Malware Analysis Report

2024-11-16 12:58

Sample ID 240819-j7q4qstbje
Target f83fcf0ae931037ba2da178f80abcea0N.exe
SHA256 45b26778617e32b7a051224072b3c9488cd4ee1d73d121e59ef2c302c19cb756
Tags
neconyd discovery trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

45b26778617e32b7a051224072b3c9488cd4ee1d73d121e59ef2c302c19cb756

Threat Level: Known bad

The file f83fcf0ae931037ba2da178f80abcea0N.exe was found to be: Known bad.

Malicious Activity Summary

neconyd discovery trojan upx

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-19 08:18

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 08:18

Reported

2024-08-19 08:20

Platform

win7-20240708-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2524 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2524 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2524 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2140 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2140 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2140 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2140 wrote to memory of 676 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 676 wrote to memory of 1960 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 676 wrote to memory of 1960 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 676 wrote to memory of 1960 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 676 wrote to memory of 1960 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe

"C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2524-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2a4dad62c7d50a4c571623ebc0ebe7a2
SHA1 0ac27eb9014a677d4f9e2437348d3407fc07cb69
SHA256 351f944b148816f75f3320e12eea4d276513662cb76c06e783c52c7a5ce58be6
SHA512 525da0872fd472e296cfc49350927273b706cf131ab05d53a9a3b0d6795c48f62b9dd23ca9ef8f5c1328a037860e488cb864082ad44a1b482fd1ba93b8c6068e

memory/2140-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2524-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2140-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2140-17-0x00000000005D0000-0x000000000060E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 f3278d913cb85c0334d6732b7da9f210
SHA1 c1228dd98d1aa4e07c7e32d8da483a751e4e5fb0
SHA256 8d2bfe642d721a4ceba9b47e00c33ed640e07bafd75377b5b3fb947912d9efdb
SHA512 74df2068ca5e5b28c9811553a409ec2c12efa4261cba94dec83e996079858cf26cdf858540139bbbba58236d273985334156d56089c22884c04e3f768f439bf8

memory/1960-37-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b9876abae545d9dad7ebbb915498249a
SHA1 001e97b2faa97aff156c5056914398a40cb73b2e
SHA256 ad0289b69f216722a42e3f13723127fc7db9af8e9a1733b7b7c994d17602b778
SHA512 ca6e1d7ac2f4dd11fd74253a774b48a45274627c30826ae01a7a7991db93676f35a73e65f5b9509abc913d0b6bee75577f51230c3b4c7864814805bc3ea7d11c

memory/676-34-0x0000000000400000-0x000000000043E000-memory.dmp

memory/676-25-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2140-24-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-19 08:18

Reported

2024-08-19 08:20

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe

"C:\Users\Admin\AppData\Local\Temp\f83fcf0ae931037ba2da178f80abcea0N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/864-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2a4dad62c7d50a4c571623ebc0ebe7a2
SHA1 0ac27eb9014a677d4f9e2437348d3407fc07cb69
SHA256 351f944b148816f75f3320e12eea4d276513662cb76c06e783c52c7a5ce58be6
SHA512 525da0872fd472e296cfc49350927273b706cf131ab05d53a9a3b0d6795c48f62b9dd23ca9ef8f5c1328a037860e488cb864082ad44a1b482fd1ba93b8c6068e

memory/2984-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/864-6-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2984-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 ac3990b7ec718f172ae5cf1d180d3f8b
SHA1 c00800330d39ad4d2a4af8ee9db1751f43852153
SHA256 c61a29206b8ba984031334403b20b6e134fba658ef67a363abd7a5b772f1f2a7
SHA512 bbc57865a45a964aed01c03f67d34d38afb7bd250117a47ec9d6c9956e7ff82e2c77e23b359e894ed6282fe04a7c0ba80a53b062f630788d8df0f1c50d9e8f73

memory/864-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2984-13-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e6a3890489b535fe43e01e9060f4c597
SHA1 b5c6267c87beb1ab22b18f6461424abd113e3b40
SHA256 564fa955eb1a866e1b55140fbbe9708542d747a4f85a8f3fb35b9dafc6e39b11
SHA512 b885f43c6846fbad22561c731a31dbcfaff5dfa8a4d183896aeda249884cbcbdc7eea270fdf3a46c97e6f0950b0661b101067e2fb214b7ed516a81d861fd9a0f

memory/864-17-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1412-18-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1412-20-0x0000000000400000-0x000000000043E000-memory.dmp