Analysis Overview
SHA256
0f4810f9b49d94e5262128a2456486b076734db252d2ca492463c8a21485ba53
Threat Level: Known bad
The file 4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 22:28
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 22:28
Reported
2024-05-19 22:31
Platform
win7-20240221-en
Max time kernel
145s
Max time network
148s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 66039958bca2e90753432bb1bf87d4bf |
| SHA1 | c09d28def543147c6d9c79f0e0385f69603f7af0 |
| SHA256 | c75dcd8e1415a859379125ee75a3a15e6070e10bb5fd7e35084c3b012ff3b9c3 |
| SHA512 | c2d42d76a22eb42982145307ce8a7c790851b8c9d957c383792beed6bd4b89db836c7d2835b8663eec4c204ba1661b20d90d46ab7e61a868270c9ff93994b345 |
\Windows\SysWOW64\omsecor.exe
| MD5 | a090e46a638581aa9f8fe79fa907ca5f |
| SHA1 | 2a4fc879e30c9d6079d8e926c04580e98c66f63d |
| SHA256 | 8f0c8466e526069c808be2fe8dcc735389c5cfaf2f9345135c247016817a2f3d |
| SHA512 | 8ba041e825631e534925396f465d5f982b9267eb999fd4278ee88aca244bc393a8c5038d84b8fb520603d0badd4367c1751e0eca31f7445309b243ace4fa4ef5 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7415a6f771a3f8d91363ff51fcd11f0d |
| SHA1 | 5cabdd2ec2c30ea092a4332a052dba85cb1932fa |
| SHA256 | f9f0dea1531b980bc1e6a530122bc3051c3761a789644b20f9638c3d0cebaa8d |
| SHA512 | 6311e379eaabb5a667d717925bb565bb0c474ea22d01a318973387d42af4a29d52777da9e3b2294d00eab05b55a898ae1205cb0f86528d65286ea9844ea18661 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 22:28
Reported
2024-05-19 22:31
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1644 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1644 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1644 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3952 wrote to memory of 3324 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3952 wrote to memory of 3324 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3952 wrote to memory of 3324 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4c1844acd093de809b95044c34eb5020_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 66039958bca2e90753432bb1bf87d4bf |
| SHA1 | c09d28def543147c6d9c79f0e0385f69603f7af0 |
| SHA256 | c75dcd8e1415a859379125ee75a3a15e6070e10bb5fd7e35084c3b012ff3b9c3 |
| SHA512 | c2d42d76a22eb42982145307ce8a7c790851b8c9d957c383792beed6bd4b89db836c7d2835b8663eec4c204ba1661b20d90d46ab7e61a868270c9ff93994b345 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 5345266a3f919583d4ce769247183980 |
| SHA1 | 62462d4c6d7ee2baf14440cd048bff9e4720b57a |
| SHA256 | 9e39cc810e313e51d8399409cb34aeaa336257558ad3fa9c6423202c4fdf00d5 |
| SHA512 | bf8358260720bf8f5cee0264c006757d2483b088bab955c2451a32454f70f81793cdcfd469d03ec38f895eb6a6bc03fdfaaaf3c2890fbe57600e84ec74e77f61 |