Malware Analysis Report

2024-11-16 12:57

Sample ID 240816-y9dzhsyenk
Target 27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91
SHA256 27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91
Tags: upx neconyd discovery trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91

Threat Level: Known bad

The file 27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91 was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-16 20:28

Signatures

Neconyd family

neconyd

UPX packed file (upx)

Description Indicator Process Target
N/A N/A N/A N/A (no details recorded)

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (no details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-16 20:28

Reported

2024-08-16 20:31

Platform

win7-20240729-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE (3 events; description, indicator and target recorded as N/A)

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Process: C:\Windows\SysWOW64\omsecor.exe
Process: C:\Users\Admin\AppData\Roaming\omsecor.exe

UPX packed file (upx)

12 matches; description, indicator, process and target all recorded as N/A.

Drops file in System32 directory

Description: File created
Indicator: C:\Windows\SysWOW64\omsecor.exe
Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Target: N/A

System Location Discovery: System Language Discovery (discovery)

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Target: N/A
Processes (one event each, in order):
  C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Windows\SysWOW64\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Suspicious use of WriteProcessMemory (indicator recorded as N/A for every event)

Description: PID 2876 wrote to memory of 2516 (4 events)
  Process: C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe
  Target: C:\Users\Admin\AppData\Roaming\omsecor.exe

Description: PID 2516 wrote to memory of 944 (4 events)
  Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Target: C:\Windows\SysWOW64\omsecor.exe

Description: PID 944 wrote to memory of 2204 (4 events)
  Process: C:\Windows\SysWOW64\omsecor.exe
  Target: C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe

"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2876-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d57ae7dbb5a48670725cfa265ef81a78
SHA1 b8eb6a33c6e5783b96d3ca0c3aea252cc156d636
SHA256 4ef7b11020f5aae04ba77026cc4450d638a9b55832b7d32c5528e683830dead3
SHA512 55744eee247ce8b755f4c88c1465d2566644e0d5291b4763aee7385a692a67d0a29319613579870d12ed78589c798dab8b9ff26dfda02c954c7c6a326e9c9530

memory/2516-10-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2876-8-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2516-12-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 873f4c90a4c108af497fb8ac96ea56c3
SHA1 c64cf61142ed0032821dc186e748f38e69b98c73
SHA256 8b16684dd296c35565cd8b39ace2cbefd0640e7ff1ee774c3a0c44f1068f4d02
SHA512 2c3aa1531b1dc3b3128b27fa032bd987204d6975107ebd309548586dd9585b876288da9759d81a4568f4bab7c6e68c00a4051d358fe93a2881168c831659e123

memory/2516-17-0x0000000000320000-0x000000000035E000-memory.dmp

memory/2516-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2516-23-0x0000000000320000-0x000000000035E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5eec3869f5533493e5d42a6d98a2c390
SHA1 6940b7ee0097a8e3e31de25e1c2cdbc71e4405ee
SHA256 af0f7c3d0f06be06879dd0f80c6da04d335b278790cddabbce6c85de37972ce0
SHA512 868218bc80ab2b4eaae2ed99b301c54215e3ceb9926cb178df00eff50f7561bc976d4f69db300b8bcee19c0bc73e374794cad9245b6f9832628abc0fe84b9075

memory/944-29-0x00000000002D0000-0x000000000030E000-memory.dmp

memory/944-36-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2204-38-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-16 20:28

Reported

2024-08-16 20:31

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE (3 events; description, indicator and target recorded as N/A)

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Process: C:\Windows\SysWOW64\omsecor.exe
Process: C:\Users\Admin\AppData\Roaming\omsecor.exe

UPX packed file (upx)

12 matches; description, indicator, process and target all recorded as N/A.

Drops file in System32 directory

Description: File created
Indicator: C:\Windows\SysWOW64\omsecor.exe
Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Target: N/A

System Location Discovery: System Language Discovery (discovery)

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Target: N/A
Processes (one event each, in order):
  C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Windows\SysWOW64\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe

"C:\Users\Admin\AppData\Local\Temp\27b8cc542d173d558bc51dc99000efe070dfeac9ec4aceab2f77434ab5a5ce91.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1688-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d57ae7dbb5a48670725cfa265ef81a78
SHA1 b8eb6a33c6e5783b96d3ca0c3aea252cc156d636
SHA256 4ef7b11020f5aae04ba77026cc4450d638a9b55832b7d32c5528e683830dead3
SHA512 55744eee247ce8b755f4c88c1465d2566644e0d5291b4763aee7385a692a67d0a29319613579870d12ed78589c798dab8b9ff26dfda02c954c7c6a326e9c9530

memory/3844-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1688-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3844-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 0420272755ad5561646342fc1fd0b179
SHA1 ca78b1bf08b66294aebf827e829a8bacb766a8bd
SHA256 a696331af671eeb19ea91ad5c0cad8c5b2e75cc0722c68f31fcbe39d8b6b41ec
SHA512 c5a92cd4eac66f698633f04f93f81492909b5f40eb897c0a88e3e3261632da01d872a51cb866aca1aa41eb63b79a91ea7deba5f4d2de92796f45807966c72389

memory/3844-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4424-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4424-16-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 62f95fa69db60d791de050e2049e1f9f
SHA1 022481edf9a76ab8c07ffaf692642a3e64d21297
SHA256 c2c192995552bd9f13bee937a8859dd97f232e6fa3d15d53b1a7eb1d4ffe8c47
SHA512 835d62bd6b9388ad702f1bea1851326fb4a95d106c493cc461a3af284e20fa0c13af405ad6a063ec4ab19e21713598901066ebe3efbdd9cc4f569d458dad255c

memory/4384-18-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4384-20-0x0000000000400000-0x000000000043E000-memory.dmp