Malware Analysis Report

2024-11-16 13:01

Sample ID 240519-qz69baaf73
Target ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe
SHA256 5cfd89282e30b73f7e45c884e4abdfe887811daae7b98477f90bf01565808d51
Tags
upx neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5cfd89282e30b73f7e45c884e4abdfe887811daae7b98477f90bf01565808d51

Threat Level: Known bad

The file ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

Neconyd

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 13:42

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 13:42

Reported

2024-05-19 13:45

Platform

win7-20240220-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2084 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2084 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2084 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1740 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1740 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1740 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1740 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1856 wrote to memory of 328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1856 wrote to memory of 328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1856 wrote to memory of 328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1856 wrote to memory of 328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2084-1-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a0c87e7564432bcf0039292043d3c541
SHA1 efebf1cea7c0a413289e281dc57f40315b6a1ba5
SHA256 fb81f3c7d903dac4bc878ba9612bbac1056be91b43c26d439c19e1aa2df15889
SHA512 ba00f8e77cce09dc5506ebf90833624a4fd227be7e7d910107e44d780e82ccf5a0471e81a90d444c75fa0b1f6e761aef489627b60bc15c4fbfbe32dcff964276

memory/1740-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1740-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1740-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1740-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1740-21-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 c5d988698ccd37a60d575aa789db2d65
SHA1 a987eff7d0961ecbdec61faaffbdfddb5e34930a
SHA256 925605de3b54efd82c12c458bbd1b6a4a79df74e33ef3bc6c2a5c07a689deca9
SHA512 a165dd6361cc44d1a187cd47f1068a8faad88631df6403908ed50db7d1078b1307b045318a2ce66dec5df15d8b67f4be6ce466142f5d2a6ca2d672c4f3fa1ffa

memory/1740-24-0x0000000000280000-0x00000000002AD000-memory.dmp

memory/1740-31-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1856-33-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ae1086a0b0f44313d926fcf47dd6ed24
SHA1 5c3a1cb032508c42b758f1f17ab494c5c1da9b1b
SHA256 045c9ac028051536385925cdc8246594d04b4b70311b2431bd1cfe824d87965c
SHA512 3b4bc8a1f58d4f0d205d894ef7d79566589e45abc643288bc720ca96ed92c802811b5b749fb34761da02ac1dc90cbe9eeae2eb869719356f4827513c3d667755

memory/1856-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/328-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/328-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/328-50-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 13:42

Reported

2024-05-19 13:45

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ccf3202a38e701599318538b3a1f62e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

memory/3748-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a0c87e7564432bcf0039292043d3c541
SHA1 efebf1cea7c0a413289e281dc57f40315b6a1ba5
SHA256 fb81f3c7d903dac4bc878ba9612bbac1056be91b43c26d439c19e1aa2df15889
SHA512 ba00f8e77cce09dc5506ebf90833624a4fd227be7e7d910107e44d780e82ccf5a0471e81a90d444c75fa0b1f6e761aef489627b60bc15c4fbfbe32dcff964276

memory/4524-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3748-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4524-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4524-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4524-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4524-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 131db9186e0f838010e6b910d9398920
SHA1 ea07a9a1b1065ebd284a352c3b193b0b4126e736
SHA256 3dfba1b149ee23ab80c7174396e7ef66f0854552b7b92f3d9be4cc5cf5b3b306
SHA512 cfd93388f483fe2984729eb91fe9a4f0658acffce59e1bb6c5a3243d7e70ea4f1c0cadae6046f42583e91f79a5aaa7ccce1900c22d880d0d5e658974a7908166

memory/4524-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4464-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4464-23-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4464-26-0x0000000000400000-0x000000000042D000-memory.dmp