Malware Analysis Report

2024-11-16 12:58

Sample ID 240819-hcmmdsygrd
Target 56273b3463f33f24297a72d47b2cd370N.exe
SHA256 7c703e5bb2539d52b2a22c4bfd09667d25747c916b17e45a64f9a788da8f11c5
Tags
upx neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

7c703e5bb2539d52b2a22c4bfd09667d25747c916b17e45a64f9a788da8f11c5

Threat Level: Known bad

The file 56273b3463f33f24297a72d47b2cd370N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-19 06:35

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
(1 hit, no indicator details recorded)

Unsigned PE

Description Indicator Process Target
(2 hits, no indicator details recorded)
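The two static verdicts above (UPX packed file, Unsigned PE) are decided from the PE header alone. The following is an added example, not part of the report or of any sandbox's code, showing how both checks are made with the standard library: UPX is recognised by its UPX0/UPX1 section names, and "unsigned" means the Security data directory (where an Authenticode signature lives) is empty. build_pe constructs a header-only stand-in image so the code runs offline; it is not the sample.

```python
import struct

# Section names that stock UPX writes into the section table. A rebuilt UPX with
# renamed sections hides them, so a miss here is not proof the file is unpacked.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode signature directory
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def parse_pe(data: bytes) -> dict:
    """Walk the DOS, COFF and optional headers far enough to read the section
    names and the Security data directory. Raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        dd_offset = opt + 96      # PE32: data directories start 96 bytes into the optional header
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        dd_offset = opt + 112     # PE32+: 112 bytes in
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    _, security_size = struct.unpack_from(
        "<II", data, dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    section_table = opt + opt_size
    sections = [
        struct.unpack_from("<8s", data, section_table + 40 * i)[0].rstrip(b"\0")
        for i in range(nsections)
    ]
    return {"machine": machine, "sections": sections, "security_size": security_size}


def triage(data: bytes) -> dict:
    """The two static verdicts from the report: UPX section names present,
    and no Authenticode signature directory (Unsigned PE)."""
    pe = parse_pe(data)
    return {
        "upx_packed": bool(set(pe["sections"]) & UPX_SECTION_NAMES),
        "unsigned": pe["security_size"] == 0,
        "sections": [s.decode("latin-1") for s in pe["sections"]],
    }


def build_pe(section_names, security_size=0, pe32plus=False) -> bytes:
    """Constructed header-only PE image used as stand-in input (not the sample)."""
    magic = IMAGE_NT_OPTIONAL_HDR64_MAGIC if pe32plus else IMAGE_NT_OPTIONAL_HDR32_MAGIC
    dd_base = 112 if pe32plus else 96
    opt_size = dd_base + 16 * 8   # 16 data directories of 8 bytes each
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<II", opt, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if security_size else 0, security_size)
    sections = b"".join(struct.pack("<8s", n) + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(triage(build_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

For a real file call triage(open(path, "rb").read()). Two caveats: the name check only catches stock UPX, so pair it with a section-entropy check when the names are absent; and an empty Security directory means no embedded signature, which is the right reading for a sample in %TEMP% but would also be reported for catalog-signed Windows components.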

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 06:35

Reported

2024-08-19 06:37

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
(16 hits, no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 1936 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1936 wrote to memory of 3036 (4 writes) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3036 wrote to memory of 2976 (4 writes) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

PID 2520 C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe"

PID 1936 C:\Users\Admin\AppData\Roaming\omsecor.exe
  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PID 3036 C:\Windows\SysWOW64\omsecor.exe
  command line: C:\Windows\System32\omsecor.exe

PID 2976 C:\Users\Admin\AppData\Roaming\omsecor.exe
  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PIDs are taken from the WriteProcessMemory rows above. The third process is launched with a System32 path but runs from SysWOW64: the sample is a 32-bit executable, so the WOW64 file system redirector maps C:\Windows\System32 to C:\Windows\SysWOW64 both for the file it drops and for the copy it executes.
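The Signatures and Processes above describe one chain: the sample in %TEMP% launches omsecor.exe from %APPDATA%\Roaming, which copies itself into SysWOW64 and launches that copy, which launches the Roaming copy again, each parent writing into the memory of its child. The following is an added example, not part of the report, of a detection over process-creation events that catches the re-execution step of this chain: a process running from System32 or SysWOW64 whose ancestor ran a binary of the same name out of a user-profile directory. The event list is constructed from the PIDs and paths on this page with Sysmon-like field names; PID 1100 and the two notepad.exe events are invented stand-ins for the unknown parent of the sample and for benign noise.

```python
import ntpath
import re

# Constructed process-creation events modelled on the behavioral1 run above
# (pid, parent pid, image path). Field names mimic Sysmon Event ID 1; this is
# not a real log. PID 1100 stands in for the unknown parent of the sample.
EVENTS = [
    {"pid": 2520, "ppid": 1100, "image": r"C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe"},
    {"pid": 1936, "ppid": 2520, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"pid": 3036, "ppid": 1936, "image": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"pid": 2976, "ppid": 3036, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"pid": 4000, "ppid": 1100, "image": r"C:\Windows\System32\notepad.exe"},            # benign noise
    {"pid": 4100, "ppid": 4000, "image": r"C:\Users\Admin\AppData\Roaming\notepad.exe"},  # wrong direction, not flagged
]

USER_PROFILE_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


def ancestry(by_pid, pid):
    """Events from pid upward to the oldest ancestor we have an event for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect_profile_to_system_reexec(events):
    """Flag a process running from System32/SysWOW64 whose ancestor ran a binary
    of the same name from a user-profile directory: the dropper copied itself
    into the system directory and re-launched, as omsecor.exe does above."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not SYSTEM_DIR.match(e["image"]):
            continue
        name = ntpath.basename(e["image"]).lower()
        for anc in ancestry(by_pid, e["ppid"]):
            if USER_PROFILE_DIR.match(anc["image"]) and ntpath.basename(anc["image"]).lower() == name:
                hits.append({"pid": e["pid"], "image": e["image"],
                             "dropped_from_pid": anc["pid"], "dropped_from": anc["image"]})
                break
    return hits


def process_chain(events, pid):
    """Root-to-leaf list of image names for one pid, for the analyst's report."""
    by_pid = {e["pid"]: e for e in events}
    return [ntpath.basename(e["image"]) for e in reversed(ancestry(by_pid, pid))]


if __name__ == "__main__":
    for hit in detect_profile_to_system_reexec(EVENTS):
        print(hit["pid"], "<-", hit["dropped_from_pid"], process_chain(EVENTS, hit["pid"]))
```

The rule keys on the combination of same basename and user-profile-to-system-directory direction rather than on the name omsecor.exe, so it survives a renamed dropper; the reverse direction (a System32 binary launching something from Roaming) is common for legitimate software and is deliberately not flagged. On a live host the comparable WriteProcessMemory and "File created in SysWOW64" events would be correlated on the same PIDs to raise confidence.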

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2520-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ce7aa3954c5dcdafdbf8443875850f25
SHA1 3d5d362d4ee07bcce26666ba0a38a99581b0be8e
SHA256 d2f7023e0f5893887e70f311ae4f4c4321a857509b0ef5522ab83fc25b5a1d72
SHA512 35dd7c23b771074e71e6d3d1afd5cf4c65f48eeec3c3abfc5b22f33fc27a4f473d891b3d748ae2eee9122302deb19b00f76dd3ac553485fb5cbda192766f2897

memory/2520-9-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1936-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2520-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2520-8-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1936-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1936-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1936-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1936-24-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 0ce8cedc297e182c1494c3b83ac7eb0a
SHA1 a67a247d2e1f93e399ed453ffc34fc8000dd2745
SHA256 119c0730e11693aa2e8e7b0673d6e69c020433a534521433b72f8ae696ced20a
SHA512 8d5db0e7e1f962a6293be140ea590f2c2aafe933708b51e697c3912f08e9836b0dc1cf0869c564ea4184f4c8398d4d067812e38ff24ad647edbe2a5b03d13535

memory/1936-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3036-36-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1936-34-0x0000000000530000-0x000000000055D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 28f7b42bc3a38fa59e152eadbe67e32d
SHA1 65ce4848621354701a14a380fa9903b21460e977
SHA256 94dc7b5e601bc356095a3a6371e8dc393597a946a5cddc73e497b6fb749df6c8
SHA512 f84ff50dd9b4a9166b77df75b52dfa217a5acf4ff05a13fbd4fb162f2a29980e6f46e24c821d00d914f87a4088d8e739eced088ef78963c781ba0ab6d07eece8

memory/3036-41-0x00000000001B0000-0x00000000001DD000-memory.dmp

memory/2976-50-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3036-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1936-51-0x0000000000530000-0x000000000055D000-memory.dmp

memory/2976-52-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-19 06:35

Reported

2024-08-19 06:37

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
(12 hits, no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\56273b3463f33f24297a72d47b2cd370N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  command line: C:\Windows\System32\omsecor.exe (the 32-bit parent's System32 path is redirected to SysWOW64 by WOW64 file system redirection)

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
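The Network tables of both runs mix the sample's own traffic with sandbox background noise: reverse-DNS lookups (in-addr.arpa), Windows telemetry to bing.com and bing.net, and the resolver queries to 8.8.8.8 that precede every connection. The following is an added example, not part of the report or of any sandbox's tooling, that parses the flattened rows above, separates resolved names from endpoints actually contacted, and emits one Suricata DNS rule per domain. The embedded rows are an excerpt copied from the behavioral2 table; the noise suffix list, the resolver set and the sid range are assumptions to adjust for your environment.

```python
# Rows copied from the Network tables above (Country Destination Domain Proto);
# this excerpt mixes the sample's traffic with the sandbox's own background noise.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
"""

# Background traffic of the Windows image and sandbox, not attributable to the
# sample. Both lists are assumptions: extend them for your own sandbox image.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
SANDBOX_RESOLVERS = {"8.8.8.8"}


def parse_rows(text):
    """Yield one dict per 'Country Destination Domain Proto' row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue   # header or blank line
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        yield {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def extract_iocs(text):
    """Split the rows into names the sample resolved and endpoints it actually
    connected to, dropping reverse lookups and Microsoft telemetry."""
    resolved, contacted = set(), {}
    for row in parse_rows(text):
        if row["domain"].endswith(NOISE_SUFFIXES):
            continue
        if row["proto"] == "udp" and row["port"] == 53 and row["ip"] in SANDBOX_RESOLVERS:
            resolved.add(row["domain"])          # DNS query, not a connection to the domain
        else:
            contacted.setdefault(row["domain"], set()).add((row["ip"], row["port"], row["proto"]))
    return {
        "resolved_only": sorted(resolved - set(contacted)),   # resolved but never connected
        "contacted": {d: sorted(v) for d, v in sorted(contacted.items())},
    }


def to_suricata_dns_rules(iocs, base_sid=1000001):
    """One DNS-query rule per domain. The sid range is an assumption; pick one
    that does not collide with the rule sets you already load."""
    domains = sorted(set(iocs["contacted"]) | set(iocs["resolved_only"]))
    return [
        f'alert dns any any -> any any (msg:"Neconyd sandbox domain {d}"; '
        f'dns.query; content:"{d}"; nocase; endswith; sid:{base_sid + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    for domain, endpoints in iocs["contacted"].items():
        print(domain, endpoints)
    print("\n".join(to_suricata_dns_rules(iocs)))
```

Run against the full tables, the same three domains come out of both the Windows 7 and the Windows 10 run: lousta.net (193.166.255.171:80), mkkuei4kdsz.com (64.225.91.73:80) and ow5dirasuek.com (52.34.198.229:80), all plain HTTP. For file indicators, note from the Files sections that the Roaming copy of omsecor.exe carries the same hashes in both runs (MD5 ce7aa3954c5dcdafdbf8443875850f25) while the SysWOW64 copy differs between runs (0ce8cedc… on Windows 7, 7ddb7511… on Windows 10), so the Roaming hash and the sample's own SHA256 are the stable file indicators and the SysWOW64 hash is not.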

Files

memory/4856-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ce7aa3954c5dcdafdbf8443875850f25
SHA1 3d5d362d4ee07bcce26666ba0a38a99581b0be8e
SHA256 d2f7023e0f5893887e70f311ae4f4c4321a857509b0ef5522ab83fc25b5a1d72
SHA512 35dd7c23b771074e71e6d3d1afd5cf4c65f48eeec3c3abfc5b22f33fc27a4f473d891b3d748ae2eee9122302deb19b00f76dd3ac553485fb5cbda192766f2897

memory/4092-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4856-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4092-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4092-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4092-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4092-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 7ddb7511628fba5209fdcbac68d074be
SHA1 035d9f4eb7e47100597715e5fb50c6ec0de7a464
SHA256 c2d1a10d73d708777123c0712d1c6b6d549c7f35715e572b632637137078057f
SHA512 d83d7f80600addbe063d321672131dec810c3f364ec337948a30a4ff781c73205f06cd38e5a4ef49338efbfa0e80fbb04cc8f4a05dd5be44f5f51e00dbbfd573

memory/2756-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4092-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2756-23-0x0000000000400000-0x000000000042D000-memory.dmp