Malware Analysis Report

2024-11-16 12:59

Sample ID: 240817-xgbs1s1brf
Target: 0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28
SHA256: 0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28
Tags: neconyd discovery trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28

Threat Level: Known bad

The file 0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28 was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan upx

Neconyd family

Neconyd

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-17 18:49

Signatures

Neconyd family (neconyd)

UPX packed file (upx)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-17 18:49
Reported: 2024-08-17 18:51
Platform: win7-20240708-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe"

Signatures

Neconyd (trojan neconyd)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file (upx)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery (discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1820 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1820 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1820 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 292 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 292 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 292 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 292 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1992 wrote to memory of 1848 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1992 wrote to memory of 1848 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1992 wrote to memory of 1848 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1992 wrote to memory of 1848 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe

"C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1820-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 822a37c441eb37ecd343c04b2d50c87a
SHA1 b96e7609bca07d9287d7f5e046e41f7ed08d75a8
SHA256 a4bf3e5b80940bb8a1ebc16df082d8c369c3799e4f82cd228720ecb0467ed999
SHA512 1c14e4a26df8aba63c10aa646808485ae1aebca0fb5b06fabdab1a1689606e83898c318144cdd7119e76483272ed5f56a61b6229b3baeea43a66623672617c0b

memory/1820-4-0x00000000001B0000-0x00000000001EE000-memory.dmp

memory/292-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1820-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/292-13-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 3d5ebbee77efef0016b959306fcef982
SHA1 8334c011060225e54b2815e781a148da6d8718e1
SHA256 155d7c799203afb497ca0bdf1fe2b323311eb64b88add2484f9db4b13fe34834
SHA512 15a2f105aab463d47ea8bba3a39ff8e3cc21173486136c5f61a4ef8ab60828fdc615d7eb7c9aa7e3dade1931edde2f866f0c746361068c9e4c8ab9b1a1c785c6

memory/292-26-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1992-27-0x0000000000400000-0x000000000043E000-memory.dmp

memory/292-24-0x0000000000440000-0x000000000047E000-memory.dmp

memory/292-19-0x0000000000440000-0x000000000047E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 51d9fa553aa3e1bc9f163c029e1873d3
SHA1 05bd6c11135233c642f96647b6e322d4531d0f53
SHA256 f79ca6ee55f5c040af45046c948f628852f0c11b61e5546d0747e25b0d5a905c
SHA512 15ab87be48164f840b5cfa1ae8822543d3d6f5f7be666370c5bc33bbb151240c5ad1dc3eb7923a6c4c55043ad394c3048bfc1b575f7f719b33fb6b4a84ec5209

memory/1848-38-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1992-36-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1848-40-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-17 18:49
Reported: 2024-08-17 18:51
Platform: win10v2004-20240802-en
Max time kernel: 146s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe"

Signatures

Neconyd (trojan neconyd)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file (upx)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery (discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe

"C:\Users\Admin\AppData\Local\Temp\0bf5a6f651f91d8f3f54fb1432423cd35329b483c3b6d8a9ec9ec5a08f1a3c28.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/3112-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 822a37c441eb37ecd343c04b2d50c87a
SHA1 b96e7609bca07d9287d7f5e046e41f7ed08d75a8
SHA256 a4bf3e5b80940bb8a1ebc16df082d8c369c3799e4f82cd228720ecb0467ed999
SHA512 1c14e4a26df8aba63c10aa646808485ae1aebca0fb5b06fabdab1a1689606e83898c318144cdd7119e76483272ed5f56a61b6229b3baeea43a66623672617c0b

memory/64-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3112-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/64-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 d97c6c5e159aaff40f35db64ed120c22
SHA1 23a2d11cf38b791b48215ed14b1031394a1e8209
SHA256 c22575c69de5e1a0fbb46d6c007626d75dcc211ca37e995274c6234d7b77bc85
SHA512 25c2c2c3e0c7830e296f0e628a1bb57deb5687e4bcdeef633256a1593a5bd7e3ecbf3bdef08023de916f3a0da5f3d0d9c41fd0901e6a86ab9dda163cb4c3074d

memory/1592-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/64-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1592-16-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3300-18-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 cf88b982b0a7808dc82d5b4d55b69dad
SHA1 b877f42a475ef49f2f5eac87aabc83b8d5f56968
SHA256 a8dbd29928a6ee9f514fe5814518a7f7cddd17585fc04fee7026f12193393aa5
SHA512 ab848bb2a8127c4a12d49a30c703c4cb776474c7cc39b09e7a7b2412d6a40a226d2c4c6348177f1c3edb4033af2dc852838b01e7fa3ffe0c2ae548ed63a63aa6

memory/3300-20-0x0000000000400000-0x000000000043E000-memory.dmp