Malware Analysis Report

2024-11-16 12:57

Sample ID 240816-y7rslaydpn
Target 27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91
SHA256 27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91
Tags
upx neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91

Threat Level: Known bad

The file 27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91 was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 20:25

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 20:25

Reported

2024-08-16 20:28

Platform

win7-20240704-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2724 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2724 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2724 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2776 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2776 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2776 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2776 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2344 wrote to memory of 2888 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2344 wrote to memory of 2888 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2344 wrote to memory of 2888 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2344 wrote to memory of 2888 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe

"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2724-1-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d57ae7dbb5a48670725cfa265ef81a78
SHA1 b8eb6a33c6e5783b96d3ca0c3aea252cc156d636
SHA256 4ef7b11020f5aae04ba77026cc4450d638a9b55832b7d32c5528e683830dead3
SHA512 55744eee247ce8b755f4c88c1465d2566644e0d5291b4763aee7385a692a67d0a29319613579870d12ed78589c798dab8b9ff26dfda02c954c7c6a326e9c9530

memory/2776-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2724-9-0x0000000000230000-0x000000000026E000-memory.dmp

memory/2724-8-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2776-13-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 c2d44123e5a850473345783f9c5333f2
SHA1 7e37b6fcf26cd4ad4e29196c71c308ad96c2701f
SHA256 8f5520fa8234de3c851f7ddbf319313864bd8bb9d48687a456b9f55594014df8
SHA512 5a865020c521467c6488d2bebcb3edb60c2165150663169229a70f76941be12e497a0df3ba652077b80a69899846726443b3f29030ef517df769c42b8d660f4f

memory/2776-25-0x0000000000440000-0x000000000047E000-memory.dmp

memory/2776-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2888-36-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d115c92484dcf2607d9f55150c808b58
SHA1 62b1e3fac2de2629133e70a958ff22d2305d2dd5
SHA256 01ef9d4ed50d7b436f3717a1504f0061c061c340b1f2c5dbd089ead781476f40
SHA512 37b8cce138b1ff7f6671c2ea9514b7e81f848331b7373257aa95e49e64bca189b09fdcf3ddfe230a66ee16a9876da379cd1e5dd4d844391cef5ad38d789b4b77

memory/2344-34-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2776-38-0x0000000000440000-0x000000000047E000-memory.dmp

memory/2888-39-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 20:25

Reported

2024-08-16 20:28

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe

"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/4484-0-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4540-4-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d57ae7dbb5a48670725cfa265ef81a78
SHA1 b8eb6a33c6e5783b96d3ca0c3aea252cc156d636
SHA256 4ef7b11020f5aae04ba77026cc4450d638a9b55832b7d32c5528e683830dead3
SHA512 55744eee247ce8b755f4c88c1465d2566644e0d5291b4763aee7385a692a67d0a29319613579870d12ed78589c798dab8b9ff26dfda02c954c7c6a326e9c9530

memory/4484-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4540-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 36ba908690814c84fbc9585b039614b7
SHA1 7c51deddc486a538eacc83b1561ae20276206e08
SHA256 5b6b0162b0a1ca44fe402b32304149bb0666f65e64c90ddfbb5b2cb469ee6d0f
SHA512 4bef244163f91a67ebbcaba89d8241511a254b0bb9644423de10460f6e444774657a992276af0512eaf5e558a6bd19e22bd64d137842b168a884cc0ce62d762a

memory/3252-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4540-13-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f46c822678bcd43e2f81c41ec265d922
SHA1 8058ed8facc3bd01a894b6ff14f5d7ef95b00c16
SHA256 a032951810b71554d8742114a756013ac5923c262b61b96b022eb9bc5115a9fa
SHA512 7c68a9605412c56fc5fe9a9458cb1cf9fcb9a3ca5a7228bc1a7be5fd81da464d1cd167cd0abf5ae2c9761c24c17a7a135ac34829844774cee1fae9c4e64bd91a

memory/3252-16-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2020-18-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2020-20-0x0000000000400000-0x000000000043E000-memory.dmp