Malware Analysis Report

2024-11-16 12:58

Sample ID: 240817-b9srcatepr
Target: 8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548
SHA256: 8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548
Tags: upx neconyd discovery trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548

Threat Level: Known bad

The file 8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548 was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 01:51

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 01:51

Reported

2024-08-17 01:53

Platform

win7-20240705-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (12 identical rows; no further details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical events)
PID 2080 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe (4 identical events)
PID 3024 wrote to memory of 1484 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe

"C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2700-1-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6f8e7c9deadd900e11ca84f973365491
SHA1 074fa5bd97fe995305e91946bcd92d4e676c78dc
SHA256 4d7b794a97e04f7e15b8ce1fb43cfa23b22c1211f18779af075d9de513f18dd0
SHA512 ea263fe4d6aee3ac9a7eb948a4c2c8618dad795bfd5c426466a49edc84ad4c8aa85de70a534ee07c9f25c5a1ea997991bd56509e8ebd5c018cc195a2533dc517

memory/2080-10-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2700-8-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2080-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2080-18-0x00000000002F0000-0x000000000032E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 678ec6d31ce74f328aba2c9fa6ee5dee
SHA1 1777f2fab49d80a381ef637e2db1ff5b77a08c61
SHA256 698d4c0db82173c6f8ee46c63fa7d84b49b39cc870ec368cc1428ae8ad2f8cb8
SHA512 292ef559b36155ea2caac9cf23269d1e177370369bb2312352baa76e5e0d2480980aae4ffd4ea6f985fda85cee04dcb62de662662d5534e3400a3e1c3d99822e

memory/2080-23-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3990e0beaf195f66027d63de4a43a194
SHA1 71f5d0df7f461d4b51953e3d62ad67c496151033
SHA256 0d5e08c2f767c340310484b77a0d40131f05340e6b207d85bc02adeb1b2ea824
SHA512 5bf881c7dd90d7c15f6f7a64d40d77313072f6b85be127d671dfe32217dea336c190d5385e7d138b5a36cecb1d8685c2fe1b173ce1126fd0ba3d7358d3d93a13

memory/3024-28-0x00000000003A0000-0x00000000003DE000-memory.dmp

memory/3024-34-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1484-37-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 01:51

Reported

2024-08-17 01:53

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows; no further details recorded)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe

"C:\Users\Admin\AppData\Local\Temp\8c07c9393729e2d1edd477c09e67ab3d5efba93898f5a32b8ecc936526575548.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2772-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6f8e7c9deadd900e11ca84f973365491
SHA1 074fa5bd97fe995305e91946bcd92d4e676c78dc
SHA256 4d7b794a97e04f7e15b8ce1fb43cfa23b22c1211f18779af075d9de513f18dd0
SHA512 ea263fe4d6aee3ac9a7eb948a4c2c8618dad795bfd5c426466a49edc84ad4c8aa85de70a534ee07c9f25c5a1ea997991bd56509e8ebd5c018cc195a2533dc517

memory/2772-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1644-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1644-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 b1ef11fed0240b19f8e4070257b7a2c1
SHA1 8545155b6617baf989baaf3e378836732a8ac965
SHA256 4ee174b8ec0e1b06373090d5d546acf7ce02296994126e03fed499e7f3ce84ae
SHA512 b5ed5a4d23cd693b2929fa0e1def849f6095eed32d931b8d32c09fdba644b734a1662d71af940a0b1193ede7af145ff9538374b665718f9fe422af104c2df159

memory/1644-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/524-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/524-14-0x0000000000400000-0x000000000043E000-memory.dmp