Malware Analysis Report

2024-11-16 12:58

Sample ID 240818-z98dssybrj
Target 08f7af31a6ca42eded90eab08318e890N.exe
SHA256 0b617e1490512f32019e189fab1218f24ff7a80f966a7b74e2cb5c947bb62cec
Tags
neconyd discovery trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

0b617e1490512f32019e189fab1218f24ff7a80f966a7b74e2cb5c947bb62cec

Threat Level: Known bad

The file 08f7af31a6ca42eded90eab08318e890N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan upx

Neconyd family

Neconyd

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-18 21:26

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-18 21:26

Reported

2024-08-18 21:28

Platform

win7-20240704-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2956 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2776 wrote to memory of 1444 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe

"C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp

Files

memory/2192-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2ce6b264eec58ad040f9e544298cf1d3
SHA1 b245acfc3858242b4a0f27a0da969cb77d42b1ec
SHA256 10f50d48c9656c6a13fec386f82fd69f2e316275d0119a2af381ade08bf34082
SHA512 eb1b94fe24d834c323bebd9723e0e2884cb1d72ca8744d433b355f1eccce2144c5dd84897f99932ea6427dd14d08607c5cc4110aa7bf3f12b9806eca89b10a52

memory/2956-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2192-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2192-4-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2956-13-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 de151d2fb3a5b32472bd9ddc784dd5a1
SHA1 bed906fdf3c900b9600eedf5d4d15680f12ad86e
SHA256 d966b851b5eead6b75482cf02460d71c79e5f5d6e6046e01e4028179a8af0814
SHA512 62c67fda8250d001dea5d6b08d6170048f87681faf926518e7ecee352c3a7b1bda9288f9f3d1a07b88283f2d427d928df9f6f97b48ae984f3657245f66afa7c9

memory/2956-19-0x00000000002A0000-0x00000000002DE000-memory.dmp

memory/2956-24-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8da42f22b567b9dfc42ffbe527ad0cea
SHA1 cfa6a70ac55f14ba710fbaab7fb1b5801dba259f
SHA256 2e6c3c59066818c82bed1d5f0bfd7e65c6fe34be9a4858c558e8e9ffc38d294a
SHA512 d446db2a8a085092be3be501c8a6abd37b3ee13c2ddd9cfbe19895d554d3d15df7391e14ae2c967dc14d87709e75105135c21bf84cd930f3cfb731913eb701ee

memory/2776-34-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1444-36-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2776-38-0x00000000001B0000-0x00000000001EE000-memory.dmp

memory/1444-39-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-18 21:26

Reported

2024-08-18 21:28

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe

"C:\Users\Admin\AppData\Local\Temp\08f7af31a6ca42eded90eab08318e890N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/2548-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2ce6b264eec58ad040f9e544298cf1d3
SHA1 b245acfc3858242b4a0f27a0da969cb77d42b1ec
SHA256 10f50d48c9656c6a13fec386f82fd69f2e316275d0119a2af381ade08bf34082
SHA512 eb1b94fe24d834c323bebd9723e0e2884cb1d72ca8744d433b355f1eccce2144c5dd84897f99932ea6427dd14d08607c5cc4110aa7bf3f12b9806eca89b10a52

memory/3232-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2548-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3232-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 047f0b500e103a71b9aab944fa6fd20f
SHA1 56d33c0be1c047c9a14037b81b0dd26670e7b069
SHA256 6f6ff46db24f8be694e323b0d887b1e733ef0457895e6b7ffeabbe07888d373d
SHA512 8f22966126c93229a246b422289f397c1304a64d9f5bd96f34049f07dbba3c88e126c65688d1ac8b0324f9fe31dbc0b32d0e3e2a24bd2ce9bb88ee7de2581548

memory/2956-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3232-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2956-14-0x0000000000400000-0x000000000043E000-memory.dmp