Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-q7e5ssyhrj
Target 2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
SHA256 3cd00bd31b753d832e83b5c7d1f7fca948706dd01144621a4a019322910e47c5
Tags upx, neconyd, discovery, trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 3cd00bd31b753d832e83b5c7d1f7fca948706dd01144621a4a019322910e47c5
Threat Level: Known bad

The file 2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe was found to be: Known bad.

Malicious Activity Summary

Tags upx, neconyd, discovery, trojan

Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL (listed in the summary only; neither behavioral analysis below carries a detail table for it)
UPX packed file
Drops file in System32 directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

The technique table did not survive this export. The one technique the signatures name outright is T1614.001, System Location Discovery: System Language Discovery (the NLS\Language registry reads recorded in both behavioral analyses).

Analysis: static1

Detonation Overview

Reported 2024-08-18 13:53

Signatures

Neconyd family (neconyd)
UPX packed file (upx)
Unsigned PE

No per-match detail (Description, Indicator, Process, Target) was recorded for the static signatures. A stock UPX stub unpacks with upx -d; treat the packing as a distribution convenience rather than real obfuscation unless that attempt fails.

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-18 13:53
Reported 2024-08-18 13:55
Platform win7-20240729-en
Max time kernel 114s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe"

Signatures

Neconyd (trojan, neconyd)

Executes dropped EXE

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe             N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

UPX packed file (upx)

Twelve matches; no per-match detail (Description, Indicator, Process, Target) was recorded.

Drops file in System32 directory

Description   Indicator                        Process                                     Target
File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

The copy lands in SysWOW64 rather than System32 because the dropper is 32-bit and WOW64 file system redirection maps System32 to SysWOW64 for it. Creating a file there requires an elevated administrator token; on a standard-user host this stage of the chain fails.

System Location Discovery: System Language Discovery (discovery)

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, once per process in the chain:
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

Reading this key is a routine side effect of locale initialisation in many benign programs, so on its own it is a weak indicator; use it as corroboration for the drop-and-execute chain, not as a detection.

Suspicious use of WriteProcessMemory

The twelve rows collapse to three writer/target pairs with four write events each:

Writer PID  Target PID  Writer image                                                              Target image                                Events
2180        2540        C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  4
2540        2652        C:\Users\Admin\AppData\Roaming\omsecor.exe                                C:\Windows\SysWOW64\omsecor.exe             4
2652        2532        C:\Windows\SysWOW64\omsecor.exe                                           C:\Users\Admin\AppData\Roaming\omsecor.exe  4

Each stage writes into the process it launches next, giving the hand-off chain 2180 -> 2540 -> 2652 -> 2532 (Temp dropper -> Roaming copy -> SysWOW64 copy -> Roaming copy). These are the same four PIDs whose memory regions appear under Files.
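The WriteProcessMemory rows above are easier to read as a chain than as a table. The script below is an added example and is not part of the sandbox report or its tooling: it parses the rows exactly as the report prints them (copied inline as constructed input), collapses the repeats into per-pair counts, and orders the writer/target pairs into the hand-off sequence, refusing to guess when the graph is not a single simple chain. Function and constant names are mine.

```python
import re
from collections import Counter

# Constructed input: the twelve "Suspicious use of WriteProcessMemory" rows from
# behavioral1, copied as the report prints them (one row per write event).
WPM_ROWS = r"""
PID 2180 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2180 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2180 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2180 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2540 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2540 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2540 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2540 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2652 wrote to memory of 2532 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2652 wrote to memory of 2532 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2652 wrote to memory of 2532 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2652 wrote to memory of 2532 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
"""

# "PID <writer> wrote to memory of <target> N/A <writer image> <target image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$", re.MULTILINE)


def parse_events(text):
    """One (writer_pid, target_pid, writer_image, target_image) tuple per row."""
    return [(int(w), int(t), wi, ti) for w, t, wi, ti in ROW_RE.findall(text)]


def collapse_events(events):
    """Fold repeated rows into {(writer_pid, target_pid): count} plus a pid -> image map."""
    counts = Counter()
    image = {}
    for w, t, wi, ti in events:
        counts[(w, t)] += 1
        image.setdefault(w, wi)
        image.setdefault(t, ti)
    return counts, image


def handoff_chain(counts):
    """Order the writer -> target pairs into a chain starting at the pid nobody wrote into.

    Raises ValueError if a writer has several targets, there is more than one root,
    or the graph loops: those need a tree, and guessing would misattribute stages."""
    nxt = {}
    for w, t in counts:
        if w in nxt:
            raise ValueError(f"pid {w} wrote into several targets: {nxt[w]} and {t}")
        nxt[w] = t
    roots = set(nxt) - set(nxt.values())
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {sorted(roots)}")
    chain = [roots.pop()]
    while chain[-1] in nxt:
        t = nxt[chain[-1]]
        if t in chain:
            raise ValueError(f"cycle: pid {t} is written into twice along the chain")
        chain.append(t)
    return chain


def summarize(text):
    """(stage, pid, image, write events received from the previous stage) per stage."""
    counts, image = collapse_events(parse_events(text))
    chain = handoff_chain(counts)
    return [(i, pid, image[pid], counts[(chain[i - 1], pid)] if i else 0)
            for i, pid in enumerate(chain)]


if __name__ == "__main__":
    for stage, pid, img, n in summarize(WPM_ROWS):
        print(f"stage {stage}: pid {pid:<5} {img}  (writes from previous stage: {n})")
```

Run it on the rows from any other report of this family and the chain check either gives you the stage order or tells you the sample fans out, which is the point of refusing to guess.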

Processes

Image: C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe (PID 2180)
Command line: "C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2540)
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe (PID 2652)
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2532)
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PIDs are taken from the WriteProcessMemory rows, in hand-off order. The third process is started with a System32 command line but its image lives in SysWOW64: the 32-bit parent is subject to WOW64 file system redirection. Detection logic keyed on the command-line path sees System32; logic keyed on the loaded image sees SysWOW64. Match on the file name and on the AppData -> Windows directory hop rather than on either spelling.

Network

Country  Destination          Domain           Proto
US       8.8.8.8:53           lousta.net       udp
FI       193.166.255.171:80   lousta.net       tcp
FI       193.166.255.171:80   lousta.net       tcp
US       8.8.8.8:53           mkkuei4kdsz.com  udp
US       64.225.91.73:80      mkkuei4kdsz.com  tcp
US       8.8.8.8:53           ow5dirasuek.com  udp
US       52.34.198.229:80     ow5dirasuek.com  tcp
FI       193.166.255.171:80   lousta.net       tcp
FI       193.166.255.171:80   lousta.net       tcp

All three domains resolve and are contacted over plain HTTP on port 80; lousta.net four times in the run, the other two once each. The udp rows to 8.8.8.8:53 are the DNS lookups made through the sandbox resolver, not sample traffic to Google.

Files

memory/2180-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 01507f9c34d2bcb425195c22b6709616
SHA1 79e5a722456fb50da995b42d6a7a92f681b8bbe1
SHA256 be50fac53ce2a545c5eab79e842b66b84b6eb38b642aa73e25c263241a294370
SHA512 9dd74aa2b561249219c9c9f84f9aaef233ee847d718dc97174fc5ff9ad5012cf2c061750a489670bb30de38706803e0f3fdcdb2bedcb98ec5d588b6101498cdd

memory/2180-10-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2180-9-0x0000000000230000-0x000000000026E000-memory.dmp
memory/2180-5-0x0000000000230000-0x000000000026E000-memory.dmp
memory/2540-13-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe
MD5 b3c5a5ec068b86768c5e7e6065e84067
SHA1 78b6058021333064e9f5779644e634c716f160a5
SHA256 8e799452a393cb492a1f595f6b6f6e21141a059db9a437a574726c6a6917eb5d
SHA512 4526cee620ebb52c5e32bdf32711a0d1d59b644e730f9c81f8ca85e4a82e6e1ca38f036a62955c2b4bc07729e540ca7cdc568866661077a80b1bfe9ecb39bd23

memory/2540-18-0x0000000000280000-0x00000000002BE000-memory.dmp
memory/2540-26-0x0000000000280000-0x00000000002BE000-memory.dmp
memory/2540-24-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe
MD5 fd414f9bfa30ff075d420b951e769aa9
SHA1 61e3f7ebfac06b51ccdb7293ee73a64591375199
SHA256 9e2ad5ee5014a34333a60d28ca69ab3ec78e89499e6a39494542c65adaa91934
SHA512 20fddf2effc6a9b37a77b8185aed94989e3869f21260165aaa027f694b126047704cf06db1738f6eeb8485f3f0b5a46ed8a93c01d25575c77e16bc32652a333e

memory/2652-30-0x0000000000220000-0x000000000025E000-memory.dmp
memory/2652-36-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2532-39-0x0000000000400000-0x000000000043E000-memory.dmp

Entries are in the order the sandbox recorded them; dump names are PID-sequence-start-end. Every PID has the image mapped at 0x400000-0x43E000 (0x3E000 bytes), and each of the three writer PIDs (2180, 2540, 2652) also holds a second private region of exactly 0x3E000 bytes; 2532, the last target, holds only the image. The Roaming path is written twice in this run with two different hashes (be50fa... then 9e2ad5...), the SysWOW64 copy has a third (8e7994...), and none of them equals the submitted sample's SHA256, so each stage rewrites the file rather than copying it byte for byte. Hash-based IOCs for the dropped copies are unreliable beyond the first drop; the paths and the AppData -> SysWOW64 -> AppData sequence are the stable indicators.

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-18 13:53
Reported 2024-08-18 13:55
Platform win10v2004-20240802-en
Max time kernel 118s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe"

Signatures

Neconyd (trojan, neconyd)

Executes dropped EXE

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe             N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

UPX packed file (upx)

Twelve matches; no per-match detail (Description, Indicator, Process, Target) was recorded.

Drops file in System32 directory

Description   Indicator                        Process                                     Target
File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe  N/A

System Location Discovery: System Language Discovery (discovery)

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, once per process in the chain:
C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

The Windows 10 run triggers the same signatures as the Windows 7 run, with the same drop path and the same four-process chain, but records no WriteProcessMemory rows.

Processes

Image: C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2610bcf86b11c2f8aea5d2d8a0b9a5e0N.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Same four-stage chain as on Windows 7, including the System32 command line that WOW64 redirects to a SysWOW64 image. This run has no WriteProcessMemory table, so the PIDs in the memory dumps under Files (2496, 920, 4812, 3936, in order of first appearance) are not pinned to a specific image here.

Network

Country  Destination          Domain                       Proto
US       8.8.8.8:53           lousta.net                   udp
FI       193.166.255.171:80   lousta.net                   tcp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa  udp
US       8.8.8.8:53           73.144.22.2.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa    udp
US       8.8.8.8:53           217.106.137.52.in-addr.arpa  udp
FI       193.166.255.171:80   lousta.net                   tcp
US       8.8.8.8:53           103.169.127.40.in-addr.arpa  udp
US       8.8.8.8:53           198.187.3.20.in-addr.arpa    udp
US       8.8.8.8:53           192.142.123.92.in-addr.arpa  udp
US       8.8.8.8:53           mkkuei4kdsz.com              udp
US       64.225.91.73:80      mkkuei4kdsz.com              tcp
US       8.8.8.8:53           73.91.225.64.in-addr.arpa    udp
US       8.8.8.8:53           55.36.223.20.in-addr.arpa    udp
US       8.8.8.8:53           ow5dirasuek.com              udp
FI       193.166.255.171:80   lousta.net                   tcp
US       8.8.8.8:53           tse1.mm.bing.net             udp
US       150.171.27.10:443    tse1.mm.bing.net             tcp
US       150.171.27.10:443    tse1.mm.bing.net             tcp
US       150.171.27.10:443    tse1.mm.bing.net             tcp
US       150.171.27.10:443    tse1.mm.bing.net             tcp
US       150.171.27.10:443    tse1.mm.bing.net             tcp
US       8.8.8.8:53           57.169.31.20.in-addr.arpa    udp
FI       193.166.255.171:80   lousta.net                   tcp

Only lousta.net (four connections) and mkkuei4kdsz.com (one) are contacted in this run; ow5dirasuek.com is resolved but never connected to, unlike in the Windows 7 run. The tse1.mm.bing.net traffic on 443 is consistent with Windows 10 background activity in the sandbox image; the table does not attribute rows to processes, so it cannot be tied to the sample. Of the eleven PTR lookups, 73.91.225.64.in-addr.arpa is the reverse lookup of 64.225.91.73, the address mkkuei4kdsz.com resolved to; the other ten are for addresses that appear nowhere else in the table.
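Sandbox network tables mix the sample's traffic with resolver queries, PTR lookups and OS background noise, and the behavioral1 table above has the same shape with less noise. The script below is an added example and not part of the report: it parses the behavioral2 rows (copied inline as constructed input) and separates contacted C2 candidates from names that were only resolved, reverse lookups, and an assumed background allowlist (the resolver address and the .bing.net suffix are my assumptions, not something the report states). The PTR check ties a reverse lookup back to an address the sample actually connected to, which is how 73.91.225.64.in-addr.arpa stands out from the other ten.

```python
import re
from collections import defaultdict

# Constructed input: the behavioral2 Network rows (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
"""

# Assumptions, not facts from the report: the sandbox resolver, and domain suffixes
# treated as OS/sandbox background. Extend per environment.
RESOLVERS = {"8.8.8.8:53"}
BACKGROUND_SUFFIXES = (".bing.net",)

ROW_RE = re.compile(r"^([A-Z]{2}) (\S+) (\S+) (udp|tcp)$", re.MULTILINE)
PTR_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa")


def parse_network_rows(text):
    """(country, destination ip:port, domain, proto) per row."""
    return ROW_RE.findall(text)


def ptr_target(name):
    """For an in-addr.arpa query name return the IPv4 address it asks about, else None."""
    m = PTR_RE.fullmatch(name)
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    """Split rows into contacted hosts, DNS-only names, reverse lookups and background."""
    connected = defaultdict(set)   # domain -> {ip:port} the sandbox actually connected to
    dns_queried, background, reverse = set(), set(), {}
    for _cc, dst, dom, proto in rows:
        if dom.endswith(BACKGROUND_SUFFIXES):
            background.add(dom)
        elif (ip := ptr_target(dom)) is not None:
            reverse[dom] = ip
        elif proto == "udp" and dst in RESOLVERS:
            dns_queried.add(dom)          # a lookup, not a contact
        else:
            connected[dom].add(dst)
    contacted_ips = {d.rsplit(":", 1)[0] for dsts in connected.values() for d in dsts}
    # A PTR query for an address we also connected to belongs with the C2 set;
    # PTRs for unrelated addresses are almost always host or sandbox background.
    ptr_of_contacted = {n: ip for n, ip in reverse.items() if ip in contacted_ips}
    return {
        "connected": {d: sorted(v) for d, v in sorted(connected.items())},
        "dns_only": sorted(dns_queried - set(connected)),
        "reverse_lookups_of_contacted_ips": ptr_of_contacted,
        "reverse_lookups_other": len(reverse) - len(ptr_of_contacted),
        "background": sorted(background),
    }


if __name__ == "__main__":
    for key, value in triage(parse_network_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

The "dns_only" bucket is worth keeping separately rather than discarding: a name that resolves but is never contacted, like ow5dirasuek.com here, is still a domain the sample carries and can be blocked or sinkholed.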

Files

memory/2496-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 01507f9c34d2bcb425195c22b6709616
SHA1 79e5a722456fb50da995b42d6a7a92f681b8bbe1
SHA256 be50fac53ce2a545c5eab79e842b66b84b6eb38b642aa73e25c263241a294370
SHA512 9dd74aa2b561249219c9c9f84f9aaef233ee847d718dc97174fc5ff9ad5012cf2c061750a489670bb30de38706803e0f3fdcdb2bedcb98ec5d588b6101498cdd

memory/920-4-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2496-5-0x0000000000400000-0x000000000043E000-memory.dmp
memory/920-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe
MD5 fa176ce4775526ff072b0d42e28d251a
SHA1 83a87b5410bb5697fcde50ccc51ff8e1d800043c
SHA256 52c36340b588501df7a855304449ab419c1f7d3699f9016b34f651af400aa7b4
SHA512 4700fd6387f637c30ce55b4d161dcc4d8987124dbb81d9cac367fbd7c8fa371b1e6bd0511b70c9e00e414331f492fbf61aba7d188379f765dfc5e3aa7e995425

memory/920-13-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 b2e7b6dcb7493029d9b123ad28b40655
SHA1 9cde0e8ee0146722c65b34f2f66f60a0d970f7da
SHA256 4e738f7cf5146f85537f99cfd5a2bbbe5b12502b8e1c71fc5a6a3eb6d5fedf1f
SHA512 e708e20e53b7fe120a44e23dca3ff712e410641c72bf8ab1c9e87e200737f4925f4c2d27ee575e9523ae23f32d53463ca3ba5c1ba375fae6686058b6ff040ac5

memory/3936-18-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4812-19-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4812-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3936-20-0x0000000000400000-0x000000000043E000-memory.dmp

Entries are in the order the sandbox recorded them. The first Roaming drop (SHA256 be50fa...) is byte-identical to the first drop in the Windows 7 run, so that hash is a usable file IOC for the first stage. The SysWOW64 copy (52c363...) and the second Roaming copy (4e738f...) differ from their Windows 7 counterparts (8e7994... and 9e2ad5...), so the later stages rewrite the file on every run and their hashes are not worth pinning. Only the 0x400000-0x43E000 image region (0x3E000 bytes) was dumped for each of the four PIDs in this run.
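Taken together, the two Files sections show which dropped-file hashes survive across runs. The script below is an added example and not part of the report: it takes the six dropped-file records from both runs (constructed inline from the hashes above), normalises the paths (the report prints them with and without a drive letter, and the profile name is sandbox-specific), and reports per path how many distinct hashes were seen, which hashes recur in every run, and whether any copy matches the submitted sample. Function and constant names are mine.

```python
from collections import defaultdict

# SHA256 of the submitted sample, from the report header.
PARENT_SHA256 = "3cd00bd31b753d832e83b5c7d1f7fca948706dd01144621a4a019322910e47c5"
RUNS = ("behavioral1", "behavioral2")

# Constructed from the two Files sections: (run, path as the report prints it, sha256).
DROPPED = [
    ("behavioral1", r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "be50fac53ce2a545c5eab79e842b66b84b6eb38b642aa73e25c263241a294370"),
    ("behavioral1", r"\Windows\SysWOW64\omsecor.exe",
     "8e799452a393cb492a1f595f6b6f6e21141a059db9a437a574726c6a6917eb5d"),
    ("behavioral1", r"\Users\Admin\AppData\Roaming\omsecor.exe",
     "9e2ad5ee5014a34333a60d28ca69ab3ec78e89499e6a39494542c65adaa91934"),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "be50fac53ce2a545c5eab79e842b66b84b6eb38b642aa73e25c263241a294370"),
    ("behavioral2", r"C:\Windows\SysWOW64\omsecor.exe",
     "52c36340b588501df7a855304449ab419c1f7d3699f9016b34f651af400aa7b4"),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "4e738f7cf5146f85537f99cfd5a2bbbe5b12502b8e1c71fc5a6a3eb6d5fedf1f"),
]


def normalize_path(path):
    """Case-fold, drop an optional drive letter, and replace the profile name under
    the Users directory with <user>, so one drop matches with or without a drive
    prefix and on any victim host."""
    p = path.lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    parts = p.split("\\")
    if len(parts) > 2 and parts[1] == "users":
        parts[2] = "<user>"
    return "\\".join(parts)


def group_by_path(records):
    """normalized path -> {sha256: sorted list of runs it was seen in}."""
    seen = defaultdict(lambda: defaultdict(set))
    for run, path, sha in records:
        seen[normalize_path(path)][sha].add(run)
    return {p: {s: sorted(r) for s, r in hashes.items()} for p, hashes in seen.items()}


def ioc_assessment(records, parent_sha256=PARENT_SHA256, runs=RUNS):
    """Per dropped path: how many distinct hashes were seen, which hashes recur in
    every run (the only ones worth shipping as file IOCs), and whether any copy is
    byte-identical to the parent."""
    out = {}
    for path, hashes in group_by_path(records).items():
        out[path] = {
            "distinct_hashes": len(hashes),
            "stable_hashes": sorted(s for s, r in hashes.items() if set(r) == set(runs)),
            "matches_parent": parent_sha256 in hashes,
        }
    return out


if __name__ == "__main__":
    for path, verdict in ioc_assessment(DROPPED).items():
        print(path, verdict)
```

With two runs the "stable" test is weak evidence; the same function over a dozen detonations of related samples is what justifies promoting a dropped-file hash to a blocklist entry.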