Malware Analysis Report

2024-11-16 12:59

Sample ID 240817-w151jazdje
Target 03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4
SHA256 03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4
Tags upx neconyd discovery trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4

Threat Level: Known bad

The file 03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4 was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-17 18:24

Signatures

Neconyd family

neconyd

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-08-17 18:24
Reported 2024-08-17 18:26
Platform win7-20240705-en
Max time kernel 145s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2460 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1648 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1544 wrote to memory of 2592 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Process path, then its command line:

C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe
    "C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp

Files

memory/2460-1-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2460-8-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b2258c10578ac6323d97bfbd4be24fea
SHA1 de9782c5c6a034a939d0de5e6defb008c3866e17
SHA256 c79b570e6b8da3823ae7b1b168b599e2f085764667fdcab34722dcbd52993a46
SHA512 513dfb5418dd56939397e002e95624e756f39de0898c3f17daa727bfc0957aa374d35754d4b4321545029891751e3584f5bc323fe80563181e3bf62928f0f60b

memory/1648-10-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1648-12-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 5f8579811fa7c74286ec69260dd99fb0
SHA1 f258404902af358bb7c20d66158f4273bccdaa32
SHA256 cd96ae7b31fc091adaa64b829e11492f04bcbbc5c65b20d46eb0e6d51e5b2e75
SHA512 10bfb057bfc03bf3dc749dce6ccbd33e640eb9362c3deb65cfd58585db71b4fa3e7303a4bb45a6a59f7b0913e9ce0b1c3ed461a3c4ec56fa61ffad6cc61bca37

memory/1648-17-0x0000000000300000-0x000000000033E000-memory.dmp

memory/1648-24-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f49a126150a363accbeaa3711d0bae33
SHA1 aac27faa1560ec8fb1c32be3221fd8d34cb1113c
SHA256 8c7e11850cdc835e144be776310860e53f8dc07dbaf6c71200f19166fb0fbfa5
SHA512 83300825cb94397da7b76325365395436201388fdeb05332db188c03cd8639dd32aefbc09d59b1990d86299b76ca61ca9472536893b740ebd393ceaf7fe7ace5

memory/1544-29-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2592-37-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1544-35-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2592-38-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-17 18:24
Reported 2024-08-17 18:26
Platform win10v2004-20240802-en
Max time kernel 150s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Process path, then its command line:

C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe
    "C:\Users\Admin\AppData\Local\Temp\03203946e7a049459f5f7d59e6d4c076c7b2177fdbe3263af424ecb2abace5d4.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Files

memory/684-0-0x0000000000400000-0x000000000043E000-memory.dmp

memory/684-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1168-6-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b2258c10578ac6323d97bfbd4be24fea
SHA1 de9782c5c6a034a939d0de5e6defb008c3866e17
SHA256 c79b570e6b8da3823ae7b1b168b599e2f085764667fdcab34722dcbd52993a46
SHA512 513dfb5418dd56939397e002e95624e756f39de0898c3f17daa727bfc0957aa374d35754d4b4321545029891751e3584f5bc323fe80563181e3bf62928f0f60b

memory/1168-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 dd10deeba5fb45a4d40196bcc761180d
SHA1 3ea09e6d4bf6e9519f72b5d5623b380eee8ade92
SHA256 b05cb17a314b36c4223a2c222bb77c1f874ae6e34081e42ea73687928ac7814a
SHA512 7bf0574b42cb72f2d9a80aba5abb7d27f664de50769765e8fe3ed1c5a4cf3e8c5e0204d1550239de65031c2e58bc9371a4730d57bd673817d0ac9fdc73a2da57

memory/1332-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1168-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1332-17-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 fb8bc8df844a6246efc3fb5686b03040
SHA1 795e1b1a432c14d1b6d4dc40217501fb7df58815
SHA256 4b69e2822918f2def453e602845590e9a174b19c985c21736233e3804abbe80a
SHA512 13460a41a5119d58c693fceb8cde04c23196e376caefcce6ee1cacf7055a10e296dfe24317e20d6ba631f9f1c11641c17b80d3d9d3303726f6cf4c4bc522b26b

memory/2636-18-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2636-20-0x0000000000400000-0x000000000043E000-memory.dmp