Malware Analysis Report

2024-11-16 12:59

Sample ID 240817-jwqntsvgpg
Target 4cf77acf584456cd3550a67a874ac480N.exe
SHA256 8824e5c9aa6d37005f09dab1455e3c05ec690750d0d49a911fee56bceb7fbcbc
Tags
upx neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

8824e5c9aa6d37005f09dab1455e3c05ec690750d0d49a911fee56bceb7fbcbc

Threat Level: Known bad

The file 4cf77acf584456cd3550a67a874ac480N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family
Neconyd
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory

Analyst notes (drawn from the detonation data below)

The sample writes a copy of itself to C:\Users\Admin\AppData\Roaming\omsecor.exe and runs it; that copy creates and runs C:\Windows\SysWOW64\omsecor.exe, and in behavioral1 a further Roaming copy with a different hash is dropped and run while the SysWOW64 copy is the parent. Each parent calls WriteProcessMemory on the child it launches. Both omsecor.exe copies run under SysWOW64, so the sample is a 32-bit PE executed through WOW64 on 64-bit Windows.

The dropped-file hashes are not stable indicators. The first Roaming copy has the same SHA256 (106cfb98...) in both detonations, but the SysWOW64 copy differs between runs (fa584ba5... on win7, 563ea94b... on win10) and the second Roaming copy in behavioral1 (99d92042...) differs again; full hashes are in the Files sections. Hunt on the paths (omsecor.exe in %APPDATA% and in SysWOW64, plus C:\Windows\SysWOW64\merocz.xc6 in behavioral2), on the parent/child chain, and on the three hosts contacted over plain HTTP on port 80: lousta.net (193.166.255.171), mkkuei4kdsz.com (64.225.91.73) and ow5dirasuek.com (52.34.198.229).

MITRE ATT&CK

Enterprise Matrix V15

Discovery: T1614.001 System Location Discovery: System Language Discovery (the \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reads recorded under Signatures in behavioral1 and behavioral2)

Analysis: static1

Detonation Overview

Reported

2024-08-17 08:01

Signatures

Neconyd family (neconyd)

UPX packed file (upx)
1 match; no description, indicator, process or target recorded.

Unsigned PE
2 matches; no description, indicator, process or target recorded.
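The two static signatures above, UPX packed file and Unsigned PE, can be reproduced without a sandbox. The Python below is an added example written for this page; it is not sandbox code and not taken from the sample. It reads the PE section table with struct only, applies the usual UPX heuristics (UPX0/UPX1 section names, or a first section with VirtualSize > 0 and SizeOfRawData == 0, the unpack destination), and reports whether the optional header carries a Security directory entry. The PE bytes it runs on are header-only images constructed inside the script, not the sample; build_pe, looks_upx_packed, has_authenticode_entry and static_tags are names chosen here. Caveat: packers can rename sections, and a populated Security directory only means a signature blob exists, not that the chain verifies.

```python
import struct
from typing import List, Tuple

COFF_HDR = 20        # sizeof(IMAGE_FILE_HEADER)
SECTION_HDR = 40     # sizeof(IMAGE_SECTION_HEADER)
DIR_SECURITY = 4     # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)


def _pe_offsets(pe: bytes) -> Tuple[int, int]:
    """Return (COFF header offset, optional header offset) after checking MZ/PE magic."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    return coff, coff + COFF_HDR


def parse_sections(pe: bytes) -> List[Tuple[str, int, int]]:
    """[(name, VirtualSize, SizeOfRawData), ...] read straight from the section table."""
    coff, opt = _pe_offsets(pe)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HDR
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _va, rawsize = struct.unpack_from("<III", pe, off + 8)
        sections.append((name, vsize, rawsize))
    return sections


def looks_upx_packed(pe: bytes) -> bool:
    """UPX heuristics: UPX0/UPX1 names, or a first section empty on disk but large in memory."""
    sections = parse_sections(pe)
    if any(name in ("UPX0", "UPX1") for name, _, _ in sections):
        return True
    return bool(sections) and sections[0][1] > 0 and sections[0][2] == 0


def has_authenticode_entry(pe: bytes) -> bool:
    """True when the Security data directory is populated (blob present; not validated here)."""
    _coff, opt = _pe_offsets(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (0x60 if magic == 0x10B else 0x70)   # data directories: PE32 vs PE32+
    rva, size = struct.unpack_from("<II", pe, dirs + DIR_SECURITY * 8)
    return rva != 0 and size != 0


def static_tags(pe: bytes) -> List[str]:
    """Tags in the same spirit as the report's static signatures."""
    tags = []
    if looks_upx_packed(pe):
        tags.append("upx")
    if not has_authenticode_entry(pe):
        tags.append("unsigned-pe")
    return tags


def build_pe(sections, security=(0, 0)) -> bytes:
    """Construct a header-only PE32 for testing (not loadable, and not the sample)."""
    opt = bytearray(0x60 + 16 * 8)                       # standard 224-byte PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic = PE32
    struct.pack_into("<I", opt, 0x5C, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + DIR_SECURITY * 8, *security)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000 * (i + 1), rawsize, 0, 0, 0, 0, 0, 0)
        for i, (name, vsize, rawsize) in enumerate(sections)
    )
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed inputs: a UPX layout, a packed layout with renamed sections, and a signed plain layout.
UPX_SAMPLE = build_pe([("UPX0", 0x1F000, 0), ("UPX1", 0xD000, 0xC800), (".rsrc", 0x1000, 0x400)])
RENAMED_SAMPLE = build_pe([(".text", 0x1F000, 0), (".data", 0xD000, 0xC800)])
SIGNED_SAMPLE = build_pe([(".text", 0x2000, 0x2000), (".data", 0x800, 0x200)], security=(0x3000, 0x1800))

if __name__ == "__main__":
    for label, blob in (("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("signed", SIGNED_SAMPLE)):
        print(label, parse_sections(blob), static_tags(blob))
```

To run it on a real file, replace the constructed blobs with `open(path, "rb").read()`; the first 4 KiB is enough for the section table of any ordinary PE.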

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 08:01

Reported

2024-08-17 08:03

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe"

Signatures

Neconyd (trojan neconyd)

Executes dropped EXE

Process (no description, indicator or target recorded)
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

UPX packed file (upx)
15 matches; no description, indicator, process or target recorded.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Process Target Writes
PID 1504 wrote to memory of 2460 C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 2460 wrote to memory of 1988 C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 4
PID 1988 wrote to memory of 2416 C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4

The sandbox recorded four identical WriteProcessMemory rows per pair (no indicator field on any of them); they are collapsed above into a write count. The writes form the chain 1504 -> 2460 -> 1988 -> 2416, each parent writing into the child it has just started.
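As an added example that is not part of the report, the Python below rebuilds the parent/child chain from the WriteProcessMemory rows above, collapses the repeated rows per pair into a count, and flags writes where either image runs from a user-writable directory. The rows are the behavioral1 rows reassembled as a string (they are identical within each group); parse_writes, process_chain, pid_images and flag_user_writable are names chosen for this example, and the user-writable path list is an assumption to tune per environment.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Write(NamedTuple):
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# The behavioral1 table, rebuilt as text: four identical rows per writer/target pair.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"
ROWS = "\n".join(
    [f"PID 1504 wrote to memory of 2460 N/A {SAMPLE} {ROAMING}"] * 4
    + [f"PID 2460 wrote to memory of 1988 N/A {ROAMING} {SYSWOW}"] * 4
    + [f"PID 1988 wrote to memory of 2416 N/A {SYSWOW} {ROAMING}"] * 4
)

# Assumed list of user-writable locations a signed OS binary would not normally run from.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def parse_writes(text: str) -> List[Write]:
    """One Write per table row; lines that do not match the row format are ignored."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out.append(Write(int(m[1]), int(m[2]), m[3], m[4]))
    return out


def write_counts(writes: List[Write]) -> Dict[Tuple[int, int], int]:
    """(writer PID, target PID) -> number of WriteProcessMemory rows."""
    return dict(Counter((w.src_pid, w.dst_pid) for w in writes))


def pid_images(writes: List[Write]) -> Dict[int, str]:
    """PID -> image path, taken from whichever column the PID appears in."""
    images: Dict[int, str] = {}
    for w in writes:
        images[w.src_pid] = w.src_image
        images[w.dst_pid] = w.dst_image
    return images


def process_chain(writes: List[Write], root: int) -> List[int]:
    """Follow writer -> target edges from root while each process has exactly one target."""
    children: Dict[int, List[int]] = {}
    for w in writes:
        kids = children.setdefault(w.src_pid, [])
        if w.dst_pid not in kids:
            kids.append(w.dst_pid)
    chain, cur, seen = [root], root, {root}
    while len(children.get(cur, [])) == 1 and children[cur][0] not in seen:
        cur = children[cur][0]
        chain.append(cur)
        seen.add(cur)
    return chain


def flag_user_writable(writes: List[Write]) -> List[Write]:
    """Distinct edges where the writing or the target image runs from a user-writable directory."""
    flagged: List[Write] = []
    for w in writes:
        if w in flagged:
            continue
        paths = (w.src_image.lower(), w.dst_image.lower())
        if any(marker in path for marker in USER_WRITABLE for path in paths):
            flagged.append(w)
    return flagged


if __name__ == "__main__":
    writes = parse_writes(ROWS)
    images = pid_images(writes)
    for depth, pid in enumerate(process_chain(writes, 1504)):
        print("  " * depth + f"PID {pid}  {images[pid]}")
    for (src, dst), n in write_counts(writes).items():
        print(f"{src} -> {dst}: {n} writes")
```

On a live host the same rule applies to Sysmon event ID 10 (ProcessAccess) or EDR memory-write telemetry: a parent writing into a child it just spawned from %APPDATA% is the pattern to alert on, regardless of the file hash.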

Processes

PID 1504  C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe
          "C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe"
  PID 2460  C:\Users\Admin\AppData\Roaming\omsecor.exe
            C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID 1988  C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\System32\omsecor.exe
      PID 2416  C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe

Each entry shows the image path followed by its command line; PIDs and parent/child links are taken from the WriteProcessMemory rows above. The third process is a 32-bit image running under WOW64: its command line names System32, and the file-system redirector maps that to SysWOW64, where the file was actually created.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

Dropped files

C:\Users\Admin\AppData\Roaming\omsecor.exe (first copy)
MD5 e42f9e1e9ff4b9376f8e885535faeadf
SHA1 c0e508f2bc1f6653bd7e7bbd7b336c9c3bc811b8
SHA256 106cfb986f4f128d2111e93a5b036690140db107b7e3628717f545367fd74e07
SHA512 b564d1e36b5c9f46ca037d5299a8fea155e168d9587344b197ebbd837fd4543fc6fef9819fcf12c022275f126c631df462b9ba3a21e5f1fab7c82df56236612c

C:\Windows\SysWOW64\omsecor.exe (created by PID 2460, see Drops file in System32 directory)
MD5 96f5bc3d4ac2a89e92bbed598deef04f
SHA1 a46c68d2d9c43576105c9a0e1d19bd698a1d785c
SHA256 fa584ba5a4dd11068d2c611b175ed3a90c09ed953bd9ad9871764a9a3111ace0
SHA512 4075ba7d130e522625315a36965c4847c1b73ff73735fef3d4ae92509993d5ab882b5e0c2aa54a49ece99b130f6907d1e11a4a626dcc2e743a2ea6be7e3d3c9e

C:\Users\Admin\AppData\Roaming\omsecor.exe (second copy, a different binary at the same path)
MD5 09046f66ea3cc742375d41254a7c0016
SHA1 f69eec58e732cf7a573d5188b65548b7de2c7b0a
SHA256 99d920424e50fdc446e09956bde005ba9dba2e7ffeccadae249c0bc22c249be9
SHA512 f4941c7cfeb859687f46c579421e9ff14e3c88a5cc5e5da2a88f0d78c85850f29e1be131998088878a510c4a13e421e910ad41f0e0101b6d5beb2a4f6c26a862

Memory regions dumped (each 0x2D000 bytes, the size of the PE image mapped at 0x00400000)

PID 1504: 0x00400000-0x0042D000 (dumps 0, 9)
PID 2460: 0x00400000-0x0042D000 (dumps 11, 13, 17, 20, 23, 33); 0x00280000-0x002AD000 (dump 27)
PID 1988: 0x00400000-0x0042D000 (dump 37); 0x002A0000-0x002CD000 (dumps 44, 46)
PID 2416: 0x00400000-0x0042D000 (dump 49)

The regions at 0x00280000 (PID 2460) and 0x002A0000 (PID 1988) lie outside the mapped image but have exactly the image's size, consistent with a copy of the PE staged in memory by the two processes that perform WriteProcessMemory on a child; the report does not record their contents.

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 08:01

Reported

2024-08-17 08:03

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe"

Signatures

Neconyd (trojan neconyd)

Executes dropped EXE

Process (no description, indicator or target recorded)
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe

UPX packed file (upx)
12 matches; no description, indicator, process or target recorded.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

PID 4380  C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe
          "C:\Users\Admin\AppData\Local\Temp\4cf77acf584456cd3550a67a874ac480N.exe"
  PID 3964  C:\Users\Admin\AppData\Roaming\omsecor.exe
            C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID 2696  C:\Windows\SysWOW64\omsecor.exe
              C:\Windows\System32\omsecor.exe

Each entry shows the image path followed by its command line. PIDs come from the memory-region names in Files below; behavioral2 records no WriteProcessMemory rows, so the nesting follows the order in which the sandbox lists the processes, which matches the chain seen in behavioral1. No third Roaming copy starts on win10 within the 114 s run.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Triage note: the 8.8.8.8:53 rows are queries through the sandbox resolver, not contacts with sample infrastructure. The *.in-addr.arpa rows are reverse (PTR) lookups of addresses the VM touched, among them the two C2 addresses (73.91.225.64.in-addr.arpa is 64.225.91.73, 229.198.34.52.in-addr.arpa is 52.34.198.229) and the Bing address 150.171.27.10; tse1.mm.bing.net over 443 is ordinary Windows 10 background traffic. The sample's own contacts are the same three hosts as in behavioral1: lousta.net (193.166.255.171:80, four connections), mkkuei4kdsz.com (64.225.91.73:80) and ow5dirasuek.com (52.34.198.229:80).
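The behavioral1 and behavioral2 network tables mix sample traffic with resolver and platform noise. The Python below, an added example that is not part of the report, separates the two: it drops reverse-lookup (.in-addr.arpa) rows and an assumed allowlist of Windows background hosts, treats rows to 8.8.8.8:53 as resolver queries rather than contacts, counts real connections per domain, and lists which reverse lookups correspond to the sample's own C2 addresses. It runs on an excerpt of the behavioral2 rows embedded in the script; the allowlist and the function names (parse_rows, extract_iocs, connection_counts, ptr_hits) are this example's choices.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Set

SANDBOX_RESOLVER = "8.8.8.8"
# Assumed allowlist of Windows background hosts; extend per sandbox image.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")

# Excerpt of the behavioral2 rows from this report, same column order as the table.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
"""


class Row(NamedTuple):
    country: str
    dest: str
    domain: str
    proto: str


def parse_rows(table: str) -> List[Row]:
    """One Row per data line; the header line and malformed lines are skipped."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] != "Country":
            rows.append(Row(*parts))
    return rows


def dest_ip(dest: str) -> str:
    return dest.rsplit(":", 1)[0]


def ptr_target(domain: str) -> str:
    """'73.91.225.64.in-addr.arpa' -> '64.225.91.73'."""
    return ".".join(reversed(domain[: -len(".in-addr.arpa")].split(".")))


def is_background(domain: str) -> bool:
    return domain.endswith(".in-addr.arpa") or domain.endswith(BACKGROUND_SUFFIXES)


def extract_iocs(rows: List[Row]) -> Dict[str, Set[str]]:
    """Domain -> endpoints actually connected to; resolver rows only register the domain."""
    iocs: Dict[str, Set[str]] = {}
    for r in rows:
        if is_background(r.domain):
            continue
        endpoints = iocs.setdefault(r.domain, set())
        if dest_ip(r.dest) != SANDBOX_RESOLVER:
            endpoints.add(r.dest)
    return iocs


def connection_counts(rows: List[Row], iocs: Dict[str, Set[str]]) -> Dict[str, int]:
    """Number of non-DNS rows per sample domain (repeat beacons show up here)."""
    return dict(Counter(r.domain for r in rows
                        if r.domain in iocs and dest_ip(r.dest) != SANDBOX_RESOLVER))


def ptr_hits(rows: List[Row], iocs: Dict[str, Set[str]]) -> List[str]:
    """C2 addresses that also appear as reverse lookups, in first-seen order."""
    c2 = {dest_ip(ep) for endpoints in iocs.values() for ep in endpoints}
    hits: List[str] = []
    for r in rows:
        if r.domain.endswith(".in-addr.arpa"):
            ip = ptr_target(r.domain)
            if ip in c2 and ip not in hits:
                hits.append(ip)
    return hits


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    iocs = extract_iocs(rows)
    for domain, endpoints in iocs.items():
        print(domain, sorted(endpoints), connection_counts(rows, iocs).get(domain, 0))
    print("PTR lookups of C2 addresses:", ptr_hits(rows, iocs))
```

A domain that ends up in the result with an empty endpoint set was queried but never connected to (a failed resolution or a sinkholed name); in this excerpt all three sample domains resolved and were contacted.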

Files

Dropped files

C:\Users\Admin\AppData\Roaming\omsecor.exe (same binary as the first Roaming copy in behavioral1)
MD5 e42f9e1e9ff4b9376f8e885535faeadf
SHA1 c0e508f2bc1f6653bd7e7bbd7b336c9c3bc811b8
SHA256 106cfb986f4f128d2111e93a5b036690140db107b7e3628717f545367fd74e07
SHA512 b564d1e36b5c9f46ca037d5299a8fea155e168d9587344b197ebbd837fd4543fc6fef9819fcf12c022275f126c631df462b9ba3a21e5f1fab7c82df56236612c

C:\Windows\SysWOW64\omsecor.exe (a different binary from the SysWOW64 copy in behavioral1)
MD5 7c7f104e56ca4ffe8c28c16d16bb546b
SHA1 914f7e78bb54dc3d01d4f3b781704ca13c642712
SHA256 563ea94babed33717d8e4457be108ef5562ab28d07750c28e60951a02726c8bc
SHA512 f4ea7032db0b3008caf058063f7d7875b43d823baf626d619dbc5bf0340d2759da37a0eef8eb1c81645bd3107f4cf3965b17901370048af7356cce3a7753b167

Memory regions dumped (each 0x2D000 bytes, the size of the PE image mapped at 0x00400000)

PID 4380: 0x00400000-0x0042D000 (dumps 0, 5)
PID 3964: 0x00400000-0x0042D000 (dumps 6, 8, 11, 14, 15, 19)
PID 2696: 0x00400000-0x0042D000 (dumps 21, 22)