Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-sbtpesyfmb
Target 75e4864ae7901aef12051eef9c215110N.exe
SHA256 97b5ab3137ee3b3bf7b8c840ec89487951e4ebb86454a7aabd0605f301e322d1
Tags
upx neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

97b5ab3137ee3b3bf7b8c840ec89487951e4ebb86454a7aabd0605f301e322d1

Threat Level: Known bad

The file 75e4864ae7901aef12051eef9c215110N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 14:57

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 14:57

Reported

2024-08-18 14:59

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2640 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2640 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2640 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2640 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1868 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1868 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1868 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1868 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2616 wrote to memory of 2940 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2616 wrote to memory of 2940 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2616 wrote to memory of 2940 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2616 wrote to memory of 2940 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe

"C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2640-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dace5c7936c67d52267a2da8a90fb18d
SHA1 c36e1ae6a38169bdbf8f34f9500cfd2ea45cf1cd
SHA256 84313a73921ea31fd0f27f322a60e7c961a776a62c8e241a4c7b697655e3e801
SHA512 1ce8b02454cde8dfc4abd6fe3a52367a60f6abee5cb2e6be8ece818c28a0529a83620a9209b2f415571ec75ce248be0d081555aee3b43b6579fb32f5a4523f55

memory/1868-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2640-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1868-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1868-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1868-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1868-23-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1868-26-0x0000000000370000-0x000000000039D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 b83a477276a2f3ef244838c4a0df25f9
SHA1 a331eecc78300bd678b9fbaa72b38d851fb7cd2a
SHA256 7e4f4d30c979bfeca3c2713f38ea6c88fb0e7e06d68e54f939932b06faea5cea
SHA512 864b909f875c4ec68ebb270f165dd9f084486ef10f00945aff037c495862da9ed5fe872191f3b55079232d4db6d6f9a139022e7c5829ad73297dbf155cb9ea09

memory/1868-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1868-35-0x0000000000370000-0x000000000039D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 37aef8f01a21c76d9e1c8e94301546e1
SHA1 3bc87649523b566db45c70204af96c74835f5cba
SHA256 786391c7554efc02ee5bbed85bea14f6169fa649c6caa00e1457fae4ca010e95
SHA512 462b9c89f45e97cda7c19b329084f663740a3d8a2afd3cacf2424eaba986accc9a560ea5b5f0c1bbac1cbacbc04de5faaed3a923cb871dd8cb021a0306f73660

memory/2616-40-0x0000000000250000-0x000000000027D000-memory.dmp

memory/2616-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2940-49-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 14:57

Reported

2024-08-18 14:59

Platform

win10v2004-20240802-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe

"C:\Users\Admin\AppData\Local\Temp\75e4864ae7901aef12051eef9c215110N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/4968-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dace5c7936c67d52267a2da8a90fb18d
SHA1 c36e1ae6a38169bdbf8f34f9500cfd2ea45cf1cd
SHA256 84313a73921ea31fd0f27f322a60e7c961a776a62c8e241a4c7b697655e3e801
SHA512 1ce8b02454cde8dfc4abd6fe3a52367a60f6abee5cb2e6be8ece818c28a0529a83620a9209b2f415571ec75ce248be0d081555aee3b43b6579fb32f5a4523f55

memory/552-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4968-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/552-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/552-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/552-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/552-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 0fe651b60d38d1566ae73fbb92b92445
SHA1 6d3ce9d39860d54acbbe5c00c18ed08796300a37
SHA256 3b94a00e5393036f324fcfb62eb5c3f2820169ff8b376960bec52a06677e1106
SHA512 fb92f1cbe77e5b90b2b839f0d4a69bacf525d02373825f7016cc51a02893e0e5e88e44a1914762cccb3e7e2f447a880fd3b4e784c740521000a3443829722b7d

memory/4456-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/552-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4456-22-0x0000000000400000-0x000000000042D000-memory.dmp