Malware Analysis Report

2024-11-16 12:59

Sample ID 240817-l6ytaszfke
Target 0a797fda9c5686f35bc55e150c12fd50N.exe
SHA256 ec641aca9f93d2df3c8f5595e5f7a9047754f1acfde0c51d446fc8bc56255c0e
Tags
upx neconyd discovery trojan

Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

ec641aca9f93d2df3c8f5595e5f7a9047754f1acfde0c51d446fc8bc56255c0e

Threat Level: Known bad

The file 0a797fda9c5686f35bc55e150c12fd50N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 10:09

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 10:09

Reported

2024-08-17 10:11

Platform

win7-20240704-en

Max time kernel

115s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (12 identical rows)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical rows)
PID 2300 wrote to memory of 684 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe (4 identical rows)
PID 684 wrote to memory of 3016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe

"C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2400-0-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2400-8-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2300-11-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ffa946d3f505cc7630b057cebc518b80
SHA1 23527f9c6d03122864cea46adde43df16e503bcd
SHA256 8b688f0d94a43e8115c7e0cee2f0e6b229c760b12b70b91d803599020a8e5504
SHA512 877baf971a3a3ee04efae3a8e63cbbf9cf996656d78cc7687ac098bf33be1fa5e5b08351780ec0e20798c49ff7eca78cf947ccc0fb2d79f1d757678979ba63cd

memory/2300-12-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 91a4c62e64847fbbe1894e5ee0e8436f
SHA1 2b7d2839ef90a747b1d0030786bd969708523f35
SHA256 542dd86b9128198fcf81a1066aeb9c02d7057e569f28761a88e68c0e30285378
SHA512 7721e045afaab17754d278df899f35b7615175a6023d7044b46fd356b6a2c87cd08abc3096a2df5d8ee645b43e58a4a01c115f3ab8b6c0ecfd13326bdb0385e5

memory/2300-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/684-26-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2300-23-0x0000000000390000-0x00000000003CE000-memory.dmp

memory/2300-22-0x0000000000390000-0x00000000003CE000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e9ad2b129c9dd2c3bc002526ef3704c1
SHA1 4c3270663731d6fd348add9c32ab2d77d1a99cf6
SHA256 7049cccfa0be2afd75f67b327c37490b8e2f02056a8a8d51f6e92000f89b1e86
SHA512 7ce45ae6a2032137c9fb6e849dc832d7559fc95b49f57abebf0d94c89ddb953cfef82c26ff4383ee1e10457d94dc620156f6091193acde42fe513f6ef783642f

memory/684-30-0x0000000000220000-0x000000000025E000-memory.dmp

memory/684-37-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3016-39-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 10:09

Reported

2024-08-17 10:11

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe

"C:\Users\Admin\AppData\Local\Temp\0a797fda9c5686f35bc55e150c12fd50N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2952-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ffa946d3f505cc7630b057cebc518b80
SHA1 23527f9c6d03122864cea46adde43df16e503bcd
SHA256 8b688f0d94a43e8115c7e0cee2f0e6b229c760b12b70b91d803599020a8e5504
SHA512 877baf971a3a3ee04efae3a8e63cbbf9cf996656d78cc7687ac098bf33be1fa5e5b08351780ec0e20798c49ff7eca78cf947ccc0fb2d79f1d757678979ba63cd

memory/904-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2952-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/904-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 2b958f0e1177ab6af7901580121b3d8b
SHA1 9282d1b1506c6f95bd7605fb84c63ec586bf2b2d
SHA256 e380fafa019cccf80e677331439309a1c14b3415e60be78245a5987aef8bc63b
SHA512 e593d253111289389431233d2b11814de7e4ba51128e9666ab7483f28ae1a0febbd78d490f5519bd749f14c662c07dfbb3e3afd1376ec61b3bb28e08d51cd4bc

memory/4892-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/904-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4892-14-0x0000000000400000-0x000000000043E000-memory.dmp