Malware Analysis Report

2024-11-16 13:01

Sample ID 240519-23dxqafh95
Target 560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
SHA256 9fe28c5afd054913b2e138ac47e9690a77b452725f85fea48e6d0fa9d34eee9b
Tags: neconyd, trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 9fe28c5afd054913b2e138ac47e9690a77b452725f85fea48e6d0fa9d34eee9b
Threat Level: Known bad

The file 560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-19 23:06

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

No indicator rows were recorded for the static signatures; the family and unsigned-PE verdicts come from the file itself, not from observed behaviour.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-19 23:06
Reported: 2024-05-19 23:08
Platform: win7-20240221-en
Max time kernel: 147s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

The Roaming copy is listed twice because it runs twice in this detonation: once written to by the original sample (PID 3036 in the WriteProcessMemory rows) and again written to by the SysWOW64 copy (PID 2768).

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2216 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 4
PID 3036 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe | 4
PID 2696 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | 4

Each row was logged four times in the run; the repeats are collapsed into the Count column. Read top to bottom the rows give the execution chain: the original sample (PID 2216) writes into the Roaming copy (PID 3036), the Roaming copy writes into the SysWOW64 copy (PID 2696), and the SysWOW64 copy writes into a second instance of the Roaming copy (PID 2768). The report does not show what was written or how much, so treat these rows as evidence of the process chain and of parent-to-child memory access, not on their own as proof of code injection.

Processes

Each process is listed with its image path and the command line it was started with, in the order the report gives them; the PIDs are taken from the WriteProcessMemory rows.

C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe  (PID 2216)
  command line: "C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 3036)
  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe  (PID 2696)
  command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2768)
  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is launched with a System32 path but runs from SysWOW64. The detonation is on 64-bit Windows (SysWOW64 exists only there), so this is WoW64 file-system redirection acting on a 32-bit process: its writes to and launches from C:\Windows\System32 are redirected to C:\Windows\SysWOW64, which is also why the "Drops file in System32 directory" signature records the file at C:\Windows\SysWOW64\omsecor.exe. Detection content should match on either path.
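The chain recorded in this run (a copy in AppData\Roaming creating an executable of the same name under SysWOW64, and the process chain then alternating between the user-writable directory and the system directory) is the kind of thing endpoint telemetry can catch without any hash. The following is an added example written for this report, not code from the sandbox or from any Neconyd analysis: it runs two rules over Sysmon-style FileCreate (EventID 11) and ProcessCreate (EventID 1) records. The records, including the two benign control events, are constructed here to mirror the behavioral1 run; the list of user-writable staging directories is an assumption of the script.

```python
"""Detection logic for the drop-and-relaunch chain above.

Added example, not part of the sandbox report: the event records are
constructed by hand to mirror the behavioral1 run (Sysmon field names
Image / ParentImage / TargetFilename, EventID 11 = FileCreate,
EventID 1 = ProcessCreate); they are not captured logs."""
import ntpath

# Both names count as the system directory: under WoW64 a 32-bit process
# that writes to System32 actually lands in SysWOW64.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed user-writable staging locations (the two seen in the report plus
# one common extra).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def same_basename(a, b):
    return ntpath.basename(a.lower()) == ntpath.basename(b.lower())


def detect(events):
    """Return (rule, detail) alerts for a sequence of Sysmon-style events.

    system-dir-drop:    a process running from a user-writable directory
                        creates an .exe under System32/SysWOW64.
    same-name-relaunch: a process is started by a parent with the same file
                        name where one side lives in the system directory and
                        the other in a user-writable one.
    """
    alerts = []
    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if (in_user_writable(ev["Image"]) and in_system_dir(target)
                    and target.lower().endswith(".exe")):
                alerts.append(("system-dir-drop", f"{ev['Image']} -> {target}"))
        elif ev["EventID"] == 1:
            image, parent = ev["Image"], ev["ParentImage"]
            crosses = ((in_system_dir(image) and in_user_writable(parent))
                       or (in_user_writable(image) and in_system_dir(parent)))
            if crosses and same_basename(image, parent):
                alerts.append(("same-name-relaunch", f"{parent} -> {image}"))
    return alerts


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe")
ROAMING = "C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"
SYSWOW64 = "C:\\Windows\\SysWOW64\\omsecor.exe"

# Constructed events: the chain from the report (PIDs from the
# WriteProcessMemory rows) followed by two benign controls that must not fire.
CONSTRUCTED_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": ROAMING},
    {"EventID": 1, "ProcessId": 3036, "Image": ROAMING, "ParentImage": SAMPLE},
    {"EventID": 11, "Image": ROAMING, "TargetFilename": SYSWOW64},
    {"EventID": 1, "ProcessId": 2696, "Image": SYSWOW64, "ParentImage": ROAMING},
    {"EventID": 1, "ProcessId": 2768, "Image": ROAMING, "ParentImage": SYSWOW64},
    {"EventID": 11, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\example.dll"},   # constructed benign
    {"EventID": 1, "ProcessId": 900, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},     # constructed benign
]

if __name__ == "__main__":
    for rule, detail in detect(CONSTRUCTED_EVENTS):
        print(f"{rule:20} {detail}")
```

Run against the constructed chain the script raises three alerts (the SysWOW64 drop and the two same-name hops between Roaming and SysWOW64) and stays silent on the servicing-stack write and the services.exe to svchost.exe start. The first drop into AppData\Roaming is deliberately not alerted on: a user-writable directory receiving an executable is too common on its own, and the chain only becomes distinctive once it crosses into the system directory.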

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | lousta.net | udp | 1
FI | 193.166.255.171:80 | lousta.net | tcp | 4
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp | 1
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp | 2
US | 8.8.8.8:53 | ow5dirasuek.com | udp | 1
US | 35.91.124.102:80 | ow5dirasuek.com | tcp | 1

Duplicate rows are collapsed into the Count column. Each domain is resolved once through the sandbox resolver (8.8.8.8) and then contacted over plain HTTP on port 80; lousta.net is contacted first and most often. The report records connections only, not the HTTP requests or responses, so the role of each host (check-in, payload download, or anything else) cannot be read from this table.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 913138a0d13d9bea5212ead7c8ecb86f
SHA1 7865ec6784b9e7510ec2ca08409c1a33f16656d3
SHA256 f4c21fd66a164398278bc627ea7213185108275443a7fa0bed3e734e0f71cf12
SHA512 ce0e9203e6c321f267f75a3472df8b1971035048ac6c99202ce7bd6e72011f1d6b0628cca18dfe7659ece1447ea7f25e25a8d678ee6bbce13709cfcf94e167b7

\Windows\SysWOW64\omsecor.exe

MD5 afa9ddcee5ebe39e1e67c318410ba9a4
SHA1 265e75987013d04dac280d9b587c7c1a355182e0
SHA256 614ddfeaff2f292a12602b054112f73835c119779b197d63463b7296b5fb741d
SHA512 d8cc87688981139398729af715fc8e963a0910a50a7c0159306f57e58df11e41b96e4ab5fb255f584504223c16b922c6e5ce7f4ff3dc13465e066f6cb8025c30

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8c4d20f2bc54dbefa7fb35520743ede0
SHA1 f43a6f3969d8f5a2eed4ff94b10cc79cfc937880
SHA256 547e850cebfec5ea3747e6644239b2e2916ef3573d2cd48d49a88aba47e08837
SHA512 8681877495543e1e7b7f7894c2573fc19bed5a089b4df197a5d661191b46732e7a8218909c85288b579905972558ebc8fd4d01152a2dc6acfa43a4356caee602

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-19 23:06
Reported: 2024-05-19 23:08
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

Each process is listed with its image path and the command line it was started with, in the order the report gives them (no PIDs are recorded for this run).

C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Sample-attributable traffic (duplicate rows collapsed into the Count column):

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | lousta.net | udp | 1
FI | 193.166.255.171:80 | lousta.net | tcp | 4
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp | 1
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp | 2
US | 8.8.8.8:53 | ow5dirasuek.com | udp | 1
US | 35.91.124.102:80 | ow5dirasuek.com | tcp | 1

Other traffic recorded in the Windows 10 run:

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp | 4
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp | 1

The sample contacts the same three domains and the same three endpoints as in the Windows 7 run, with the same hit counts. The bing.net rows and the reverse (in-addr.arpa) lookups do not appear in the Windows 7 run; two of the reverse lookups, 73.91.225.64.in-addr.arpa and 102.124.91.35.in-addr.arpa, are for 64.225.91.73 and 35.91.124.102, the endpoints the sample itself contacts, while nothing else in this report ties the remaining rows to the sample. Do not carry them into an indicator list without corroboration from another source.
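Pulling indicators out of a table like this means separating what the sample did from what the sandbox and the operating system did. The script below is an added example, not part of the report: it parses the Windows 10 rows copied from the table above, keeps only hosts that were both resolved and contacted as indicators, pairs each reverse lookup with the sample's own contacted IPs, and counts the rest as noise. It serves the Windows 7 table as well, since the format is identical. The bing.net allow-list is an assumption of the script; the report itself does not classify any row.

```python
"""Network IOC triage for a sandbox connection table.

Added example, not part of the sandbox report. ROWS is copied from the
behavioral2 network table; the background allow-list is this script's
assumption (Windows 10 telemetry), not something the report states."""
from collections import Counter, defaultdict

ROWS = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp
"""

RESOLVERS = {"8.8.8.8:53"}             # the sandbox's DNS resolver
BACKGROUND_SUFFIXES = (".bing.net",)  # assumption: OS background, not the sample


def parse_rows(text):
    """Split 'Country Destination Domain Proto' lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        rows.append({"country": country, "dest": dest,
                     "domain": domain.lower(), "proto": proto})
    return rows


def classify(row):
    if row["domain"].endswith(".in-addr.arpa"):
        return "reverse-lookup"
    if row["domain"].endswith(BACKGROUND_SUFFIXES):
        return "background"
    if row["dest"] in RESOLVERS:
        return "dns-query"          # resolution only; the contact is a separate row
    return "ioc"


def reverse_lookup_target(domain):
    """'73.91.225.64.in-addr.arpa' -> '64.225.91.73'."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(text):
    rows = parse_rows(text)
    endpoints, hits, queried, noise = defaultdict(set), Counter(), set(), Counter()
    for row in rows:
        kind = classify(row)
        if kind == "ioc":
            endpoints[row["domain"]].add(row["dest"])
            hits[row["domain"]] += 1
        elif kind == "dns-query":
            queried.add(row["domain"])
        else:
            noise[kind] += 1
    # Reverse lookups that point back at an IP the sample actually contacted.
    contacted_ips = {ep.rsplit(":", 1)[0] for eps in endpoints.values() for ep in eps}
    own_ptr = sorted(reverse_lookup_target(r["domain"]) for r in rows
                     if classify(r) == "reverse-lookup"
                     and reverse_lookup_target(r["domain"]) in contacted_ips)
    return {
        "iocs": {d: {"endpoints": sorted(v), "hits": hits[d]} for d, v in endpoints.items()},
        "queried_only": sorted(queried - set(endpoints)),  # resolved but never contacted
        "reverse_lookups_of_own_c2": own_ptr,
        "noise": dict(noise),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(ROWS), indent=2))
```

On the rows above the three domains come out as indicators with their single endpoint each (lousta.net 4 hits, mkkuei4kdsz.com 2, ow5dirasuek.com 1), no domain is resolved without being contacted, the two reverse lookups for 64.225.91.73 and 35.91.124.102 are tied back to the sample, and the remaining eight reverse lookups and five bing.net rows land in the noise counters. A "queried_only" entry is worth a second look on other samples: a domain that is resolved but never contacted is often a dead or sinkholed C2.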

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 913138a0d13d9bea5212ead7c8ecb86f
SHA1 7865ec6784b9e7510ec2ca08409c1a33f16656d3
SHA256 f4c21fd66a164398278bc627ea7213185108275443a7fa0bed3e734e0f71cf12
SHA512 ce0e9203e6c321f267f75a3472df8b1971035048ac6c99202ce7bd6e72011f1d6b0628cca18dfe7659ece1447ea7f25e25a8d678ee6bbce13709cfcf94e167b7

C:\Windows\SysWOW64\omsecor.exe

MD5 0f80ec2a5fea78f2ef1dbdd9a17c2e95
SHA1 1600c8e6bc541c796711a67ac53adaf4712eb6c3
SHA256 99e1e4df7c395c0d7a42970f702f258bd478c9025460cd2da22ac91b1c21f481
SHA512 b41da0939441b5ea6c431143b3bb72819be6e52581417e509683fc3eacea55696f2d0c20253f2ce8fab0ee245e7c71786a1928057f8ffe3a5cf43a2e12213379

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5122c2fcaaba9aafadfb0b1331d42638
SHA1 36a9252e2f2b1dd47381f527997753722147d0f6
SHA256 d3d0be9439335c979c4a127a90102dae0a1e860f2420661689c7871af9d43cd3
SHA512 8d57f38ccfee7031d743ef6247d517b469cbbc3adec833e20b5346e5821d56421b15518f075badf10202053b8465759c974c2f2fd21dde133ebfd755d003a507

Comparing the two runs: the first C:\Users\Admin\AppData\Roaming\omsecor.exe drop has identical hashes on Windows 7 and Windows 10 (MD5 913138a0d13d9bea5212ead7c8ecb86f), but the SysWOW64 copy (MD5 afa9ddcee5ebe39e1e67c318410ba9a4 on Windows 7, 0f80ec2a5fea78f2ef1dbdd9a17c2e95 on Windows 10) and the second Roaming copy (MD5 8c4d20f2bc54dbefa7fb35520743ede0 on Windows 7, 5122c2fcaaba9aafadfb0b1331d42638 on Windows 10) differ between runs and from the first drop. The later stages write a differently-hashed file each time they run, so those hashes are per-run values and poor indicators. The stable artifacts in this report are the original sample hash, the first-drop hash, the omsecor.exe name under AppData\Roaming and SysWOW64, and the three domains.