Analysis Overview
SHA256
78275a526e8128da61eb9bcf7d23d082b513c78eec1b9864f3f54134d344be7e
Threat Level: Known bad
The file 419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 21:42
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 21:42
Reported
2024-05-19 21:44
Platform
win7-20240215-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 216a5a3f44909fa0cc6cd66a8c4a84fa |
| SHA1 | 26d5c36b70479d4170ea470b10d7668a54835eba |
| SHA256 | 19ce62857c5a380d05d52325e390c8b1ec4299f7cb0eab69012acd2ad7328be0 |
| SHA512 | d97fbfdb800416c0618910da1c3953c8e2160ff2e642c5c8bc4b2affc8ea820d91fb09251e68c75469b817d6d0cab34faab7e24b869a50fa05f9f7409744bd10 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 9b6739677ed80338497c4d7d74a8f12d |
| SHA1 | 3cefeb341e8ab7e616978173a113f1c752143c66 |
| SHA256 | a512f4bc1c8f032a3a49da458f062e2b1cc072ddebb0feb1d1c357d079fae38d |
| SHA512 | 58b9b916064d036017a96bcf3ed1fab7d493493b5b7c23fe367f13cf5d315be481207e3431ddbb864d379a833205a2b8256fd91a7f7f676657b94ae0ea3a794b |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5052fb59c0d8ef75c78896a750a1b100 |
| SHA1 | 1e66406fb6cede99fb3821270a1fd9d04d67292c |
| SHA256 | e31687bd53538d86f4c459876da87aefadb4455bbd164521f3b9dc067ec33b9b |
| SHA512 | 63e9ece5c35bc9a5ea22f802a80c68fbc48fb7533cc47d6e755abff0d2d8767170004aafaffcabcd0b9d8fdf75cd75f6c44f2f0892759b55a2cd1f9de98850bd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 21:42
Reported
2024-05-19 21:44
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\419fb94993688f5ba07303c9ebfdd100_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| BE | 88.221.83.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| BE | 2.17.107.122:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 216a5a3f44909fa0cc6cd66a8c4a84fa |
| SHA1 | 26d5c36b70479d4170ea470b10d7668a54835eba |
| SHA256 | 19ce62857c5a380d05d52325e390c8b1ec4299f7cb0eab69012acd2ad7328be0 |
| SHA512 | d97fbfdb800416c0618910da1c3953c8e2160ff2e642c5c8bc4b2affc8ea820d91fb09251e68c75469b817d6d0cab34faab7e24b869a50fa05f9f7409744bd10 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | ba9ca3181e6acdd3c6d80e66a1077cff |
| SHA1 | 885fbec3aab1294210087e1f2f3577f02c937803 |
| SHA256 | cbb7d019c810aa09c18b29c93e399294d7a219a1871ed9633bf56bcd4a471c53 |
| SHA512 | 59a5d26f318108f4609cf7afd10a1d714e7e9758fa6acb1e8928ad76547739ebb8576032b969e15d1431bce6a19e1d28a3803b223c85e3c64a00f23d94b9be01 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | aebd5276b5031e6d8aae23bc581ef32a |
| SHA1 | 914ede2da717ba26ec7b9f2a249731a19570a10e |
| SHA256 | 3bbca189fcb80779a3296d4afac3c4cceba2e3650feb0779b84f1e11383574dd |
| SHA512 | 3dfe131e3418af30693de5bac71cbdd01bc6c9fe52ac4f54a78259e9bb63e9e46f6858030c2a5799632db8b86b901da9d68e2127bc99272fdb66a8081b1ff5d3 |