Malware Analysis Report

2024-11-16 13:00

Sample ID 240519-1kbtzabd6v
Target 419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe
SHA256 78275a526e8128da61eb9bcf7d23d082b513c78eec1b9864f3f54134d344be7e
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

78275a526e8128da61eb9bcf7d23d082b513c78eec1b9864f3f54134d344be7e

Threat Level: Known bad

The file 419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 21:42

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 21:42

Reported

2024-05-19 21:44

Platform

win7-20240215-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2208 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2208 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2208 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2208 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2704 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2704 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2704 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2704 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1140 wrote to memory of 1768 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1140 wrote to memory of 1768 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1140 wrote to memory of 1768 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1140 wrote to memory of 1768 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 216a5a3f44909fa0cc6cd66a8c4a84fa
SHA1 26d5c36b70479d4170ea470b10d7668a54835eba
SHA256 19ce62857c5a380d05d52325e390c8b1ec4299f7cb0eab69012acd2ad7328be0
SHA512 d97fbfdb800416c0618910da1c3953c8e2160ff2e642c5c8bc4b2affc8ea820d91fb09251e68c75469b817d6d0cab34faab7e24b869a50fa05f9f7409744bd10

\Windows\SysWOW64\omsecor.exe

MD5 9b6739677ed80338497c4d7d74a8f12d
SHA1 3cefeb341e8ab7e616978173a113f1c752143c66
SHA256 a512f4bc1c8f032a3a49da458f062e2b1cc072ddebb0feb1d1c357d079fae38d
SHA512 58b9b916064d036017a96bcf3ed1fab7d493493b5b7c23fe367f13cf5d315be481207e3431ddbb864d379a833205a2b8256fd91a7f7f676657b94ae0ea3a794b

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5052fb59c0d8ef75c78896a750a1b100
SHA1 1e66406fb6cede99fb3821270a1fd9d04d67292c
SHA256 e31687bd53538d86f4c459876da87aefadb4455bbd164521f3b9dc067ec33b9b
SHA512 63e9ece5c35bc9a5ea22f802a80c68fbc48fb7533cc47d6e755abff0d2d8767170004aafaffcabcd0b9d8fdf75cd75f6c44f2f0892759b55a2cd1f9de98850bd

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 21:42

Reported

2024-05-19 21:44

Platform

win10v2004-20240426-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
BE | 88.221.83.193:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 193.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
BE | 2.17.107.122:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 122.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 216a5a3f44909fa0cc6cd66a8c4a84fa
SHA1 26d5c36b70479d4170ea470b10d7668a54835eba
SHA256 19ce62857c5a380d05d52325e390c8b1ec4299f7cb0eab69012acd2ad7328be0
SHA512 d97fbfdb800416c0618910da1c3953c8e2160ff2e642c5c8bc4b2affc8ea820d91fb09251e68c75469b817d6d0cab34faab7e24b869a50fa05f9f7409744bd10

C:\Windows\SysWOW64\omsecor.exe

MD5 ba9ca3181e6acdd3c6d80e66a1077cff
SHA1 885fbec3aab1294210087e1f2f3577f02c937803
SHA256 cbb7d019c810aa09c18b29c93e399294d7a219a1871ed9633bf56bcd4a471c53
SHA512 59a5d26f318108f4609cf7afd10a1d714e7e9758fa6acb1e8928ad76547739ebb8576032b969e15d1431bce6a19e1d28a3803b223c85e3c64a00f23d94b9be01

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aebd5276b5031e6d8aae23bc581ef32a
SHA1 914ede2da717ba26ec7b9f2a249731a19570a10e
SHA256 3bbca189fcb80779a3296d4afac3c4cceba2e3650feb0779b84f1e11383574dd
SHA512 3dfe131e3418af30693de5bac71cbdd01bc6c9fe52ac4f54a78259e9bb63e9e46f6858030c2a5799632db8b86b901da9d68e2127bc99272fdb66a8081b1ff5d3