Malware Analysis Report

2024-11-16 12:59

Sample ID: 240817-qectzaxble
Target: 5137682cfd1570081e325a18027f8d40N.exe
SHA256: f7482e028b5429a0b7e73f250db7e75465d922317bd3e926797b78b9a0eadd65
Tags: upx neconyd discovery trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: f7482e028b5429a0b7e73f250db7e75465d922317bd3e926797b78b9a0eadd65

Threat Level: Known bad

The file 5137682cfd1570081e325a18027f8d40N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-17 13:10

Signatures

Neconyd family

neconyd

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-17 13:10
Reported: 2024-08-17 13:12
Platform: win7-20240705-en
Max time kernel: 115s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (12 identical rows; the sandbox recorded no indicator detail for any of the UPX hits)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2764 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical rows)
PID 2780 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe (4 identical rows)
PID 1980 wrote to memory of 2872 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe

"C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2764-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e202a15e25475446a7447f7589108f0e
SHA1 248db9c894bc58f4ecab67e399e9674339a3ccdf
SHA256 baa00850fed32a3e2a309eea277f4faad7d422736f97c4bfe0ef9e01627d8e70
SHA512 ac939bf87f4ec53b02483cce3196f4e876425724f74f70dc9d7bc091f06ac00852b34d48eff9782e39855362a5f4df4dcbcc43c8802978f3dae28753bee5b259

memory/2764-8-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2780-10-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2780-12-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 cca640be6d4583e9bcd25b957f2858a2
SHA1 e8f73da54625595e6895d0c79809e00e2d8f4153
SHA256 68141e37a2ee2d89c4ba2b6af1e57bd5607ed9006af66d0b20dc9b88c3ef0153
SHA512 5093ee77897ef39a7cbcfe5cfd76def9461da79278382411ed0cdf53688debc07bfc849d892b194b70041e332ebb2468af878a9a7b5de4196c1de600fa683f81

memory/2780-17-0x0000000000390000-0x00000000003CE000-memory.dmp

memory/2780-25-0x0000000000390000-0x00000000003CE000-memory.dmp

memory/2780-23-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 139f0d41cfe6d0d170792eb81ad3a162
SHA1 2de5f144843c2773035075099a0a94ebd21f4a01
SHA256 a270ca053a5d30d100010b8f541780ab40a6f4f23ecf74cea0fa8fe5801d92a1
SHA512 c647d41601affe1ab086a5d46867f3f55edd3cc439cc8c14b1e64a25e10cf6337be91a9699d4054f64c4ddc9cc1669d89735897b025dd4290a2b77c2849e8b82

memory/1980-29-0x00000000002D0000-0x000000000030E000-memory.dmp

memory/1980-35-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2872-38-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-17 13:10
Reported: 2024-08-17 13:12
Platform: win10v2004-20240802-en
Max time kernel: 114s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (9 identical rows; the sandbox recorded no indicator detail for any of the UPX hits)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe

"C:\Users\Admin\AppData\Local\Temp\5137682cfd1570081e325a18027f8d40N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/4376-0-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3244-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4376-6-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e202a15e25475446a7447f7589108f0e
SHA1 248db9c894bc58f4ecab67e399e9674339a3ccdf
SHA256 baa00850fed32a3e2a309eea277f4faad7d422736f97c4bfe0ef9e01627d8e70
SHA512 ac939bf87f4ec53b02483cce3196f4e876425724f74f70dc9d7bc091f06ac00852b34d48eff9782e39855362a5f4df4dcbcc43c8802978f3dae28753bee5b259

memory/3244-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 f042282b0bf92e75e189f35a77b098f9
SHA1 8cebeb05d50c2ccdffb9ccb1c739cd747e6fc07a
SHA256 3add4e26cdca1f24e4899d0a5e12c9939ae92195396efc80562de3df6b81a9a3
SHA512 af7bf69728ccc4c040d753665d1453a3510605f4004a3e69e5841515fc06ccc8ded6a2f4634326b5c3a641ca2d7a2744745ac0b0b9f453b8edea739cf6eabcd3

memory/3244-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4324-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4324-14-0x0000000000400000-0x000000000043E000-memory.dmp