Malware Analysis Report

2024-11-16 12:58

Sample ID 240819-mfcc2syekc
Target 8eece6f5324bf1526d6e0881d638f170N.exe
SHA256 07f5cca07cc63a5f18e9d6851d88902c49aa4447873e183482e8d399e405f172
Tags: upx neconyd discovery trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 07f5cca07cc63a5f18e9d6851d88902c49aa4447873e183482e8d399e405f172

Threat Level: Known bad

The file 8eece6f5324bf1526d6e0881d638f170N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd

Neconyd family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-19 10:24

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 10:24

Reported

2024-08-19 10:26

Platform

win7-20240729-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2084 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2000 wrote to memory of 2860 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe

"C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2848-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f7f9a1f2f66382acc65a061290ba5f04
SHA1 6ac4dbed0e0489e9838f1cb8acec1d505e25de2d
SHA256 f9d5e0817196061b67cc568d4792a55c5e8bf22b54e28f526efb9e062dfb8511
SHA512 452dd256ef4439af62687ccfec1100d87c316ed2fa676be3d323c160bd0a6a4e6eacfe9c86560858453fe356f6fb804f9e03b9e090ce3f1518d603e9352fb0fa

memory/2084-10-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2848-8-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2084-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2084-17-0x0000000000340000-0x000000000037E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 01a653e7f9aa8bfc811e1f4ff84af51f
SHA1 639cba6d629cd95ab70f7064e79df8f41b20f793
SHA256 529d89df0c8ea72d5e9e904362d7a0dc691273e76efff5b2b8f06717a3ba3745
SHA512 7c840d11232dead28bf2de8498d527e36261f3260f7cbea562482fb7789dacb6965652bca4294b3178ef3129844a34f6a240bc35563ef114347f047f557e12da

memory/2000-25-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2084-23-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 fe272471d77337aa368c3dd332719aa3
SHA1 73edc07e632735a07496781930a3f1d23fc35af1
SHA256 9d45051d123e2b379fc373f038029f18c6fcea29f9976118413a189b4455fbc9
SHA512 cc18dc52df2d8dfc918f9456f5c335d9b571b105411b9def87be63697d979c1c9d530eb16848285acec67b5f6e19f6875f101c2f4628a387ea3b7677141ffb5e

memory/2000-30-0x00000000001B0000-0x00000000001EE000-memory.dmp

memory/2860-37-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2000-36-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2860-39-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-19 10:24

Reported

2024-08-19 10:26

Platform

win10v2004-20240802-en

Max time kernel

116s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe

"C:\Users\Admin\AppData\Local\Temp\8eece6f5324bf1526d6e0881d638f170N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/1400-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f7f9a1f2f66382acc65a061290ba5f04
SHA1 6ac4dbed0e0489e9838f1cb8acec1d505e25de2d
SHA256 f9d5e0817196061b67cc568d4792a55c5e8bf22b54e28f526efb9e062dfb8511
SHA512 452dd256ef4439af62687ccfec1100d87c316ed2fa676be3d323c160bd0a6a4e6eacfe9c86560858453fe356f6fb804f9e03b9e090ce3f1518d603e9352fb0fa

memory/4244-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1400-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4244-7-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3624-11-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 2d0772cb24774f91faafa5c182fb993c
SHA1 16b3146e2d6fcd13cacf01496f38b0e9232d4e95
SHA256 a7538fcbd69678da6d0f25c59ecaca7df44f33528b2326400830c4771e19bccc
SHA512 f1ce0445c4d1768d8156531115c4f2a83b3c92ea26e9c15366014543ffaad4226aa06758afc337e3c7ea2ebb77c54ceac847721f99be787a5139968dfbbf1298

memory/4244-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3624-14-0x0000000000400000-0x000000000043E000-memory.dmp