Malware Analysis Report

2024-11-16 12:58

Sample ID 240819-pyebgavbqa
Target a00fe3a2c55cd63807c35ccf89171830N.exe
SHA256 06d6b7a7a3a0e29902f581826dc400375327c0737f12e6c7155c6fdde56373a1
Tags
upx neconyd discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

06d6b7a7a3a0e29902f581826dc400375327c0737f12e6c7155c6fdde56373a1

Threat Level: Known bad

The file a00fe3a2c55cd63807c35ccf89171830N.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd discovery trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-19 12:43

Signatures

Neconyd family

neconyd

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 12:43

Reported

2024-08-19 12:45

Platform

win7-20240704-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2796 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2796 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2796 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2776 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2776 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2776 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2776 wrote to memory of 992 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 992 wrote to memory of 680 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 992 wrote to memory of 680 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 992 wrote to memory of 680 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 992 wrote to memory of 680 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe

"C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/2796-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2796-4-0x0000000000220000-0x000000000024D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 bb782486b12b057300bc6245995d6649
SHA1 a51d6bd1925b7ceed4f312923b89b7af6b6c82e2
SHA256 4023c822a006be70851c316d090eee3f3c51abc1575d4ea944c1fecc6ead86fd
SHA512 d08a28c6b8e3c66aa687ccd4093137345e8f34c7d442adb13350d6ffbee99b11e0835f1df678385a8e816d990ac6b92ee05f1de3048047df90fe1b3a1cdb0b08

memory/2796-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2776-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2776-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2776-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2776-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 390e72c71ffcc0e42023f38bf000df78
SHA1 4c076ac741c9af64adc727e3eb3a50e48d5b792b
SHA256 160c3f1642db81de6104a9c9fa07cfa3adaabe68c1dd95c1c7f2de72d6a623f5
SHA512 c7f26bfa1cc67a8c6732c0ceaa3fa0c577fb227c100ca20a1525f5f9f976eb6455a0a65f3f4dbaefb6c41cd672e1410f10f3041c690bf74d544cf3b8a4f0694e

memory/2776-30-0x0000000000290000-0x00000000002BD000-memory.dmp

memory/2776-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/992-35-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2776-31-0x0000000000290000-0x00000000002BD000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b40ac8124b8a5210400154bbebf6fcc7
SHA1 d4b57b6b5906ab7f48d904e160cbfc691efafb7d
SHA256 719442bf2f0f25bbb3abf9bff516804d0d9d062362e7439c5df68bf4ebc52e2e
SHA512 011418046beb7d2754d1cf2a9f617bc4b2ba9f105a01de1c7296be3737c39c5f066e69251f5e8d1daf8dc185d74e9d8f07a1a05961bb6cafb9d1efa70e3c0db1

memory/680-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/992-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/680-49-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-19 12:43

Reported

2024-08-19 12:45

Platform

win10v2004-20240802-en

Max time kernel

114s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\omsecor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe

"C:\Users\Admin\AppData\Local\Temp\a00fe3a2c55cd63807c35ccf89171830N.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

memory/1904-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 bb782486b12b057300bc6245995d6649
SHA1 a51d6bd1925b7ceed4f312923b89b7af6b6c82e2
SHA256 4023c822a006be70851c316d090eee3f3c51abc1575d4ea944c1fecc6ead86fd
SHA512 d08a28c6b8e3c66aa687ccd4093137345e8f34c7d442adb13350d6ffbee99b11e0835f1df678385a8e816d990ac6b92ee05f1de3048047df90fe1b3a1cdb0b08

memory/1368-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1904-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1368-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1368-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1368-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1368-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 26f62bb322a58c00b031516406a6c509
SHA1 59d067e9d01f6a6df1f895f8dfc55a25269052bf
SHA256 e138cd501a28ceeb522488bffaa8df14ad4cb46218bd650c2d6ad570fee392cb
SHA512 74b1251e4aff5ac9db236c68d0398380af587a46e7a46e27286c61e1b6cef962bed47b1a084389b4268b65e29dfaf28f37ebf12c4e3f5267e54be8f8374da76f

memory/676-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1368-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/676-23-0x0000000000400000-0x000000000042D000-memory.dmp