Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-ng7q1s1fla
Target 5dc708aa69cee869ebaf67ff489d1780N.exe
SHA256 8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370
Tags
upx neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8a53e6b93bb9c6c65c90bf8b7920cf2a32916b6ec452b86a8fb5634000aae370

Threat Level: Known bad

The file 5dc708aa69cee869ebaf67ff489d1780N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 11:23

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 11:23

Reported

2024-08-18 11:25

Platform

win7-20240708-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe

"C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2164-1-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 69831108eb6b444b612974498367891a
SHA1 241538951c7d8a3f395beb07cf3592e3166fffad
SHA256 a717da0318c9f9f61435ddde394ac56149a601755a5b3bc8a2711a8439ab25f7
SHA512 d702ff06b6ff4254fae92a0ef31b49684368ea56f30b7f1c4e6a0cf5310f21340a653f11d574ca1aef50d7220c50c0eaba49663bb49101706e8b4b61ce9c9edc

memory/2432-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2432-11-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 9884a1654900cbe5238d434659da9409
SHA1 d8059bfdcef1f1d9adb2bb1cdf8a51127a1caa3d
SHA256 69d97defdfa517351a3dafcf3c10698cee6651bd0c60b2db332b2c0cb27a2e11
SHA512 37e0e95822790e01edda30410555f6767acccf27892601338d3402fb28f83103287f09a7d546d688788cef6ef45ccadd2863566ddae5608bcd21d34139b821ba

memory/2432-16-0x0000000000380000-0x00000000003BE000-memory.dmp

memory/2432-23-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2224-25-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 11:23

Reported

2024-08-18 11:25

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe

"C:\Users\Admin\AppData\Local\Temp\5dc708aa69cee869ebaf67ff489d1780N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/1768-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 69831108eb6b444b612974498367891a
SHA1 241538951c7d8a3f395beb07cf3592e3166fffad
SHA256 a717da0318c9f9f61435ddde394ac56149a601755a5b3bc8a2711a8439ab25f7
SHA512 d702ff06b6ff4254fae92a0ef31b49684368ea56f30b7f1c4e6a0cf5310f21340a653f11d574ca1aef50d7220c50c0eaba49663bb49101706e8b4b61ce9c9edc

memory/2416-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1768-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2416-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 2a1d1ee3e3f523894efe4982d53ed7fb
SHA1 47799d4f982364014462a3c3a34338d7dc82b9f6
SHA256 5e24ab16d27327333dc00d10e0c16314053768a199478d5ae8b4817c5094e1fa
SHA512 6d49f8ab77d28fc360439687e900929b8d198c44c180954bd62d0a95c8a3e6d375ddda88a40e747d2d179269283cc0652859c3116c866682d52854f305cd574f

memory/2416-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2232-11-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 436104d9535959b9021a335467edb7f9
SHA1 173271133a660de9a9a87801a45dce29bffbf8f1
SHA256 56110cd1f933ef8c3b468fbd05fcfa783ae596e815ebe84a4c717dc0c783d9e0
SHA512 c04b3f43a88645153d667815a73a5a764ece6256621dec109a277d8ca83bcadecd2d0633d54f3f5e6b930d061f830f2abcc7efe0d12bd11f3b9b50ea68ee3af5

memory/2044-17-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2232-18-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2044-20-0x0000000000400000-0x000000000043E000-memory.dmp