Malware Analysis Report

2024-11-16 12:59

Sample ID 240817-kqhxgaxbqe
Target ea8b76c118c419c26149792ca6b19490N.exe
SHA256 8a95929f6c5466eeb267fe7d5d1eb393cfe383e55eef73a8ad920695a5a7c29f
Tags: upx neconyd discovery trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

8a95929f6c5466eeb267fe7d5d1eb393cfe383e55eef73a8ad920695a5a7c29f

Threat Level: Known bad

The file ea8b76c118c419c26149792ca6b19490N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd

Neconyd family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 08:48

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 08:48

Reported

2024-08-17 08:50

Platform

win7-20240705-en

Max time kernel

116s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe

"C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/2260-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7af01d9c698e7985c1700dd82f184e69
SHA1 08074056d94d56a85eded112e54dd71ba960fce7
SHA256 b8c452e341e9886961879071da662877c2d8e49c719bdd0e3a3aaf1e9f392ec4
SHA512 6d5b8e3bd4e2e5dbf57caa8b0fde96bfbc285c5338bb05703202e7e91787ae548e24c250a14e9f729c6249745fe44c10c290b7862137f206b09f43600a8a297e

memory/2260-4-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2260-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/692-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/692-13-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 65b11e918e005a4207950935d28ebd73
SHA1 3b4a476943053b557dbcf4b1d47e8b1c193956cf
SHA256 72fdc1e617ffa368955540eac79389797cdb27c326196c29fc4aa8e133a7a423
SHA512 c48e066fdd5a0ec678c206ad86d054fbc64bccaeef30049fb0634d3b1c76b28ff5ef6093470dfa378b30bf6313377a267b3ec58c664943e0f9fddc2f1006d001

memory/692-24-0x0000000000280000-0x00000000002BE000-memory.dmp

memory/2864-27-0x0000000000400000-0x000000000043E000-memory.dmp

memory/692-26-0x0000000000400000-0x000000000043E000-memory.dmp

memory/692-23-0x0000000000280000-0x00000000002BE000-memory.dmp

memory/2864-29-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 08:48

Reported

2024-08-17 08:50

Platform

win10v2004-20240802-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe

"C:\Users\Admin\AppData\Local\Temp\ea8b76c118c419c26149792ca6b19490N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/3392-0-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2140-4-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7af01d9c698e7985c1700dd82f184e69
SHA1 08074056d94d56a85eded112e54dd71ba960fce7
SHA256 b8c452e341e9886961879071da662877c2d8e49c719bdd0e3a3aaf1e9f392ec4
SHA512 6d5b8e3bd4e2e5dbf57caa8b0fde96bfbc285c5338bb05703202e7e91787ae548e24c250a14e9f729c6249745fe44c10c290b7862137f206b09f43600a8a297e

memory/3392-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2140-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 52d93958281ac1bb435e14f0ddc2266f
SHA1 0a708a31f0e39c2a87bc4c43440344f2182f50a6
SHA256 969d9d97da36d30c7f30ca3ae26580decb152ef56c69500b5c8afad111482312
SHA512 4753c7790aa8080efe7eb79c8464e767b3d70aa74ae0289a6885b49e9db4ea4303ed4262e7f5b06bb733a60c7f1580f0d16c8242d8197d78271a7ca40cc7b05e

memory/3576-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2140-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3576-14-0x0000000000400000-0x000000000043E000-memory.dmp