Malware Analysis Report

2024-11-16 13:01

Sample ID 240522-cyntpahd96
Target 14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe
SHA256 14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776
Tags

neconyd trojan

Score

10/10

Analysis Overview

Score

10/10

SHA256

14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776

Threat Level: Known bad

The file 14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 02:29

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 02:29

Reported

2024-05-22 02:31

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2100 wrote to memory of 3024 (reported 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3024 wrote to memory of 2828 (reported 4 times) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2828 wrote to memory of 328 (reported 4 times) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe

"C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e9d56f4dc84dbcd469d308b2e492f84e
SHA1 a1e2c71b608544264fa322898efbd3972c3e21d6
SHA256 98a4075a6a9814f99c6ac464a1ab85ecbee786beb76d87131861b69631c475ab
SHA512 999f6abcb284811005942af1d7853e00c9f8fdd3350e5f41f9695bad08625674d4422fab2010cebeb124f990c11fab72f9ced6069b5e28492e108816c483b0e9

\Windows\SysWOW64\omsecor.exe

MD5 cc13e00e4531211f0e9a81b1fe95b7a1
SHA1 da68cb09a858e7e4f026da2c7bd19361a00441a0
SHA256 19c99c9cc7828a155f058e5d57fa0b2d93137387ac08e66c2feb488e95de3315
SHA512 d3a78db1b1bfd7396424f00bc75cb2985f5de2fa43e057880c629d775f5527f492527c12ccef0f1361ee24262abcc4c8bbb8ca9a8eb1f542052a916c984c14e4

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7800b3222e27273c3b7b3fa23f42ed80
SHA1 f98b742148109a437dd8ded0dd4aabb1dc968015
SHA256 e7c8cf21ee4a9e654493ebb76954aaf9e767d8df09ea7584b75d7354db316c46
SHA512 5ef4f45bd7d915a7f6cf563ef806d7689bd5c5d714de1698a063cc7e0841a26dc0957e61b92fddf3cb49a264b4953e32627bafbc6c2b4b69941d3f42e90a7baf

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 02:29

Reported

2024-05-22 02:31

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe

"C:\Users\Admin\AppData\Local\Temp\14921464e306818bf8f00c15755d11d7ffdfe0fac41d2171acf05cd96fcc8776.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e9d56f4dc84dbcd469d308b2e492f84e
SHA1 a1e2c71b608544264fa322898efbd3972c3e21d6
SHA256 98a4075a6a9814f99c6ac464a1ab85ecbee786beb76d87131861b69631c475ab
SHA512 999f6abcb284811005942af1d7853e00c9f8fdd3350e5f41f9695bad08625674d4422fab2010cebeb124f990c11fab72f9ced6069b5e28492e108816c483b0e9

C:\Windows\SysWOW64\omsecor.exe

MD5 45ca35139769a8664885c4862bdf1328
SHA1 7043f4c223f4332a7d1eb90934e2d79f9a290e47
SHA256 acc329c293773d5cdb6435cdb17046535999e6bfade6de30fcb6069242619507
SHA512 f1bc79f4dc274c28af28239d5650f66707454fa54332bd5107a14b79cd5385119ac42bb7d1f2a69112f3f1de3e2cc89911acc7cc4255f366ebe4f281c718cfec

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 eba5ad7b9322cf4da53c1526b95ebd61
SHA1 bba5614f73380729ebf4cc4e654f1039668f05f4
SHA256 2ba9b5ec56574fc2454fca9906c25b3df93c38ea4f2a53e4f30eb74a74bf5747
SHA512 60b3fee2fb3b3f95fb29f5812e80a8c54d8898c2071f8a30c818bbbe5cfffff27e49dea90386475d9801a785d9c9848068dc8100d136e4a3f3ee1113b312c394