Malware Analysis Report

2024-11-16 12:59

Sample ID 240817-yjrgxswdpm
Target c2788026375bcd144aec3864eb6f6d70N.exe
SHA256 215557fae843b16a6884443a1af7939811fa0481851c8a37078089dc55d3a7d1
Tags: neconyd discovery trojan upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 215557fae843b16a6884443a1af7939811fa0481851c8a37078089dc55d3a7d1

Threat Level: Known bad

The file c2788026375bcd144aec3864eb6f6d70N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan upx

Neconyd

Neconyd family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 19:49

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 19:49

Reported

2024-08-17 19:51

Platform

win7-20240705-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (15 matches, no further details recorded)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2684 wrote to memory of 580 | N/A | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2684 wrote to memory of 580 | N/A | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2684 wrote to memory of 580 | N/A | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2684 wrote to memory of 580 | N/A | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 580 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 580 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 580 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 580 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1176 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1176 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1176 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1176 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe

"C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2684-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2684-9-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c092ddcc86cb49f10b7717775be48716
SHA1 cc8674871215185b8332522c455f1449df946093
SHA256 849103898d3341bfbc2b6a90c38ec2eeec004aed195bcb79bb2ca3a928200d55
SHA512 16ada6f32c8b8f6ee5792f80446bb23ab955ab1e49caced00984891f7a13b33070136ad547692e8e8e3fbb2d46ad206ecc0afa58e6d8be6ccbf642d2c8f9f25e

memory/580-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/580-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/580-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/580-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/580-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 68afb757a77d751e50b805a42b77ad8c
SHA1 a4a0ebb3901094cc684587755c88b58934ce4966
SHA256 78270cfe5645d829a1c31e6c453a0027bd7f51e1d23aaed11a4e8b005ff7dc95
SHA512 5b9a8e02a06950a4902919dbb80596435ef38682b8af840376198670abc01f260ef3f518e7e0438bac629cc49de8c10d9bc9915db3211670bfff0928d0b1833e

memory/580-26-0x0000000000370000-0x000000000039D000-memory.dmp

memory/580-33-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8c87bcc4aa7d09b018e0ecc788e8473d
SHA1 c79b8b9a7995c21923d4e419df15c473d9b20251
SHA256 12961e33d5f59ae9135284e7cbbc2b940f36f0d347c370f0ba6cfc605445347e
SHA512 de4ec50c9e0d3f575f0d72d839c264c66837178e05beb1fe4479d51e29d7116e2e1c317f4377635559768ecf7b9bfb7e1ccd689889ed1f29dcbb8f8c72f63d7d

memory/1452-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1176-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1452-48-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 19:49

Reported

2024-08-17 19:51

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (12 matches, no further details recorded)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe

"C:\Users\Admin\AppData\Local\Temp\c2788026375bcd144aec3864eb6f6d70N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/3636-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c092ddcc86cb49f10b7717775be48716
SHA1 cc8674871215185b8332522c455f1449df946093
SHA256 849103898d3341bfbc2b6a90c38ec2eeec004aed195bcb79bb2ca3a928200d55
SHA512 16ada6f32c8b8f6ee5792f80446bb23ab955ab1e49caced00984891f7a13b33070136ad547692e8e8e3fbb2d46ad206ecc0afa58e6d8be6ccbf642d2c8f9f25e

memory/1808-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3636-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1808-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1808-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1808-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1808-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 d54a10588c3408520f80189a651436f5
SHA1 e0919708db7435e7f53e0ad3c6504859e883fde8
SHA256 bf4af2909de18347805ef902b2af73970b724a2f0010fd48d088a0b7f72781a3
SHA512 ca4d9aa528770bac228fc622a941dd39bf222fbef8ad3b111f4b656c30998499264a68b71ab4580c6a32d0f9d9e66a6d0fd811fb8f3b36d3589ad2485ef44091

memory/332-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1808-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/332-23-0x0000000000400000-0x000000000042D000-memory.dmp