Malware Analysis Report

2024-11-16 12:59

Sample ID: 240817-1sqyvsygpg
Target: 4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12
SHA256: 4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12
Tags: upx neconyd discovery trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12

Threat Level: Known bad

The file 4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12 was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd

Neconyd family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 21:55

Signatures

Neconyd family

neconyd

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 21:55

Reported

2024-08-17 21:57

Platform

win7-20240708-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1064 wrote to memory of 464 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 464 wrote to memory of 1944 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe

"C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2308-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5246311195eaa78de8b60ffec74d4099
SHA1 535ff70d664c6da43e8969c2dc8fbeecebb01a8a
SHA256 a5fdef73816f85147e001ef83098a90ab772d19b8039ce5ad4db7222b059937d
SHA512 21250c466d355990352475c2ede703c8abec65b5bd4e30792307c503b13bb65a5ea61d1d1cd762f9f8582940af4884f0db89a436a97a3e1ad52bfee336372d70

memory/2308-9-0x0000000000220000-0x000000000025E000-memory.dmp

memory/1064-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2308-8-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1064-13-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 5305310ee399e78a545eb60f428c3dd6
SHA1 510e1151776c24b657739f6eb05d5b90831bcb09
SHA256 0ccb53ae680ce8193b0047b0be0af118cc5c93f69dd857453d76b1d041c852c7
SHA512 c20eb32f5463c73024a3f2d3ec9013f62e3019411cbcb6fe2706b81297224b74bf26450bb6064fa2ccba90415f5198bcd67f48e6f3e2ca93914f12e627e74ca0

memory/1064-27-0x0000000000400000-0x000000000043E000-memory.dmp

memory/464-26-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1064-24-0x0000000001F50000-0x0000000001F8E000-memory.dmp

memory/1064-19-0x0000000001F50000-0x0000000001F8E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dfde9195d33a3ede6f3b575bf70a9328
SHA1 fad0571404eb6085cb46bc865bc70e02f91193ac
SHA256 67d6e4bf83e9ea6ac9fbd3d5295729841370d7821c0ba4fe6ce21739ee6a183b
SHA512 00a58495349c82767a9b6096c25d35c8c793aa6f1bc7079cd49e62aa6e05755bb52c15b6c6be57d921a2308f6806ac45df4b0e466b16749b2fdcc48e4b3688af

memory/464-32-0x0000000001B60000-0x0000000001B9E000-memory.dmp

memory/464-39-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1944-40-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 21:55

Reported

2024-08-17 21:57

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe

"C:\Users\Admin\AppData\Local\Temp\4d1b73c5bae9b94f12cad480525b6e373828f62eabffaae296758ebed2ab5f12.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 34.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 22.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2224-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5246311195eaa78de8b60ffec74d4099
SHA1 535ff70d664c6da43e8969c2dc8fbeecebb01a8a
SHA256 a5fdef73816f85147e001ef83098a90ab772d19b8039ce5ad4db7222b059937d
SHA512 21250c466d355990352475c2ede703c8abec65b5bd4e30792307c503b13bb65a5ea61d1d1cd762f9f8582940af4884f0db89a436a97a3e1ad52bfee336372d70

memory/2848-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2224-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2848-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 5a1c505f12ae3b6064f5ceee2508d641
SHA1 12ec9cf8830fd0ca465f77c8f6e38a41068e0842
SHA256 575cdcf80742b143adb2fafdda1b035c5de0185a93fa4fb6d15dabe5ea0d446e
SHA512 f2be9219b6133fa201c163e82062f4bc3bcd0e5ab79eec8162975c4d911c72c9394cddffb9c078e9843283dabcef6a131bc42fb1af80cdeae0dfefc3bf66ac18

memory/1952-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2848-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1952-14-0x0000000000400000-0x000000000043E000-memory.dmp