Malware Analysis Report

2024-11-16 12:59

Sample ID 240817-fbr5da1bnn
Target b18e6c53480f6ba4d9b5abf737cf1b80N.exe
SHA256 76036422f9f5b756afea657bf47145b8c9066c9cea2702aad71dea8438427060
Tags: upx neconyd discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 76036422f9f5b756afea657bf47145b8c9066c9cea2702aad71dea8438427060

Threat Level: Known bad

The file b18e6c53480f6ba4d9b5abf737cf1b80N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 04:42

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 04:42

Reported

2024-08-17 04:44

Platform

win7-20240705-en

Max time kernel

115s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2504 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2504 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2504 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2504 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2524 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2524 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2524 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2524 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2668 wrote to memory of 352 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2668 wrote to memory of 352 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2668 wrote to memory of 352 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2668 wrote to memory of 352 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe

"C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2504-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e1e6e6524ab0872df56a8f554dd93f65
SHA1 37c8a81e258b30001cfde773f567d2f97a1da1c3
SHA256 34f483c66e6f2f18b32642f5a17689bde221f091ef7e9721cb8114e741fd2544
SHA512 3af36f59f4d9299816d35e16039da66e7cbaf0060390b2273f17f263cc19236da6396a2bca343fbda82f9e79502f11dac0bae6f90c202505d7eb4b2c6ce3dcfe

memory/2524-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2504-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2524-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2524-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2524-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2524-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 fd57fca63d7ac28b2f05ece372c0d2ae
SHA1 95409672d14149ca746bb2d211e315d15f5611e5
SHA256 1556c52ab948ddd8a2564db6d52ab198a21c716243a1065b3bc8bbff7e7c8ee6
SHA512 815c94871b2a39fc789fe2e5168847711169627dbd92137372921e7265c945053573a85be37399c5cf54307f478783010964bbf962928565ef056f866649517f

memory/2524-30-0x0000000000380000-0x00000000003AD000-memory.dmp

memory/2524-34-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2668-38-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2524-33-0x0000000000380000-0x00000000003AD000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 684eba0ffb6421fd24e7916d61080b74
SHA1 3134d4e6a0960f280fd27c884bb8c4807db7a03f
SHA256 a75080c952e307ea0338c843ae06827638d4afc2df995eaf8501b4e6cd0c0ac8
SHA512 e61c048b864fbb1c26f0b3336479c0e98be6637425a77b972a16449e22ecc264bd6ac0cd9e95b9212a7a5f190c97966da62aada3ca40fdda40d6561a98d6dc16

memory/352-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/352-49-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 04:42

Reported

2024-08-17 04:44

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe

"C:\Users\Admin\AppData\Local\Temp\b18e6c53480f6ba4d9b5abf737cf1b80N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3880,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/4820-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e1e6e6524ab0872df56a8f554dd93f65
SHA1 37c8a81e258b30001cfde773f567d2f97a1da1c3
SHA256 34f483c66e6f2f18b32642f5a17689bde221f091ef7e9721cb8114e741fd2544
SHA512 3af36f59f4d9299816d35e16039da66e7cbaf0060390b2273f17f263cc19236da6396a2bca343fbda82f9e79502f11dac0bae6f90c202505d7eb4b2c6ce3dcfe

memory/4548-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4820-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4548-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4548-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4548-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4548-14-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 4ca9edbbcf5ac6b108e60ec59a27dd22
SHA1 02fcde65c1bc286ee24cc7d0dccb8fb053f1e19f
SHA256 b410f257261279811bd7173bcd381616497c233d41760f2fe0dd247d7ba9fd05
SHA512 5cb979c54b9897b30818c92c0da850226d2b268a703dbb72175a90f3ac3ddb222b8c0a8f901f18144cc0d23aede5a54d0068f20c94a002f0b61ec314a06b7c29

memory/3920-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4548-20-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c6c7f659e6f44058728325249cd13f40
SHA1 015fc0bd311c1df4209ed68e4ecca8e30f8e9d64
SHA256 36ffdb3af2b2c89925b5d8f5da4e1d5d5ba9f01b20c37e32db41d3ecbcca6730
SHA512 b858fce1f76a98612240ae9d3938c71d560a366a6cc8030b5357e212b43e8c116cc8ae570587b7587acfb7df8ba4193ca9ec57ab0036e20de974901bc9919674

memory/3868-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3920-26-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3868-29-0x0000000000400000-0x000000000042D000-memory.dmp