Malware Analysis Report

2024-11-16 12:58

Sample ID: 240817-fcq9gaxgma
Target: a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe
SHA256: b52bb4ee064ab8113feed2474060b6a6af169a80cd7f318d0e36d822ce9a19b4
Tags: upx, neconyd, discovery, trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: b52bb4ee064ab8113feed2474060b6a6af169a80cd7f318d0e36d822ce9a19b4
Threat Level: Known bad

The file a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe was found to be: Known bad. In both detonations the UPX-packed, unsigned 32-bit sample drops omsecor.exe into C:\Users\Admin\AppData\Roaming and runs it; that copy drops a second omsecor.exe into C:\Windows\SysWOW64 and runs it, and the SysWOW64 copy in turn starts a further copy from the Roaming directory. Each stage writes into the memory of the next (see Suspicious use of WriteProcessMemory under behavioral1), every stage reads the system language key, and the chain resolves and contacts lousta.net, mkkuei4kdsz.com and ow5dirasuek.com on TCP port 80. The first Roaming drop has the same SHA256 (6417cbc82d970424eea8b85c0edacc750f07fddc69ab478425418ddd52711c51) in both runs, while the SysWOW64 copy and the final Roaming copy differ between runs, so the paths, domains and hand-off pattern are more durable indicators than the later-stage file hashes.

Malicious Activity Summary

Tags: upx, neconyd, discovery, trojan

Neconyd family
Neconyd
Executes dropped EXE
UPX packed file
Loads dropped DLL (listed here, but neither behavioral section below records a matching event)
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix v15. The only signature carrying a technique mapping is System Location Discovery: System Language Discovery (T1614.001), raised because every stage opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language; see the behavioral sections for the processes involved.

Analysis: static1

Detonation Overview

Reported: 2024-08-17 04:43

Signatures

Neconyd family (neconyd)

UPX packed file (upx)
No indicator details recorded (Description, Indicator, Process and Target are all N/A). The file on disk holds only the UPX stub and compressed payload; a memory dump taken after the stub has run (the memory/ entries under Files in the behavioral sections, all mapped at 0x400000-0x43E000) is where the unpacked code can be recovered.

Unsigned PE
No indicator details recorded. The file carries no Authenticode signature, so there is no publisher identity to check; on its own that is weak evidence, since much legitimate software is unsigned, but combined with the packer flag and the behaviour below it supports the verdict.
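Both static signatures can be reproduced from the PE headers alone. The following is an added example and not part of this report or of the sample: it parses the section table and the security data directory with the Python standard library, and exercises itself on a constructed, header-only PE32 image whose section layout, sizes and fake signature entry are assumptions, not values taken from this sample.

```python
"""Header-level triage for the 'UPX packed file' and 'Unsigned PE' signatures:
list section names, flag default UPX section names and a hollow first section,
and check whether the Authenticode (security) data directory is populated.
Standard library only; pass it the raw bytes of a file."""
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # default names; a patched UPX stub may rename them
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}


def parse_pe(data: bytes) -> dict:
    """Parse e_lfanew, the COFF header, the optional-header fields needed here, and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes and the data directories sit at different offsets in PE32 and PE32+.
    if magic == 0x10B:
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    # IMAGE_DIRECTORY_ENTRY_SECURITY (index 4) locates the Authenticode blob; size 0 means unsigned.
    sec_size = 0
    if nrva > 4:
        _sec_off, sec_size = struct.unpack_from("<II", data, opt + dd_off + 4 * 8)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "security_dir_size": sec_size, "sections": sections}


def triage(data: bytes) -> dict:
    """Static verdicts of the kind the static1 section summarises."""
    info = parse_pe(data)
    names = [s["name"] for s in info["sections"]]
    first = info["sections"][0] if info["sections"] else None
    return {
        "arch": MACHINE_NAMES.get(info["machine"], hex(info["machine"])),
        "sections": names,
        "upx_section_names": bool(set(names) & UPX_SECTION_NAMES),
        # UPX0 reserves the unpacked image's virtual range but occupies no bytes on disk.
        "hollow_first_section": first is not None and first["rawsize"] == 0 and first["vsize"] > 0,
        "unsigned": info["security_dir_size"] == 0,
    }


def build_synthetic_pe(section_names, signed=False, hollow_first=False) -> bytes:
    """Constructed test input: a header-only PE32 image (assumed layout, no code, not derived from the sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # PE32: 96 fixed bytes + 16 data directories of 8 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase, same base as the report's memory dumps
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x2000, 0x800)  # pretend a signature blob exists
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(section_names)
    table, va = b"", 0x1000
    for i, name in enumerate(section_names):
        rawsize = 0 if (hollow_first and i == 0) else 0x200
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x3000, va, rawsize,
                             headers_len if rawsize else 0, 0, 0, 0, 0, 0xE0000060)
        va += 0x3000
    return dos + b"PE\0\0" + coff + bytes(opt) + table + b"\0" * 0x200


if __name__ == "__main__":
    print(triage(build_synthetic_pe([b"UPX0", b"UPX1", b".rsrc"], hollow_first=True)))
```

Run it against a real file with `triage(open(path, "rb").read())`. A populated security directory only says a signature blob is present; verifying it (chain, timestamp, revocation) needs a proper Authenticode verifier, and the UPX name check is a hint rather than proof, since the names can be edited without breaking the stub.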

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-17 04:43
Reported: 2024-08-17 04:46
Platform: win7-20240704-en
Max time kernel: 114s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe"

Signatures

Neconyd (trojan, neconyd)

Executes dropped EXE
Processes started from dropped files (Description, Indicator and Target not recorded):
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

UPX packed file (upx)
12 matches; no Description, Indicator, Process or Target details recorded.

Drops file in System32 directory
File created: C:\Windows\SysWOW64\omsecor.exe, by C:\Users\Admin\AppData\Roaming\omsecor.exe (Target N/A).
The file lands in SysWOW64 rather than System32: when a 32-bit process on 64-bit Windows writes to C:\Windows\System32, WoW64 file system redirection sends it to C:\Windows\SysWOW64. The same redirection explains why the process list shows C:\Windows\System32\omsecor.exe as the command line of the process whose image is C:\Windows\SysWOW64\omsecor.exe. Hunt for both paths.

System Location Discovery: System Language Discovery (discovery)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of (Target N/A):
C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

Suspicious use of WriteProcessMemory
Each write was recorded four times; one line per distinct event (Indicator N/A):
PID 2704 (C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe) wrote to memory of PID 2780 (C:\Users\Admin\AppData\Roaming\omsecor.exe), 4 events
PID 2780 (C:\Users\Admin\AppData\Roaming\omsecor.exe) wrote to memory of PID 1244 (C:\Windows\SysWOW64\omsecor.exe), 4 events
PID 1244 (C:\Windows\SysWOW64\omsecor.exe) wrote to memory of PID 1544 (C:\Users\Admin\AppData\Roaming\omsecor.exe), 4 events

Processes

PIDs are taken from the WriteProcessMemory events above; each entry gives the image path followed by its command line.

PID 2704: C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe"

PID 2780: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PID 1244: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe (32-bit process; the System32 path is redirected to SysWOW64 by WoW64)

PID 1544: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe
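Rebuilding the hand-off chain from the signature rows above, as an added example that is not part of this report: the input rows are copied from the behavioral1 WriteProcessMemory and System32-drop tables (including the sandbox's fourfold repetition), the parent/child relation is inferred from who wrote into whom because the report records no process parents, and the location labels and the two heuristics are this example's own.

```python
"""Rebuild the stage hand-off from the 'Suspicious use of WriteProcessMemory'
and 'Drops file in System32 directory' rows and flag the pattern: a stage in a
user-writable directory writes into another process's memory, and the target
runs a file that a stage in the same chain dropped. Rows are constructed from
the behavioral1 tables; the sandbox repeats each write event four times."""
import re

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")

WRITE_ROWS = (
    ["PID 2704 wrote to memory of 2780 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"] * 4
    + ["PID 2780 wrote to memory of 1244 N/A C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe C:\\Windows\\SysWOW64\\omsecor.exe"] * 4
    + ["PID 1244 wrote to memory of 1544 N/A C:\\Windows\\SysWOW64\\omsecor.exe C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"] * 4
)
# (writer image, file created) from the 'Drops file in System32 directory' row.
DROP_ROWS = [("C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe", "C:\\Windows\\SysWOW64\\omsecor.exe")]


def parse_writes(rows):
    """De-duplicate the repeated rows into (src_pid, dst_pid, src_image, dst_image) edges, first-seen order."""
    edges, seen = [], set()
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if m is None:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_chain(edges):
    """Follow src->dst writes from the one PID nobody wrote into. Returns [(pid, image), ...].
    Parent/child is inferred from the write direction; the report records no process parents."""
    by_src = {e[0]: e for e in edges}
    written_into = {e[1] for e in edges}
    roots = [e for e in edges if e[0] not in written_into]
    if len(roots) != 1:
        raise ValueError(f"expected a single root writer, found {len(roots)}")
    pid, image = roots[0][0], roots[0][2]
    chain, visited = [(pid, image)], {pid}
    while pid in by_src:
        _, dst, _, dst_image = by_src[pid]
        if dst in visited:  # a cycle would mean the rows are inconsistent; stop rather than loop
            break
        chain.append((dst, dst_image))
        visited.add(dst)
        pid = dst
    return chain


def stage_dir(image):
    """Coarse location label for an image path (the labels are this example's own)."""
    p = image.lower()
    if "\\appdata\\local\\temp\\" in p:
        return "Temp"
    if "\\appdata\\roaming\\" in p:
        return "Roaming"
    if "\\syswow64\\" in p:
        return "SysWOW64"
    if "\\system32\\" in p:
        return "System32"
    return "Other"


def findings(chain, drops):
    """Two heuristics over consecutive stages: the writer lives in a user-writable directory,
    and the target's image is a file that a stage in this chain dropped."""
    dropped = {path.lower() for _, path in drops}
    out = []
    for (spid, simg), (dpid, dimg) in zip(chain, chain[1:]):
        if any(d in simg.lower() for d in USER_WRITABLE):
            out.append(f"PID {spid} ({stage_dir(simg)}) wrote into PID {dpid} ({stage_dir(dimg)})")
        if dimg.lower() in dropped:
            out.append(f"PID {dpid} runs {dimg}, which a stage in this chain dropped")
    return out


if __name__ == "__main__":
    chain = build_chain(parse_writes(WRITE_ROWS))
    print(" -> ".join(f"{pid}:{stage_dir(img)}" for pid, img in chain))
    for line in findings(chain, DROP_ROWS):
        print(line)
```

The chain comes out as Temp -> Roaming -> SysWOW64 -> Roaming, which is the order the process list shows. The same parsing works on the behavioral2 run once its write events are available; the behavioral2 section here lists only the dropped files and processes, so its PIDs cannot be tied to images from this page.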

Network

Country  Destination          Domain           Proto  Count
US       8.8.8.8:53           lousta.net       udp    1
FI       193.166.255.171:80   lousta.net       tcp    4
US       8.8.8.8:53           mkkuei4kdsz.com  udp    1
US       64.225.91.73:80      mkkuei4kdsz.com  tcp    1
US       8.8.8.8:53           ow5dirasuek.com  udp    1
US       52.34.198.229:80     ow5dirasuek.com  tcp    1

All DNS goes to the sandbox resolver at 8.8.8.8; all command-and-control style traffic is plain HTTP on port 80.

Files

Memory dumps are named memory/<PID>-<sequence>-<start>-<end>-memory.dmp. All four stages map their image at 0x400000-0x43E000; the extra regions dumped from PID 2780 (0x330000-0x36E000) and PID 1244 (0x220000-0x25E000) have the same 0x3E000-byte size as that image mapping.

memory/2704-1-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2704-8-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2780-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2780-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2780-17-0x0000000000330000-0x000000000036E000-memory.dmp
memory/2780-23-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2780-37-0x0000000000330000-0x000000000036E000-memory.dmp
memory/1244-29-0x0000000000220000-0x000000000025E000-memory.dmp
memory/1244-34-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1544-38-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe (first drop; same hashes in behavioral2)
MD5     b8687d7c0e82a564f1bd02cd3b3c1445
SHA1    9b7d6ffc5d674ab9b7a11ea69e7dd1df44f787f3
SHA256  6417cbc82d970424eea8b85c0edacc750f07fddc69ab478425418ddd52711c51
SHA512  9116202eb4de4aa013f5fef567d6df97a610f1d3a6c06cd317f641522ba2d7a91425257f902a892731b3d2829df8a8d4c0af311839cbb863f5e018836864454d

\Windows\SysWOW64\omsecor.exe (dropped by the Roaming copy; different hashes in behavioral2)
MD5     f43b4c857403d2fc5c4948fa6905d751
SHA1    39b5a331e848100b70e861590119c5ec4c33f568
SHA256  3a55976b1a21102c3872fea5cd017cc4f5d274dbbf59e4b59858916699d7c15c
SHA512  b9c42505fbbb1b6d55a37118e8b24ecc8be6dc705507b1af00d03403978c8ccb3a048f88f509caf705bf2198b8c2322e4ab9085261b4dc1aa509d29a9fbf848c

\Users\Admin\AppData\Roaming\omsecor.exe (second write to the same path as the first drop, with a different hash; different hashes again in behavioral2)
MD5     99473d0f396a7891c3a19db9c1fff76c
SHA1    678a2d6779eb05d5709fe9c1724699acca05704b
SHA256  03090b2b333b7b03ed139e931f11a58cba92f7b74c8304192ee775f87b8804c2
SHA512  a727387465f27dd78fe8d91792489fc26122954ae36d0d1a308dbed7de0f9714c39e7a47e0ea3e9e1792e93b7216cbfd827edc770fc1fc53e3dbaa3fc854e335

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-17 04:43
Reported: 2024-08-17 04:46
Platform: win10v2004-20240802-en
Max time kernel: 115s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe"

Signatures

Neconyd (trojan, neconyd)

Executes dropped EXE
Processes started from dropped files (Description, Indicator and Target not recorded):
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

UPX packed file (upx)
12 matches; no Description, Indicator, Process or Target details recorded.

Drops file in System32 directory
File created: C:\Windows\SysWOW64\omsecor.exe, by C:\Users\Admin\AppData\Roaming\omsecor.exe (Target N/A).
As in behavioral1, the write is redirected from System32 to SysWOW64 by WoW64 file system redirection because the dropper is a 32-bit process on 64-bit Windows.

System Location Discovery: System Language Discovery (discovery)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of (Target N/A):
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Each entry gives the image path followed by its command line. This run records no WriteProcessMemory events, so the PIDs seen in the memory dump names below (1624, 2076, 5092, 5064) are not tied to images here.

C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2b4aa0d1af367a4e2eaf80dc8eb5980N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe (32-bit process; the System32 path is redirected to SysWOW64 by WoW64)

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country  Destination          Domain                          Proto  Count
US       8.8.8.8:53           lousta.net                      udp    1
FI       193.166.255.171:80   lousta.net                      tcp    4
US       8.8.8.8:53           mkkuei4kdsz.com                 udp    1
US       64.225.91.73:80      mkkuei4kdsz.com                 tcp    1
US       8.8.8.8:53           ow5dirasuek.com                 udp    1
US       52.34.198.229:80     ow5dirasuek.com                 tcp    1
US       8.8.8.8:53           tse1.mm.bing.net                udp    1
US       150.171.27.10:443    tse1.mm.bing.net                tcp    5
US       8.8.8.8:53           PTR queries (*.in-addr.arpa)    udp    14

PTR names queried (all .in-addr.arpa): 133.211.185.52, 81.144.22.2, 73.31.126.40, 57.169.31.20, 154.239.44.20, 241.150.49.20, 103.169.127.40, 56.126.166.20, 192.142.123.92, 73.144.22.2, 73.91.225.64, 55.36.223.20, 229.198.34.52, 23.236.111.52.

The three domains and their port-80 connections are the same as in the Windows 7 run and are the traffic to attribute to the sample. The tse1.mm.bing.net connections and most of the reverse lookups (Microsoft and CDN address ranges) do not appear in behavioral1 and are consistent with Windows 10 background activity; two of the PTR queries (73.91.225.64 and 229.198.34.52) reverse the mkkuei4kdsz.com and ow5dirasuek.com addresses. Without per-process network attribution, treat the Windows 7 list as the indicator set and the Windows 10 extras as unconfirmed.

Files

Memory dumps are named memory/<PID>-<sequence>-<start>-<end>-memory.dmp. Every dumped region in this run is the 0x400000-0x43E000 image mapping, across four PIDs (1624, 2076, 5092, 5064), matching the four-stage chain seen in behavioral1.

memory/1624-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1624-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2076-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2076-7-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2076-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5092-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5092-17-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5064-18-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5064-20-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe (first drop; same hashes as in behavioral1)
MD5     b8687d7c0e82a564f1bd02cd3b3c1445
SHA1    9b7d6ffc5d674ab9b7a11ea69e7dd1df44f787f3
SHA256  6417cbc82d970424eea8b85c0edacc750f07fddc69ab478425418ddd52711c51
SHA512  9116202eb4de4aa013f5fef567d6df97a610f1d3a6c06cd317f641522ba2d7a91425257f902a892731b3d2829df8a8d4c0af311839cbb863f5e018836864454d

C:\Windows\SysWOW64\omsecor.exe (dropped by the Roaming copy; hashes differ from the behavioral1 copy)
MD5     8d623de1cb8f6175947dfe02cf64be20
SHA1    c509821b167517f09bfd553967fc8d5ad926163e
SHA256  79da132d07b8ffaaa3647f6cee7b9e4d5827edf1fa265ab7540b3693661a0515
SHA512  8f81d3aacaabf67c46ce89716f0f004a9bb5aed78d5f79fc85a2fab2e61db1be1bce4b2db5393f672369bea00d460d0637b9886c4de69c7247ebd95cc286d765

C:\Users\Admin\AppData\Roaming\omsecor.exe (second write to the same path as the first drop, with a different hash; hashes differ from the behavioral1 copy)
MD5     e269ad8f57efcd7b0e50e2bc7f1fff0d
SHA1    6902c1fa01420ab29b55ed5235a1452cff7415e9
SHA256  05cfc5e785ef8483338b24a4887479ab156f4d6d81e0ee20c39b38774e36aeb3
SHA512  f0bab4217be8f56f025d892244ce967dea757c6669b7bba72e218a02ec582d643706b2ae7b3334a58337fcbce1c9017189573252001c1434a6741c147d4daed9

The first-stage drop is byte-identical across both runs, while the SysWOW64 copy and the second Roaming copy are different in each run; block on the stable hash, but rely on the file paths, the domains and the drop-then-write chain for detection of the later stages.