Malware Analysis Report

2024-11-16 12:59

Sample ID 240817-1bbslsxgmd
Target 442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b
SHA256 442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b
Tags
neconyd discovery trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b

Threat Level: Known bad

The file 442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan upx

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 21:28

Signatures

Neconyd family

neconyd

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 21:28

Reported

2024-08-17 21:30

Platform

win7-20240704-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2740 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2800 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2800 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2800 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2800 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2572 wrote to memory of 2988 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2572 wrote to memory of 2988 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2572 wrote to memory of 2988 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2572 wrote to memory of 2988 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe

"C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2740-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3a34abdd8486611c2b5b75e731659218
SHA1 17646419164b1b0a0c84b53dca714ea75be3b546
SHA256 78c50b771ab47e8cda508ba9615b8ba500df4663184310c2ded091130d9845aa
SHA512 a405c4cbab505865f337110858ce4f07cbfca16de648b580612ea273efea3b6949c36463ebde0d2efea6239a42e9964db88fc9ef93b097dcda20788a67b5ffd0

memory/2740-8-0x00000000001B0000-0x00000000001EE000-memory.dmp

memory/2740-10-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2800-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2800-13-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 b691b67d9835f523cfd3b73d37593db6
SHA1 48e0196a3793df788585b6aff42149d7a2a18849
SHA256 34e2326f3f3a31a7e0d090fcae70d5a7fa8fd2f3a0d2768f683246cbd2f6f8fe
SHA512 9dbc30666699cd749e944c130ca251791d5e363f16615046ab28985de6e7aa1b81dc5a3f785429d1111861ab4d09bf131f7b756b425541b68596d2943b292acc

memory/2572-27-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2800-25-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2800-24-0x00000000002D0000-0x000000000030E000-memory.dmp

memory/2800-23-0x00000000002D0000-0x000000000030E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8dd2141e4c80a53df3d82e251feeec3c
SHA1 f744df890da169a786e6d60308844af08eb14039
SHA256 a2de9c3a941298c95a71cd3a2c507f04d0d7aa0d77847c28442cf7e5af89a4d9
SHA512 56ed581e0fa817ada44b8e3eb1a7aad67d6ed2318a236877db26e3d2427e8382262fbd26cd722793e6e7536d10c4c74cb0d74a024a3ffd392a19501d22ff9533

memory/2572-32-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2572-37-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2988-40-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 21:28

Reported

2024-08-17 21:30

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe

"C:\Users\Admin\AppData\Local\Temp\442a7856c1eb020e56594d387dbd2cd71a0496f00b671ba519ca84b7a3a7598b.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1316-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3a34abdd8486611c2b5b75e731659218
SHA1 17646419164b1b0a0c84b53dca714ea75be3b546
SHA256 78c50b771ab47e8cda508ba9615b8ba500df4663184310c2ded091130d9845aa
SHA512 a405c4cbab505865f337110858ce4f07cbfca16de648b580612ea273efea3b6949c36463ebde0d2efea6239a42e9964db88fc9ef93b097dcda20788a67b5ffd0

memory/1316-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/952-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/952-7-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3464-12-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 3c4ca7960d722b4066e1975dea332d4c
SHA1 f6f69450769621352e16a9335eff97bbb9f7dbe5
SHA256 3817d16cab40f69efd3f64bc44b6afc2433aed2586b83f548418590ef5235fd3
SHA512 307437b943fe8d0eac3233185fb21608ed1be1c616517062565461d0c4c29f233d792b8d12dd03f5d8a178eae9d5ed4588beb85efd9a962a8851aad9a08e5591

memory/952-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3464-14-0x0000000000400000-0x000000000043E000-memory.dmp