Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-1lhnxayhqm
Target d9bae2c5b0211e4af81d661f5497bb10N.exe
SHA256 13221c391e1e8abb8d39a31c1ecdc3d09f275c84cde02dc8511e0ca599f86e94
Tags neconyd discovery trojan upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 13221c391e1e8abb8d39a31c1ecdc3d09f275c84cde02dc8511e0ca599f86e94

Threat Level: Known bad

The file d9bae2c5b0211e4af81d661f5497bb10N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan upx

Neconyd family

Neconyd

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-18 21:44

Signatures

Neconyd family

neconyd

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-18 21:44
Reported 2024-08-18 21:46
Platform win7-20240708-en
Max time kernel 119s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3024 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1968 wrote to memory of 2016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe

"C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 28e15ebe825005fa203f31f0796e4fd3
SHA1 4439062f9b11086cf495e71d500984434769fea1
SHA256 b2d7505c13ffbe51445530ddd84af467a855bb116707ffffb47b453da45db7d0
SHA512 3937b4f343f96255b287a3d6d7f70f2013cdba9f57664ed168cfc2e173d663b1640c46974ecaac877cf233849dd6d4cd6b0ec627d26258ba76ba708affa60fac

\Windows\SysWOW64\omsecor.exe

MD5 f717fb9336e14dfe3528ba5479f06158
SHA1 9bcbbd07929ae8c8237d5a6cdf559f8a3fd543cc
SHA256 2f4915b55b3dc558faafb01ad1869415b65d91eb42037c6dbe4b01cbb2b2cffe
SHA512 22f4ff7a737ce22cc2fe3967ce2fc04f21d1169e289394580bea821255deed7be0490217ef190dcba92c5c31687f6c20614962f603fec81b28c985c3fbc838eb

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c274258de3287c20ac8bd8ed05b473cd
SHA1 bb9fd75fa5a37efe12b4404a3a9794458482fb8f
SHA256 ed651414c4bbc683b48fef0ddf09a8037df2b9728e8f3456b415e22063d1a228
SHA512 93b61d5b7f3003d4a8fa0f713430d3f3310650b5370ba622951910629ee57a11e54f91ee6d8acd4e19c8c680b788f0adaa51d37c0670091dd86e7fb4feb4ea9b

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-18 21:44
Reported 2024-08-18 21:46
Platform win10v2004-20240802-en
Max time kernel 116s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe

"C:\Users\Admin\AppData\Local\Temp\d9bae2c5b0211e4af81d661f5497bb10N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 28e15ebe825005fa203f31f0796e4fd3
SHA1 4439062f9b11086cf495e71d500984434769fea1
SHA256 b2d7505c13ffbe51445530ddd84af467a855bb116707ffffb47b453da45db7d0
SHA512 3937b4f343f96255b287a3d6d7f70f2013cdba9f57664ed168cfc2e173d663b1640c46974ecaac877cf233849dd6d4cd6b0ec627d26258ba76ba708affa60fac

C:\Windows\SysWOW64\omsecor.exe

MD5 d58b7e408931fbaac3331d618336a931
SHA1 0b081282afbb774fd9ca9f0b6362dc23ae275b1b
SHA256 7cbd13ce9246de2b55583f0ad6f06b90153bce7ad19fafa509e85300958efbf6
SHA512 7fea48dd1446665123a19145af1e523ebd846e381c20c40b91a02bee041923da2c1b143ab329ec71d2fd2758ddf5ec08669e074a40c7eed88c8b00f8cf4fa79b
