Malware Analysis Report

2024-11-16 12:58

Sample ID 240819-pxlddsvbmc
Target 4f8b5ded61b51de6d2d27f0e2a473a30N.exe
SHA256 feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707
Tags
upx neconyd discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

feb4e600299722d15fa622c2bb7ad6c8a17560729c509544fed85cba950bb707

Threat Level: Known bad

The file 4f8b5ded61b51de6d2d27f0e2a473a30N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Discovery: T1614.001 System Location Discovery: System Language Discovery. This is the only technique mapped on this page; it corresponds to the NLS\Language registry key reads recorded under the behavioral signatures below.

Analysis: static1

Detonation Overview

Reported

2024-08-19 12:42

Signatures

Neconyd family

neconyd

UPX packed file

upx
No per-indicator detail recorded for this hit.

Unsigned PE

No per-indicator detail recorded for this hit.
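The two static1 hits above, "UPX packed file" and "Unsigned PE", are the kind of verdict a sandbox derives from the PE header alone. The following script is an added example written for this page, not part of the report or of any sandbox's own code: it parses a PE header with the standard library, flags the default UPX section names, and reads the Authenticode (security) data directory to decide whether a signature blob is present at all. The PE it builds is a constructed header-only stand-in; the real sample's section table is not shown on this page, so nothing here asserts what its sections were called.

```python
import struct

# Index of the Authenticode certificate table in the optional header's data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
# Section names the stock UPX packer writes. Renamed sections defeat this check, so it is
# a heuristic, not proof of packing.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}


def build_minimal_pe(section_names, signed=False):
    """Constructed header-only PE32 image for testing the parser (no real code or data)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)            # offset of the PE signature
    size_opt = 224                                           # PE32 optional header, 16 data dirs
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE | 32BIT)
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    opt[0:2] = struct.pack("<H", 0x10B)                      # PE32 magic
    opt[92:96] = struct.pack("<I", 16)                       # NumberOfRvaAndSizes
    if signed:
        # Security directory: file offset and size of a (fictional) WIN_CERTIFICATE blob
        opt[96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY:96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY + 8] = \
            struct.pack("<II", 0x1000, 0x800)
    # 40-byte IMAGE_SECTION_HEADER per section; only the name matters for this example
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, 0xE0000020)
        for i, name in enumerate(section_names)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_pe(data):
    """Return machine type, section names and the security data directory of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec = struct.unpack_from("<HH", data, pe_off + 4)
    size_opt = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dd_off = opt_off + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ layout
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_va, sec_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    else:
        sec_va, sec_size = 0, 0                              # directory absent: cannot be signed
    table = opt_off + size_opt
    sections = []
    for i in range(nsec):
        name, = struct.unpack_from("<8s", data, table + 40 * i)
        sections.append(name.rstrip(b"\0"))
    return {"machine": machine, "sections": sections, "security_dir": (sec_va, sec_size)}


def static_signatures(data):
    """Reproduce the two static1 verdicts from the header: UPX section names, no Authenticode blob."""
    info = parse_pe(data)
    hits = []
    if any(name in UPX_SECTION_NAMES for name in info["sections"]):
        hits.append("UPX packed file")
    if info["security_dir"][1] == 0:
        hits.append("Unsigned PE")
    return hits


if __name__ == "__main__":
    print(static_signatures(build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

Two caveats when applying this to a real sample: a non-zero security directory only shows that a certificate blob is attached, not that it verifies against a trusted chain, and UPX section names are trivially renamed, so pair the name check with the "UPX!" header magic or section entropy before trusting an "unpacked" result.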

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 12:42

Reported

2024-08-19 12:44

Platform

win7-20240705-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
12 hits, none with per-indicator detail recorded.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2112 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2112 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2112 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2420 wrote to memory of 1808 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2420 wrote to memory of 1808 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2420 wrote to memory of 1808 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2420 wrote to memory of 1808 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
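The table above repeats each parent-to-child write four times and lists PIDs rather than stages, so the execution order has to be reconstructed by the reader. The script below is an added example for this page, not part of the report: it parses the rows exactly as printed, collapses the repeats into a write count per edge, finds the root process (the only PID that is never a target) and walks the chain to the last stage. The row text is copied from the behavioral1 table; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral1 "Suspicious use of WriteProcessMemory" table of this report.
# Each row: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
WRITE_ROWS = r"""
PID 2112 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2112 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2112 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2112 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 580 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2420 wrote to memory of 1808 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2420 wrote to memory of 1808 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2420 wrote to memory of 1808 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2420 wrote to memory of 1808 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")


def parse_rows(text):
    """Collapse repeated rows into (src_pid, dst_pid) -> write count; remember each PID's image path."""
    edges = defaultdict(int)
    image = {}
    for m in ROW_RE.finditer(text):
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), int(dst))] += 1
        image[int(src)] = src_img
        image[int(dst)] = dst_img
    return dict(edges), image


def build_chain(text):
    """Order the processes from the root (never a write target) down to the last stage.

    Returns [(pid, image_path, writes_received), ...] and raises if the graph is not one linear chain,
    which would mean a stage spawned several children and needs a tree, not a list.
    """
    edges, image = parse_rows(text)
    children = defaultdict(list)
    received = defaultdict(int)
    for (src, dst), n in edges.items():
        children[src].append(dst)
        received[dst] += n
    roots = [pid for pid in image if pid not in received]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain, pid = [], roots[0]
    while True:
        chain.append((pid, image[pid], received[pid]))
        kids = children.get(pid, [])
        if not kids:
            return chain
        if len(kids) > 1:
            raise ValueError(f"PID {pid} wrote to several children {kids}; not a linear chain")
        pid = kids[0]


def reused_images(chain):
    """Image paths that occur at more than one stage (here the Roaming copy, stages 2 and 4)."""
    seen = defaultdict(list)
    for stage, (_, img, _) in enumerate(chain, 1):
        seen[img].append(stage)
    return {img: stages for img, stages in seen.items() if len(stages) > 1}


if __name__ == "__main__":
    chain = build_chain(WRITE_ROWS)
    for stage, (pid, img, n) in enumerate(chain, 1):
        print(f"stage {stage}: PID {pid:<5} {img}  ({n} write events received)")
    print("reused images:", reused_images(chain))
```

Read against the rest of this section, the chain is 4f8b5ded61b51de6d2d27f0e2a473a30N.exe (2112) to Roaming\omsecor.exe (580) to SysWOW64\omsecor.exe (2420) and back to Roaming\omsecor.exe (1808). Every write target is one of the three entries under "Executes dropped EXE", so the writes line up with each stage launching the next; the report records no write into a process the sample did not itself start.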

Processes

Image C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe
Command line "C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe"

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Image C:\Windows\SysWOW64\omsecor.exe
Command line C:\Windows\System32\omsecor.exe
(The command line names System32, but the image that runs is the SysWOW64 copy: the parent is a 32-bit process, so WOW64 file system redirection maps its System32 path to SysWOW64. The same redirection is why "Drops file in System32 directory" records the file under C:\Windows\SysWOW64.)

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2112-0-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 795a05ea0a425d39884d9c4208eb97c1
SHA1 3c73418c3cbb03e1d1b3fd8013592f3a37cc0e6d
SHA256 c404c802a258fd59508f2dcf9413a8dfee514536b62ada156d0ee74e2b216c17
SHA512 55682933038eae5bff03445095395f883ea7df84d65753dcc70a2a073af3bcf4e634e59be3a61833eda48ff852fec011341744e2ddeb04b57891c86c81c6288a

memory/2112-4-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/2112-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/580-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2112-10-0x00000000003C0000-0x00000000003FE000-memory.dmp

memory/580-14-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 ae6f0b928ca26be64f734eb0ff37ae6e
SHA1 511ff1c9568b6e90f3aba9ef366bf540b6f12506
SHA256 4d959b2f8ce32d54e5717a915a6f66f4e0eb2d005615424cb370f9412c072613
SHA512 cec89a4f6f578711f969cd01d2636adc3dbccd3e4679d9c80cbe8c99a26e37dfb1b859a1482b4d1288667f82da29329e730defc48673d512becb92adaf657a98

memory/2420-29-0x0000000000400000-0x000000000043E000-memory.dmp

memory/580-26-0x0000000000400000-0x000000000043E000-memory.dmp

memory/580-20-0x0000000000280000-0x00000000002BE000-memory.dmp

memory/2420-32-0x0000000000260000-0x000000000029E000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6820478f28bae667442e0ab68a7c6def
SHA1 82f1f543fc7a3acc19db33a9df8030daf521b817
SHA256 854a233b0716bee7324222f319a9a755b953082a5b8e7a44669914e4ad852c7b
SHA512 764ff72cffb930dab70b468c1b749f2e57844f661e412d9cb5b097f64b2e2b91fb9a62ca7cba9edf36f9e6bab1b1087a901eb8e43357f943b14656d216cde42d

memory/1808-38-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1808-40-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-19 12:42

Reported

2024-08-19 12:44

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
12 hits, none with per-indicator detail recorded.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Image C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe
Command line "C:\Users\Admin\AppData\Local\Temp\4f8b5ded61b51de6d2d27f0e2a473a30N.exe"

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Image C:\Windows\SysWOW64\omsecor.exe
Command line C:\Windows\System32\omsecor.exe
(As in behavioral1: the 32-bit parent asks for System32 and WOW64 file system redirection resolves it to the SysWOW64 copy.)

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
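The Windows 10 capture above mixes the sample's traffic with activity of the guest itself: the in-addr.arpa rows are reverse (PTR) lookups, and tse1.mm.bing.net over 443 is Windows 10 background traffic that is absent from the Windows 7 run in behavioral1. The script below is an added example for this page, not part of the report or of any sandbox's tooling: it reads the table rows as printed, separates DNS control traffic from real flows, reverses each PTR name back to its IP and checks which of those IPs the sample actually connected to. The rows are copied from the behavioral2 table; the OS_BASELINE_SUFFIXES allow-list is an assumption of this example and in practice should come from a clean-VM capture.

```python
from collections import defaultdict

# Rows copied from the behavioral2 Network table of this report (Country Destination Domain Proto).
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
"""

# Assumed allow-list of hosts the Windows 10 guest contacts on its own (example value;
# derive it from a clean-VM baseline capture in practice).
OS_BASELINE_SUFFIXES = (".bing.net",)


def ptr_to_ip(name):
    """'229.198.34.52.in-addr.arpa' -> '52.34.198.229'; None if the name is not a v4 PTR name."""
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def is_baseline(domain):
    return domain.endswith(OS_BASELINE_SUFFIXES)


def triage(text):
    """Split the flow table into sample candidates, OS baseline traffic and PTR correlation."""
    endpoints = defaultdict(set)    # domain -> {(ip, port, proto)} for non-DNS flows
    connections = defaultdict(int)  # domain -> number of non-DNS flows
    ptr_targets = set()             # IPs that something in the guest reverse-resolved
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            ip_from_ptr = ptr_to_ip(domain)
            if ip_from_ptr:
                ptr_targets.add(ip_from_ptr)
            continue  # forward lookups are implied by the flows that follow them
        endpoints[domain].add((ip, int(port), proto))
        connections[domain] += 1
    ip_to_domain = {ip: d for d, eps in endpoints.items() for ip, _, _ in eps}
    return {
        "candidates": {d: eps for d, eps in endpoints.items() if not is_baseline(d)},
        "baseline": {d: eps for d, eps in endpoints.items() if is_baseline(d)},
        "connections": dict(connections),
        # PTR lookups whose IP the sample also connected to: the reverse lookup names the C2 host
        "ptr_confirmed": {ip: ip_to_domain[ip] for ip in sorted(ptr_targets) if ip in ip_to_domain},
        # PTR lookups with no matching flow: guest/OS activity, not attributable to the sample
        "ptr_only": sorted(ptr_targets - set(ip_to_domain)),
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for domain, eps in result["candidates"].items():
        print(f"{domain}: {sorted(eps)} ({result['connections'][domain]} connections)")
    print("PTR-confirmed:", result["ptr_confirmed"])
```

On this table the sample's own contacts reduce to three hosts on port 80 (lousta.net, mkkuei4kdsz.com and ow5dirasuek.com), the same three seen in behavioral1, with lousta.net contacted four times. Two of the PTR lookups reverse exactly the IPs of mkkuei4kdsz.com and ow5dirasuek.com; the remaining PTR names and the bing.net flows have no matching sample connection and should be excluded from any indicator list built from this run.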

Files

The first-stage drop C:\Users\Admin\AppData\Roaming\omsecor.exe has the same MD5, SHA1, SHA256 and SHA512 here as in behavioral1, while the SysWOW64 copy and the second Roaming copy hash differently between the two runs. Only the first-stage file hashes are therefore stable file indicators for this sample; the later stages must be matched on path and behaviour.

memory/3104-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 795a05ea0a425d39884d9c4208eb97c1
SHA1 3c73418c3cbb03e1d1b3fd8013592f3a37cc0e6d
SHA256 c404c802a258fd59508f2dcf9413a8dfee514536b62ada156d0ee74e2b216c17
SHA512 55682933038eae5bff03445095395f883ea7df84d65753dcc70a2a073af3bcf4e634e59be3a61833eda48ff852fec011341744e2ddeb04b57891c86c81c6288a

memory/3852-4-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3104-5-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3852-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 33fd7f7ad2095c91d62e0c5ae4268ce6
SHA1 9274a1d9ba6c9fc5ed6e15e4087395c504946a78
SHA256 12b68ec9ce77ffd5d923d4b8b000cd739b2550b9ae84c57387be752064fa783d
SHA512 bb5c391e9f99331784fcd19b0d0b5a7db699a7c64a60c996f85c7fd0b44ecc74cdc7c597c348397ff41675a26e6d4c6072b7a831ec0eccbd715f336322f2e935

memory/3852-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4916-11-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 abd192b4a64298a5427850694a21ef96
SHA1 8f26e4876a37fbf6142ecb91f17fc441716c5987
SHA256 334b40a9df4a5e027483a0c44f70fbb00779801aecfe355a5646ef3b01205546
SHA512 a8d8f49b3af76eaf684eec4ef0abf671e1bc8390924979dd73df7e7a95f6eada2246553a0c9c9e75ad31a252e0a58005c9907fb608be0b97e57e9e94f38dd6a1

memory/1668-18-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4916-17-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1668-20-0x0000000000400000-0x000000000043E000-memory.dmp