Analysis Overview
SHA256
9fe28c5afd054913b2e138ac47e9690a77b452725f85fea48e6d0fa9d34eee9b
Threat Level: Known bad
The file 560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 23:06
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 23:06
Reported
2024-05-19 23:08
Platform
win7-20240221-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 913138a0d13d9bea5212ead7c8ecb86f |
| SHA1 | 7865ec6784b9e7510ec2ca08409c1a33f16656d3 |
| SHA256 | f4c21fd66a164398278bc627ea7213185108275443a7fa0bed3e734e0f71cf12 |
| SHA512 | ce0e9203e6c321f267f75a3472df8b1971035048ac6c99202ce7bd6e72011f1d6b0628cca18dfe7659ece1447ea7f25e25a8d678ee6bbce13709cfcf94e167b7 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | afa9ddcee5ebe39e1e67c318410ba9a4 |
| SHA1 | 265e75987013d04dac280d9b587c7c1a355182e0 |
| SHA256 | 614ddfeaff2f292a12602b054112f73835c119779b197d63463b7296b5fb741d |
| SHA512 | d8cc87688981139398729af715fc8e963a0910a50a7c0159306f57e58df11e41b96e4ab5fb255f584504223c16b922c6e5ce7f4ff3dc13465e066f6cb8025c30 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 8c4d20f2bc54dbefa7fb35520743ede0 |
| SHA1 | f43a6f3969d8f5a2eed4ff94b10cc79cfc937880 |
| SHA256 | 547e850cebfec5ea3747e6644239b2e2916ef3573d2cd48d49a88aba47e08837 |
| SHA512 | 8681877495543e1e7b7f7894c2573fc19bed5a089b4df197a5d661191b46732e7a8218909c85288b579905972558ebc8fd4d01152a2dc6acfa43a4356caee602 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 23:06
Reported
2024-05-19 23:08
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\560483ba12b15ea6a143e386d936be90_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 913138a0d13d9bea5212ead7c8ecb86f |
| SHA1 | 7865ec6784b9e7510ec2ca08409c1a33f16656d3 |
| SHA256 | f4c21fd66a164398278bc627ea7213185108275443a7fa0bed3e734e0f71cf12 |
| SHA512 | ce0e9203e6c321f267f75a3472df8b1971035048ac6c99202ce7bd6e72011f1d6b0628cca18dfe7659ece1447ea7f25e25a8d678ee6bbce13709cfcf94e167b7 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 0f80ec2a5fea78f2ef1dbdd9a17c2e95 |
| SHA1 | 1600c8e6bc541c796711a67ac53adaf4712eb6c3 |
| SHA256 | 99e1e4df7c395c0d7a42970f702f258bd478c9025460cd2da22ac91b1c21f481 |
| SHA512 | b41da0939441b5ea6c431143b3bb72819be6e52581417e509683fc3eacea55696f2d0c20253f2ce8fab0ee245e7c71786a1928057f8ffe3a5cf43a2e12213379 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5122c2fcaaba9aafadfb0b1331d42638 |
| SHA1 | 36a9252e2f2b1dd47381f527997753722147d0f6 |
| SHA256 | d3d0be9439335c979c4a127a90102dae0a1e860f2420661689c7871af9d43cd3 |
| SHA512 | 8d57f38ccfee7031d743ef6247d517b469cbbc3adec833e20b5346e5821d56421b15518f075badf10202053b8465759c974c2f2fd21dde133ebfd755d003a507 |