Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-pqanbawfqp
Target 9ef5e0aff3983414d5fc6ee69674a8a0N.exe
SHA256 6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180
Tags
upx neconyd discovery trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

6a824ff9c5f41f293a0a28c535f5684dcc57cdfeccbc7ed8db0ddc76e877c180

Threat Level: Known bad

The file 9ef5e0aff3983414d5fc6ee69674a8a0N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd

Neconyd family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 12:31

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 12:31

Reported

2024-08-18 12:33

Platform

win7-20240704-en

Max time kernel

115s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1668 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1668 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1668 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2296 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2296 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2296 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2296 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1224 wrote to memory of 1496 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1224 wrote to memory of 1496 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1224 wrote to memory of 1496 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1224 wrote to memory of 1496 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe

"C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/1668-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a2b4a322bc57c590c56a4cd09ed4c4b4
SHA1 af712caf7817eca258eac0742d8d19786f0d7a04
SHA256 dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc
SHA512 5049565bfec82f3aabe027569a23449b13b6aa411e5ff9a8226d3bbd6e352acd0fa7f089c615e5b8df226321578789a749a39979c1570825d2fd87fcf33b2dcd

memory/1668-9-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1668-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1668-8-0x0000000000220000-0x000000000024D000-memory.dmp

memory/2296-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2296-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2296-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2296-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 2d4005ae8a6f116161a2c1e0bd3b77e9
SHA1 6b7879433a22b6cf6b3fa4ad9a5083a92cf38129
SHA256 d465db466806e9cb1ff1e6879482b29af4741bf514701f35e636a9afe10857aa
SHA512 d32983bc8a17e1c27e054a6f2020b08d8dcdb151130ea271b55ae8c27fb777302238eef2025e2f1f55979758a8cf26166e1bd844cc6544b88c48c5c8763cb993

memory/2296-32-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2296-34-0x0000000002790000-0x00000000027BD000-memory.dmp

memory/2296-31-0x0000000002790000-0x00000000027BD000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6aaac85118419c336e917702517f0ce1
SHA1 b255835b05a874de37ad191d6c58cf942c652194
SHA256 072604ec35625142fc1044a11cf68a0615b0c9b4f3ad19ab66475aa9c1f42f27
SHA512 0beef2523d7fa1d74639fc26a10e8873f24b0ed40121702ad7adb6eb6d2dbbf41df329ba8239b61c82901fb01a8e56353e7bb8bba57ac86d1977e5d901f26172

memory/1224-39-0x00000000002B0000-0x00000000002DD000-memory.dmp

memory/1224-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1496-48-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 12:31

Reported

2024-08-18 12:33

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe

"C:\Users\Admin\AppData\Local\Temp\9ef5e0aff3983414d5fc6ee69674a8a0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/1360-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a2b4a322bc57c590c56a4cd09ed4c4b4
SHA1 af712caf7817eca258eac0742d8d19786f0d7a04
SHA256 dd48e096bbbbbd2e4e186211204c30644f52bbfb15b7f9d7830c8a15c15ec0bc
SHA512 5049565bfec82f3aabe027569a23449b13b6aa411e5ff9a8226d3bbd6e352acd0fa7f089c615e5b8df226321578789a749a39979c1570825d2fd87fcf33b2dcd

memory/5004-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1360-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5004-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5004-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5004-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/5004-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1384-19-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 d3d933d5522db2197e9d43c1ddac126a
SHA1 3df9f95a01aaab85cb88d21fd03f7d58e300afb1
SHA256 ca0f34c55405e8366cf93ab54885b02c3dbd9101eaaf9706bc0447aa43d05692
SHA512 1af87fa818af16d1a4aeb48e78fd07a7a5875e4a5cca6dc5c1458137ee4015c7538aed3ea6bbf5fa53b077889ec2a9698dc1a91b09f6b272e790df2ec4199318

memory/5004-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1384-23-0x0000000000400000-0x000000000042D000-memory.dmp