Malware Analysis Report

2024-11-16 12:58

Sample ID: 240819-bzt7eszgjp
Target: 3af4c90be05e1f0a645d05215d226870N.exe
SHA256: 08e1f7a0db3395be8b5b2eea71f6614470012f945a7b24bb03b694808ce1b10d
Tags: upx neconyd discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 08e1f7a0db3395be8b5b2eea71f6614470012f945a7b24bb03b694808ce1b10d

Threat Level: Known bad

The file 3af4c90be05e1f0a645d05215d226870N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd

Neconyd family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-19 01:35

Signatures

Neconyd family
neconyd

UPX packed file
upx
Description | Indicator | Process | Target
(no indicator details recorded; all columns N/A)

Unsigned PE
Description | Indicator | Process | Target
(no indicator details recorded; all columns N/A)
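The two static signatures above, "UPX packed file" and "Unsigned PE", are verdicts a triage script can reproduce from the PE headers alone: UPX renames the sections to UPX0/UPX1 and leaves UPX0 with no raw file data, and an unsigned image has an empty Authenticode (security) data directory. The following Python is an added example written for this page, not code from the sandbox's signature engine. It builds a minimal PE32 header as constructed input (the section names, the 0x400000-0x43E000 image range copied from this report's memory dump names, and the certificate-table placeholder are illustrative), then parses the section table and the data directory to reach the same two verdicts.

```python
import struct

# PE32 layout constants (offsets from the PE/COFF specification).
DOS_HEADER_SIZE = 64
COFF_HEADER_SIZE = 20
OPT_HEADER_SIZE = 224        # PE32 optional header including 16 data directories
SECTION_HEADER_SIZE = 40
SECURITY_DIR_INDEX = 4       # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode signature


def build_pe(section_names, signed=False, image_base=0x400000, size_of_image=0x3E000):
    """Constructed test input: a minimal PE32 header with the given section names.

    The defaults reproduce the image range seen in this report's memory dumps
    (0x400000-0x43E000). No code is emitted; only headers are built.
    """
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       OPT_HEADER_SIZE, 0x0102)                        # i386, executable image
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    if signed:   # point the security directory at a fictional certificate table
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, 0x1000, 0x800)
    sections = b""
    for i, name in enumerate(section_names):
        raw_size = 0 if name == "UPX0" else 0x1000   # UPX0 holds no file data
        sections += struct.pack("<8sIIIIIIHHI", name.encode(), 0x2000,
                                0x1000 * (i + 1), raw_size, 0x400 * (i + 1),
                                0, 0, 0, 0, 0xE0000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_pe(data):
    """Read the fields the static signatures need from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 4 + COFF_HEADER_SIZE
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt_off + 56)[0]
    ndirs = struct.unpack_from("<I", data, opt_off + 92)[0]
    sec_size = 0
    if ndirs > SECURITY_DIR_INDEX:
        _, sec_size = struct.unpack_from("<II", data, opt_off + 96 + 8 * SECURITY_DIR_INDEX)
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsec):
        name, vsize, _, raw = struct.unpack_from("<8sIII", data, sec_off + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw))
    return {"machine": machine, "image_base": image_base, "size_of_image": size_of_image,
            "security_dir_size": sec_size, "sections": sections}


def static_verdict(data):
    """Reproduce the report's 'UPX packed file' and 'Unsigned PE' checks."""
    info = parse_pe(data)
    names = [s[0] for s in info["sections"]]
    # UPX leaves its first section with a virtual size but no raw data; a packer
    # that renames its sections would defeat the name check, so both are reported.
    first_virtual_only = (bool(info["sections"]) and info["sections"][0][1] > 0
                          and info["sections"][0][2] == 0)
    return {
        "upx_packed": any(n.startswith("UPX") for n in names),
        "first_section_virtual_only": first_virtual_only,
        "unsigned": info["security_dir_size"] == 0,
        "image_range": (info["image_base"], info["image_base"] + info["size_of_image"]),
        "sections": names,
    }
```

An empty security directory means the file carries no embedded Authenticode signature; a catalog-signed Windows binary looks the same to this check, so treat "unsigned" as a triage hint rather than proof of tampering. The parser stops at PE32 on purpose, since the sample and its dropped copies run as 32-bit (SysWOW64) processes.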

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-19 01:35
Reported: 2024-08-19 01:37
Platform: win7-20240729-en
Max time kernel: 116s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(12 matches, no indicator details recorded; all columns N/A)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2124 wrote to memory of 2348 (reported 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 3016 (reported 4 times) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3016 wrote to memory of 2708 (reported 4 times) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
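The WriteProcessMemory rows above describe a three-hop chain: the original sample writes into the omsecor.exe copy in the user's Roaming folder, that copy writes into the copy it dropped in SysWOW64, and the SysWOW64 copy writes into a further Roaming instance. The following Python is an added example written for this page, not code from the sandbox vendor. It parses the rows exactly as the report prints them (the input strings are the report's own rows, embedded here as constructed sample input), reconstructs the writer-to-target chain, and flags each unique edge with two rules that are this example's own assumptions: the target image lives under a user profile, or the target image was dropped by the writer's own image, correlated with the "Drops file in System32 directory" row.

```python
import re
from collections import Counter

# Constructed sample input: the rows from this report's "Suspicious use of
# WriteProcessMemory" and "Drops file in System32 directory" tables (behavioral1).
WRITE_ROWS = r"""
PID 2124 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2124 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2124 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2124 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2348 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2348 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2348 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3016 wrote to memory of 2708 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3016 wrote to memory of 2708 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3016 wrote to memory of 2708 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3016 wrote to memory of 2708 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
"""
FILE_ROWS = r"""
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")


def parse_writes(text):
    """Return one (writer_pid, target_pid, writer_image, target_image) per row."""
    out = []
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return out


def parse_file_creates(text):
    """Return {created_path: image of the creating process}, lower-cased."""
    out = {}
    for line in text.strip().splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            out[m.group(1).lower()] = m.group(2).lower()
    return out


def injection_chain(writes):
    """Follow cross-process writes from the root, a PID nobody wrote into.

    One target per writer is kept (first seen), which is enough for the linear
    chain in this report; a branching tree would need a list per writer.
    """
    edges = {}
    for src, dst, _, _ in writes:
        edges.setdefault(src, dst)
    targets = set(edges.values())
    roots = [p for p in edges if p not in targets]
    chain, pid = [], (roots[0] if roots else None)
    while pid is not None and pid not in chain:
        chain.append(pid)
        pid = edges.get(pid)
    return chain


def flag_writes(writes, created):
    """One finding per unique writer->target edge, with the reasons it is suspicious."""
    counts = Counter((s, d) for s, d, _, _ in writes)
    images = {(s, d): (wi, ti) for s, d, wi, ti in writes}
    findings = []
    for (src, dst), n in counts.items():
        writer, target = images[(src, dst)]
        reasons = []
        if target.lower().startswith("c:\\users\\"):
            reasons.append("target image lives under a user profile")
        if created.get(target.lower()) == writer.lower():
            reasons.append("target image was dropped by the writer's own image")
        if reasons:
            findings.append({"writer": src, "target": dst, "calls": n, "reasons": reasons})
    return findings
```

On this input every edge is flagged and the chain comes back as 2124, 2348, 3016, 2708. The second rule is the stronger one for a host-based detection: a process writing into a child whose image it created moments earlier is rarely legitimate outside installers, whereas writes into user-profile binaries also occur with some updaters and need an allowlist.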

Processes

C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe
    "C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2124-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 81e8fb10bfac735b839e186a8ed9a2fa
SHA1 020a6c104be18704815e36a6d1b6a68136112e92
SHA256 a329994d02727bd0de8cae4533c9ea1c789ee151cc6b570dd84b0b966780a896
SHA512 6c4f05fd26231cc3b7faf0a317da41bc03a70fe81bb51a2f1db8450399fcde6881ebb62b41e828a1b50a08d557272803a695a358ae191bdea3a29fded58e1a20

memory/2348-10-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2124-8-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2348-12-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 c66e3dfb27367b80d4ff9e679f1e2a0f
SHA1 72e448b83f063dfe227263889ab6da63b02d0aff
SHA256 989bdc4c3430752b92f969997ac9d4ab3fbd0aeb98b129719e053f59bd6f0650
SHA512 0306c5d97a8a12dfd2b15f90c830f9d9f8c64a5ba62bbf051d99e9b150cfd3f0447223b7dcf4a977be2572126a7446e0fafd170d0146f5f6b28223a0913f7cd7

memory/2348-17-0x0000000000310000-0x000000000034E000-memory.dmp

memory/2348-24-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 bc2b620cc350e37692d39056ae6e83ca
SHA1 444be35e0f6222e53cc8b78b72537834f6ed4437
SHA256 a309a37d6ac6f197065b0f68102a413b8f97f76a3f1afaab0c2b56d016478e03
SHA512 e03f9dfeb3d419dd5cc696948456efecf141b0f078b2e5966e31acc4ae2e3e6467b39891e2226269ef2b10534f1d334bdb947c0af551b4042968c41822fa0dc8

memory/2708-35-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3016-33-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2708-37-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-19 01:35
Reported: 2024-08-19 01:37
Platform: win10v2004-20240802-en
Max time kernel: 114s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(9 matches, no indicator details recorded; all columns N/A)

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe
    "C:\Users\Admin\AppData\Local\Temp\3af4c90be05e1f0a645d05215d226870N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
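The network tables of both detonations mix three kinds of rows: DNS queries to the sandbox resolver, reverse (in-addr.arpa) lookups and background traffic of the guest OS, and the TCP connections to the sample's own hosts. The following Python is an added example written for this page, not part of the report. It parses the behavioral2 rows as printed (the table above, embedded here as constructed sample input), drops the noise, and separates names that were only resolved from endpoints that were actually contacted, with a connection count per endpoint. The resolver address and the background-domain suffixes are assumptions of this example, not facts stated by the report.

```python
import re
from collections import Counter

# Constructed sample input: the Network rows of this report's behavioral2 run,
# in the flattened "Country Destination Domain Proto" form the report uses.
NETWORK_ROWS = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
"""

# Assumptions of this example: the sandbox resolver is 8.8.8.8, and hosts the
# guest OS contacts on its own (Microsoft-owned) are treated as background noise.
SANDBOX_RESOLVERS = {"8.8.8.8"}
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")

ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+) (\S+) (tcp|udp)$")


def parse_rows(text):
    """Turn the flattened table rows into dicts; unparseable lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain.lower(), "proto": proto})
    return rows


def extract_iocs(rows):
    """Split rows into resolved names and actually contacted endpoints, dropping noise."""
    queried = set()
    contacted = {}            # domain -> Counter of (ip, port, proto)
    for r in rows:
        d = r["domain"]
        if d.endswith(".in-addr.arpa") or d.endswith(BACKGROUND_SUFFIXES):
            continue          # PTR lookups name no destination; background hosts are not IOCs
        if r["ip"] in SANDBOX_RESOLVERS and r["port"] == 53:
            queried.add(d)    # the name is an IOC, the resolver is not
            continue
        contacted.setdefault(d, Counter())[(r["ip"], r["port"], r["proto"])] += 1
    return {
        "domains": sorted(queried | set(contacted)),
        "ips": sorted({ip for c in contacted.values() for ip, _, _ in c}),
        "endpoints": contacted,
        "queried_only": sorted(queried - set(contacted)),   # resolved but never connected
    }
```

On this input the result is three domains and three IPs; lousta.net is contacted four times over the run, the repeated-contact pattern that a network rule should key on. A name in queried_only (none here) would mean the resolver answered but no connection followed, which is worth keeping as a DNS indicator even though it yields no IP.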

Files

memory/2908-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 81e8fb10bfac735b839e186a8ed9a2fa
SHA1 020a6c104be18704815e36a6d1b6a68136112e92
SHA256 a329994d02727bd0de8cae4533c9ea1c789ee151cc6b570dd84b0b966780a896
SHA512 6c4f05fd26231cc3b7faf0a317da41bc03a70fe81bb51a2f1db8450399fcde6881ebb62b41e828a1b50a08d557272803a695a358ae191bdea3a29fded58e1a20

memory/4848-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2908-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4848-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 5ddf24e7926d9b31cf3b303000065325
SHA1 2fd94459cb9ab7d20acb87e25b3eb3977a7c8be9
SHA256 0ecad4b96b38b28f40b0a78da5ef6ebe1d50c3332418469960c619056a43ccd1
SHA512 a743a864c9041cee7a2942c52d9a55664b4006cc79385d9b3f662d86e25916d553cce8477b0fa2f94dbbcdc4abbfb7c326f99b2ad7f914bc617881c2f7b6f76f

memory/2320-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4848-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2320-14-0x0000000000400000-0x000000000043E000-memory.dmp