Malware Analysis Report

2024-11-16 13:00

Sample ID 240519-19vclsde5z
Target 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
SHA256 611c99ba02d45fb455adedfbf2fcd66ef46786e9805a60ea0b691c21e41b82a8
Tags
neconyd trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

611c99ba02d45fb455adedfbf2fcd66ef46786e9805a60ea0b691c21e41b82a8

Threat Level: Known bad

The file 4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 22:21

Signatures

Neconyd family

neconyd

UPX packed file

upx
Matched once; no indicator, process or target recorded.

Unsigned PE

Matched twice; no indicator, process or target recorded.
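Both static1 signatures (UPX packed file, Unsigned PE) can be reproduced from the PE headers alone. The block below is an added example written for this page, not the sandbox's own signature code: it walks the section table looking for UPX0/UPX1 names or the "UPX!" stub marker, and reads the Certificate Table data directory to decide whether an Authenticode signature is present. build_sample_pe fabricates a minimal PE32 so the checks can run offline; the data-directory offsets are the standard PE32/PE32+ values, and the function and constant names are this example's own.

```python
"""Static triage of a PE: UPX packing and missing Authenticode signature.

Added example (pure-Python header walk), not Tria.ge's signature logic.
build_sample_pe() constructs a throwaway PE32 image for offline testing.
"""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# Data directories start at optional-header offset 96 (PE32) or 112 (PE32+);
# entry 4, 8 bytes each, is IMAGE_DIRECTORY_ENTRY_SECURITY (Certificate Table).
SECURITY_DIR_OFFSET = {PE32_MAGIC: 96 + 4 * 8, PE32PLUS_MAGIC: 112 + 4 * 8}


def _nt_header_offset(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    return e_lfanew


def section_names(data: bytes) -> list:
    """Section names from the section table, NUL padding stripped."""
    nt = _nt_header_offset(data)
    num_sections = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    table = nt + 24 + opt_size            # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def has_authenticode(data: bytes) -> bool:
    """True when the Certificate Table directory entry is non-empty."""
    nt = _nt_header_offset(data)
    opt = nt + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    off = SECURITY_DIR_OFFSET.get(magic)
    if off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    rva, size = struct.unpack_from("<II", data, opt + off)
    return rva != 0 and size != 0


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX leaves UPX0/UPX1 section names and a 'UPX!' marker behind."""
    return any(n.startswith("UPX") for n in section_names(data)) or b"UPX!" in data


def triage(data: bytes) -> dict:
    return {
        "sections": section_names(data),
        "upx_packed": looks_upx_packed(data),
        "unsigned": not has_authenticode(data),
    }


def build_sample_pe(names, cert_size=0) -> bytes:
    """Constructed minimal PE32 (headers only, not runnable) for testing."""
    opt = bytearray(224)                       # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    if cert_size:
        struct.pack_into("<II", opt, SECURITY_DIR_OFFSET[PE32_MAGIC], 0x1000, cert_size)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in names)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: NT headers at offset 64
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(triage(build_sample_pe(["UPX0", "UPX1", ".rsrc"])))
```

Against the real sample, read the file bytes and pass them to triage(). An empty Certificate Table is all that "Unsigned PE" means here; a signed binary can still be malicious. A positive UPX result means strings and imports are not meaningful until the file is unpacked (upx -d restores a stock-packed binary; a modified stub makes upx refuse, and the process memory regions listed under Files are then the place to look).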

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 22:21

Reported

2024-05-19 22:24

Platform

win7-20240221-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Matched 17 times; no indicator, process or target recorded.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 292 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4
PID 2908 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe 4
PID 2300 wrote to memory of 1896 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe 4

The sandbox logs one row per WriteProcessMemory call; the rows are collapsed here with a count. Each parent writes into the child it has just launched, giving the relay Temp (292) -> Roaming (2908) -> SysWOW64 (2300) -> Roaming (1896). What is written is not captured in this report.
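The relay chain can be rebuilt mechanically from the WriteProcessMemory rows, which is useful when a report has dozens of them. The block below is an added example, not part of the sandbox report: ROWS reproduces the behavioral1 rows (one per call, so duplicates are counted rather than discarded), and the location labels user-temp, user-roaming, system-wow64 and system32 are this example's own naming.

```python
"""Rebuild the process relay from 'PID X wrote to memory of Y' rows.

Added example; ROWS reproduces the behavioral1 table above.
"""
import re
from collections import OrderedDict

_ROW = "PID {src} wrote to memory of {dst} N/A {src_path} {dst_path}"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"
ROWS = (
    [_ROW.format(src=292, dst=2908, src_path=TEMP_EXE, dst_path=ROAMING)] * 4
    + [_ROW.format(src=2908, dst=2300, src_path=ROAMING, dst_path=SYSWOW)] * 4
    + [_ROW.format(src=2300, dst=1896, src_path=SYSWOW, dst_path=ROAMING)] * 4
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_row(line):
    """(src_pid, dst_pid, src_image, dst_image) from one report row."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised row: %r" % line)
    src, dst, src_path, dst_path = m.groups()
    return int(src), int(dst), src_path, dst_path


def collapse(rows):
    """Group identical rows, keeping first-seen order and a call count."""
    edges = OrderedDict()
    for line in rows:
        key = parse_row(line)
        edges[key] = edges.get(key, 0) + 1
    return [(k[0], k[1], k[2], k[3], n) for k, n in edges.items()]


def location(path):
    """Coarse label for where an image lives (example's own naming)."""
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p:
        return "user-temp"
    if "\\appdata\\roaming\\" in p:
        return "user-roaming"
    if "\\windows\\syswow64\\" in p:
        return "system-wow64"
    if "\\windows\\system32\\" in p:
        return "system32"
    return "other"


def relay_chain(edges):
    """Follow src->dst from the root, i.e. the PID nobody writes into."""
    by_src = {e[0]: e for e in edges}
    targets = {e[1] for e in edges}
    roots = [e[0] for e in edges if e[0] not in targets]
    if len(roots) != 1:
        raise ValueError("expected a single root, found %r" % roots)
    chain, pid = [], roots[0]
    while pid is not None and pid not in chain:   # visited guard against cycles
        chain.append(pid)
        nxt = by_src.get(pid)
        pid = nxt[1] if nxt else None
    return chain


def summarize(rows):
    edges = collapse(rows)
    return {
        "chain": relay_chain(edges),
        "hops": ["%s -> %s" % (location(e[2]), location(e[3])) for e in edges],
        "writes_per_hop": [e[4] for e in edges],
    }


if __name__ == "__main__":
    print(summarize(ROWS))
```

The hops list is the part worth alerting on: a user-writable location launching a copy of itself under the Windows directory, which then launches another copy back in the user's profile, is the drop-and-relaunch pattern this family shows in both detonations.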

Processes

Path: C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe"

Path: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Path: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Path: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is launched with a System32 path but its image is in SysWOW64: the sample is a 32-bit process, so WOW64 file system redirection maps its System32 file writes and launches to SysWOW64. This is also why the "Drops file in System32 directory" signature above reports C:\Windows\SysWOW64\omsecor.exe, and it is the path to hunt for on 64-bit hosts.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/292-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 47d23b50ebffe846cc961a2047352357
SHA1 ac1ddb731430964777d181ab3bd6c72a32b812eb
SHA256 5fd29ff0315b2f103f48d9645b705bd8d79484348562ec8df0c61a8e4fd5a04b
SHA512 1c702185a320324ee2df176cc0808da8ca55fcf946b3e8178a173cf390bf1a998a36a751bdc34e69b60b0270905eff99f38551ce698634f0bd0a1cbd38d86122

memory/292-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2908-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/292-10-0x0000000000220000-0x000000000024D000-memory.dmp

memory/292-9-0x0000000000220000-0x000000000024D000-memory.dmp

memory/2908-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2908-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2908-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2908-24-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 bca6842ed956c1c8deb3d032a37fc606
SHA1 3ad42d601f00bcc11440343d78ba096e113f9cb4
SHA256 61b7198d2b110c3867519c53677a00022a388c7e324ac1aeed68a970c2768209
SHA512 93c97be2a07dc2f805678817b3f9c5b694d92aded45fc5c8f6f5891a2f11b3f8d87c6fec247becec0a9f813b94c546fdc9dfb2b8741b98c367a9a82420b05828

memory/2908-35-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2300-36-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2908-27-0x0000000000380000-0x00000000003AD000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 35e1a71514f0f9e71e3900afb564f098
SHA1 5388563141e847552f4d94ad8f1c3f0e333a5b99
SHA256 e52320d1c25883a936646abaef0a1b6dae7f6405e424cbbd968a7a0b06442da2
SHA512 c2e34a6ba0b0595b6eb04d59852662648ec655f2eecbf5ae76a9c1bcfa4b07dd2129e0671bd3e4a62ed1c755629007a3addb00f8d5911dfbab19233024fd7b98

memory/2300-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1896-49-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1896-50-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1896-53-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 22:21

Reported

2024-05-19 22:24

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Matched 12 times; no indicator, process or target recorded.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

Processes

Path: C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4a3e205eda2bf17b4814f80634f85020_NeikiAnalytics.exe"

Path: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Path: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

(System32 on the command line, SysWOW64 on disk: WOW64 file system redirection of a 32-bit process.)

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 248.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Of these, only lousta.net, mkkuei4kdsz.com and ow5dirasuek.com and their port-80 endpoints also appear in the Windows 7 run. The in-addr.arpa PTR lookups and the bing.com/bing.net connections occur only here and are consistent with Windows 10 background traffic rather than sample activity.

Files

memory/4288-1-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 47d23b50ebffe846cc961a2047352357
SHA1 ac1ddb731430964777d181ab3bd6c72a32b812eb
SHA256 5fd29ff0315b2f103f48d9645b705bd8d79484348562ec8df0c61a8e4fd5a04b
SHA512 1c702185a320324ee2df176cc0808da8ca55fcf946b3e8178a173cf390bf1a998a36a751bdc34e69b60b0270905eff99f38551ce698634f0bd0a1cbd38d86122

memory/1072-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1072-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1072-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1072-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1072-14-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 35e1a71514f0f9e71e3900afb564f098
SHA1 5388563141e847552f4d94ad8f1c3f0e333a5b99
SHA256 e52320d1c25883a936646abaef0a1b6dae7f6405e424cbbd968a7a0b06442da2
SHA512 c2e34a6ba0b0595b6eb04d59852662648ec655f2eecbf5ae76a9c1bcfa4b07dd2129e0671bd3e4a62ed1c755629007a3addb00f8d5911dfbab19233024fd7b98

memory/1072-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3028-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3028-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3028-25-0x0000000000400000-0x000000000042D000-memory.dmp
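The Network and Files sections of both detonations reduce to a small IOC set once the OS noise is stripped. The block below is an added example, not output of the sandbox: NETWORK_ROWS and FILE_HASHES are copied from the report (behavioral1 and behavioral2), the DNS log lines in DNS_LOG and the directory built by build_constructed_tree are constructed for the example, and the noise filter encodes an assumption stated in the comments (in-addr.arpa PTR lookups, the resolver 8.8.8.8 and the bing.com/bing.net hosts seen only in the Windows 10 run are background traffic, not sample behaviour).

```python
"""IOC extraction from the report and matching against host telemetry.

Added example; NETWORK_ROWS and FILE_HASHES are copied from the report,
everything else is constructed for illustration.
"""
import hashlib
import os
import re
import tempfile

NETWORK_ROWS = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
""".strip().splitlines()

# SHA256 of the three distinct omsecor.exe copies listed under Files.
FILE_HASHES = {
    "5fd29ff0315b2f103f48d9645b705bd8d79484348562ec8df0c61a8e4fd5a04b",
    "61b7198d2b110c3867519c53677a00022a388c7e324ac1aeed68a970c2768209",
    "e52320d1c25883a936646abaef0a1b6dae7f6405e424cbbd968a7a0b06442da2",
}
DROP_PATHS = (r"\AppData\Roaming\omsecor.exe", r"\SysWOW64\omsecor.exe")

# Assumption: PTR lookups and Microsoft CDN/Bing hosts are OS background noise.
NOISE_DOMAIN = re.compile(r"(\.in-addr\.arpa|\.bing\.com|\.bing\.net)$", re.I)
NOISE_IPS = {"8.8.8.8"}          # the sandbox resolver, not a sample endpoint

DNS_LOG = [  # constructed lines, loosely in BIND query-log shape
    "client 10.0.0.5#51234: query: lousta.net IN A +",
    "client 10.0.0.5#51235: query: www.bing.com IN A +",
    "client 10.0.0.5#51236: query: cdn.mkkuei4kdsz.com IN A +",
]


def extract_network_iocs(rows):
    """Domains and (ip, port, proto) endpoints, minus the noise above."""
    domains, endpoints = set(), set()
    for row in rows:
        _country, dest, domain, proto = row.split()
        ip, port = dest.rsplit(":", 1)
        if NOISE_DOMAIN.search(domain):
            continue
        domains.add(domain.lower())
        if ip not in NOISE_IPS:
            endpoints.add((ip, int(port), proto))
    return {"domains": domains, "endpoints": endpoints}


def match_dns_log(lines, iocs):
    """Flag queried names whose name or any parent label is an IOC domain."""
    hits = []
    for line in lines:
        m = re.search(r"query:\s*(\S+)", line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        labels = name.split(".")
        for i in range(len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in iocs["domains"]:
                hits.append((name, parent))
                break
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, hash_set=FILE_HASHES, drop_paths=DROP_PATHS):
    """Files under root matching a known hash and/or a known drop path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            win_style = full.replace("/", "\\").lower()
            reason = "path" if any(win_style.endswith(p.lower()) for p in drop_paths) else None
            if sha256_file(full) in hash_set:
                reason = "hash" if reason is None else "path+hash"
            if reason:
                hits.append((full, reason))
    return sorted(hits)


def build_constructed_tree():
    """Constructed fixture: temp dir with a placeholder at the Roaming drop path."""
    root = tempfile.mkdtemp(prefix="neconyd-sweep-")
    drop_dir = os.path.join(root, "AppData", "Roaming")
    os.makedirs(drop_dir)
    path = os.path.join(drop_dir, "omsecor.exe")
    with open(path, "wb") as f:
        f.write(b"constructed placeholder, not the real dropper")
    return root, path
```

Matching on path as well as hash matters for this family: the three dropped copies already carry three different hashes within a single detonation, so a hash-only sweep will miss the next one, while the drop locations stayed the same across both runs.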