Malware Analysis Report

2024-11-16 12:57

Sample ID 240817-qam45szcnr
Target 23c02e2bc5d25b24d9f22d75038e95f0N.exe
SHA256 7c0ad3ed329fc1c621039a39e7fc1b0afc4bed8ce0c4a331f797f91ee37319e5
Tags
neconyd discovery trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

7c0ad3ed329fc1c621039a39e7fc1b0afc4bed8ce0c4a331f797f91ee37319e5

Threat Level: Known bad

The file 23c02e2bc5d25b24d9f22d75038e95f0N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan upx

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 13:03

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 13:03

Reported

2024-08-17 13:05

Platform

win7-20240704-en

Max time kernel

116s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
(12 matches; no indicator details recorded, all fields N/A)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1356 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1356 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1356 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2868 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2868 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2868 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2868 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2564 wrote to memory of 1792 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 1792 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 1792 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2564 wrote to memory of 1792 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe

"C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/1356-1-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a6b7122280eb4c321a9474bce1b009e4
SHA1 67b7360f9be698f0e0da20a50a1b59b79ad22a60
SHA256 e539507df68bc5efc7301b94787e90a74e9d853cf648cd668538ba06c7cd8d9f
SHA512 f87cc49f443d5bbcfb6d139d04601e6da44b78431ba0c0aeb73eab0ef32570862045cf836a44d4b607403fbb984d8d079395bae5b070dbd42ef850c01b73ba09

memory/2868-10-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1356-8-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2868-12-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 deeab86ce7850c8d8a4b77b283d99f14
SHA1 0b13647045f2f8617d18c9a7c0c03801348133cc
SHA256 97ee7a5ba5901feab9d3705fdadcf015943dd4b0b22b0fb65918d387e6660778
SHA512 b3e7e625f9b55fff011401473c5e9da03ad95df9cfa73bd475ba8533b88561cb3487daf0191aaf0531517dc53cda97fa5f81b714881c1fb3347bcfdc17ac25b5

memory/2868-17-0x0000000000370000-0x00000000003AE000-memory.dmp

memory/2868-23-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2564-33-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1792-35-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 348a669c984258af732f10dabd235d7d
SHA1 24d8d481b4a46ab3ed68939eafe83697dcbdd73f
SHA256 d7b0e5176eae183eb383170f1d23c961bbaf0a9128cf0ebad9ab2e4a9300c4d4
SHA512 85f57ec4c5f7421d2f9050deec8fe46a5e522377d2b75f09899e404926be1044be1d189c8aafb2eb21245a679e2cb9703a23039091ec544b2b4ec48eca0d224c

memory/2868-37-0x0000000000370000-0x00000000003AE000-memory.dmp

memory/1792-38-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 13:03

Reported

2024-08-17 13:05

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
(9 matches; no indicator details recorded, all fields N/A)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe

"C:\Users\Admin\AppData\Local\Temp\23c02e2bc5d25b24d9f22d75038e95f0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/3716-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a6b7122280eb4c321a9474bce1b009e4
SHA1 67b7360f9be698f0e0da20a50a1b59b79ad22a60
SHA256 e539507df68bc5efc7301b94787e90a74e9d853cf648cd668538ba06c7cd8d9f
SHA512 f87cc49f443d5bbcfb6d139d04601e6da44b78431ba0c0aeb73eab0ef32570862045cf836a44d4b607403fbb984d8d079395bae5b070dbd42ef850c01b73ba09

memory/1216-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3716-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1216-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 c0f5a9c6dd3da29caee60dbe7728916b
SHA1 6634a263404c8b2b075e290f3f5ae955ad6dcf34
SHA256 6138b2d48e0118583fe90869be2dd8cbda572633a73dfac000137b0711692760
SHA512 244145c7987a6a8fb8182d062483960b20005072d9733534c798396eb8ac4b39e0cdda5cf99ac39d3992bea31df9f72bd6c457d871c0013522fbdabce77bae60

memory/4584-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1216-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4584-14-0x0000000000400000-0x000000000043E000-memory.dmp