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5c946cbf07840a44958684d52a20b6f2
SHA1 274090553d8c12729d9d11745863849bd2ad99ce
SHA256 e43fce1f16ac42448352eae9c6341349e63698b24e3b344dcc31394616fca3bc
SHA512 4a9ad24d0c7acbe137283f7e82046bfbd42eac9a2885201294992268248e0ac5a641cdded648930a1dfc58da217793171606f94094fd781d33882104393aa499

memory/2584-38-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2584-40-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-16 17:06
Reported: 2024-08-16 17:08
Platform: win10v2004-20240802-en
Max time kernel: 118s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |

UPX packed file

upx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b6c7474496516e1b906a62fb42adcb0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe

Network

| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |

Files

memory/1684-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 920bd830dd09045b91b3703bc715037a
SHA1 7e183e8dec67773df8cf705507cd98760c23f0f8
SHA256 b66ffc4daff7e74c43eaf56e5c414b205d964f5e190b33a49ba690b379dc7c7b
SHA512 1522b2ec474099fc796b87b34eb4e2a23956e783cf46044c34b00fafd6bab653776fa024dd2170de6d4f359d73162c3304e4cb68fd9eb8ed852b1d2501a343c0

memory/2436-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1684-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2436-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 a1522cd56d073f343c50ad74e1017639
SHA1 4dd455a6c31790e7e4177c96d86a90f2135f5a75
SHA256 5c67feae83ebeda61a1153ed0b202651ccba8e60511db68291d757a22689df8c
SHA512 98195499f4bbf23dd7c482bd7bc3b10a653d0f4f195592ce159f214e03d7c8b76945877f30fe781662f55eab682cec002bfee2fa8edc8687fd5cd4fd0415a8bc

memory/716-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2436-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/716-14-0x0000000000400000-0x000000000043E000-memory.dmp