Malware Analysis Report

2024-11-16 13:00

Sample ID: 240519-2dtxmsea5v
Target:    4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe
SHA256:    0f4810f9b49d94e5262128a2456486b076734db252d2ca492463c8a21485ba53
Tags:      upx neconyd trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:  10/10
SHA256: 0f4810f9b49d94e5262128a2456486b076734db252d2ca492463c8a21485ba53

Threat Level: Known bad

The file 4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags: upx neconyd trojan

- Neconyd family
- Neconyd
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
- Drops file in System32 directory
- Unsigned PE
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-19 22:28

Signatures

Neconyd family (neconyd)

UPX packed file (upx)
Description | Indicator | Process | Target
(1 match; no details recorded)

Unsigned PE
Description | Indicator | Process | Target
(2 matches; no details recorded)

Analysis: behavioral1

Detonation Overview

Submitted:        2024-05-19 22:28
Reported:         2024-05-19 22:31
Platform:         win7-20240221-en
Max time kernel:  145s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe"

Signatures

Neconyd (trojan neconyd)

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file (upx)
Description | Indicator | Process | Target
(16 matches; no details recorded)

Drops file in System32 directory
Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 3000 wrote to memory of 820 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 820 wrote to memory of 2200 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2200 wrote to memory of 1612 (4 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image path, followed by the command line as recorded:

C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp (4 connections)
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp (2 connections)
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp

Files

memory/3000-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    66039958bca2e90753432bb1bf87d4bf
  SHA1   c09d28def543147c6d9c79f0e0385f69603f7af0
  SHA256 c75dcd8e1415a859379125ee75a3a15e6070e10bb5fd7e35084c3b012ff3b9c3
  SHA512 c2d42d76a22eb42982145307ce8a7c790851b8c9d957c383792beed6bd4b89db836c7d2835b8663eec4c204ba1661b20d90d46ab7e61a868270c9ff93994b345

memory/3000-11-0x00000000003A0000-0x00000000003CD000-memory.dmp
memory/3000-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3000-9-0x00000000003A0000-0x00000000003CD000-memory.dmp
memory/820-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3000-16-0x00000000003A0000-0x00000000003CD000-memory.dmp
memory/820-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/820-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/820-24-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe
  MD5    a090e46a638581aa9f8fe79fa907ca5f
  SHA1   2a4fc879e30c9d6079d8e926c04580e98c66f63d
  SHA256 8f0c8466e526069c808be2fe8dcc735389c5cfaf2f9345135c247016817a2f3d
  SHA512 8ba041e825631e534925396f465d5f982b9267eb999fd4278ee88aca244bc393a8c5038d84b8fb520603d0badd4367c1751e0eca31f7445309b243ace4fa4ef5

memory/820-27-0x0000000000350000-0x000000000037D000-memory.dmp
memory/820-34-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    7415a6f771a3f8d91363ff51fcd11f0d
  SHA1   5cabdd2ec2c30ea092a4332a052dba85cb1932fa
  SHA256 f9f0dea1531b980bc1e6a530122bc3051c3761a789644b20f9638c3d0cebaa8d
  SHA512 6311e379eaabb5a667d717925bb565bb0c474ea22d01a318973387d42af4a29d52777da9e3b2294d00eab05b55a898ae1205cb0f86528d65286ea9844ea18661

memory/2200-45-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1612-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1612-49-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1612-52-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-05-19 22:28
Reported:         2024-05-19 22:31
Platform:         win10v2004-20240508-en
Max time kernel:  149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe"

Signatures

Neconyd (trojan neconyd)

Executes dropped EXE
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

UPX packed file (upx)
Description | Indicator | Process | Target
(13 matches; no details recorded)

Drops file in System32 directory
Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

Image path, followed by the command line as recorded:

C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp (4 connections)
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp (2 connections)
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (4 connections)
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp (2 connections)
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp

Files

memory/1644-0-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1644-4-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe
  MD5    66039958bca2e90753432bb1bf87d4bf
  SHA1   c09d28def543147c6d9c79f0e0385f69603f7af0
  SHA256 c75dcd8e1415a859379125ee75a3a15e6070e10bb5fd7e35084c3b012ff3b9c3
  SHA512 c2d42d76a22eb42982145307ce8a7c790851b8c9d957c383792beed6bd4b89db836c7d2835b8663eec4c204ba1661b20d90d46ab7e61a868270c9ff93994b345

memory/3952-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3952-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3952-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3952-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3952-14-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe
  MD5    5345266a3f919583d4ce769247183980
  SHA1   62462d4c6d7ee2baf14440cd048bff9e4720b57a
  SHA256 9e39cc810e313e51d8399409cb34aeaa336257558ad3fa9c6423202c4fdf00d5
  SHA512 bf8358260720bf8f5cee0264c006757d2483b088bab955c2451a32454f70f81793cdcfd469d03ec38f895eb6a6bc03fdfaaaf3c2890fbe57600e84ec74e77f61

memory/3952-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3324-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3324-22-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3324-25-0x0000000000400000-0x000000000042D000-memory.dmp