Malware Analysis Report

2024-11-16 13:01

Sample ID 240519-sfrqmace4x
Target ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe
SHA256 bd638029b2c11a937fc9cd747e3b8804c8ae93e62eaa8b00b3fa2cf7cc2a23d5
Tags
upx neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

bd638029b2c11a937fc9cd747e3b8804c8ae93e62eaa8b00b3fa2cf7cc2a23d5

Threat Level: Known bad

The file ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 15:04

Signatures

Neconyd family

neconyd

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 15:04

Reported

2024-05-19 15:06

Platform

win7-20240221-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2592 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1288 wrote to memory of 1528 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1044-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 856e31b1153c77956442e2685a7ef5ee
SHA1 155732cdc7644a295ec8c04240fdfc7c5717c805
SHA256 9d397d095137106b904862500df338eaf3f2162d022421341047f4054fed1064
SHA512 473a2f409140eefef46f55c56bea674cd7efb71fe314dcc19fed204680f38a06c20cbaf6d172e7f776813f59da5912bfb234ced95cafb1e1215d1d3ba6cd99ef

memory/1044-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2592-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1044-9-0x00000000001B0000-0x00000000001DD000-memory.dmp

memory/2592-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2592-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2592-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 a1b2224ad60e9dfeaf791675c5855ed0
SHA1 5ec04bd46880e9d00be86da9bc264875527b121f
SHA256 18093e8fd8c19ef382c7b7ae9a408539eabab9e9059078577f705f2c63fe9e51
SHA512 694d077b2efb96b810685bac810e16f4de3a7330699668d088631da581f368a6648abdd0cf6bf3fb21f297e4fdcbfda32d2daf9231027e387e41344015c924d1

memory/2592-26-0x0000000000290000-0x00000000002BD000-memory.dmp

memory/2592-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1288-37-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 beb216940f507ddbd6b680f889165d65
SHA1 2ff2e890dbae4570636d2f3de8e46aacb618ba18
SHA256 6c11dc5d1827e34bfb0e47195753ca23732fcb02874df1bc308f6f09a89ac322
SHA512 8708ee138615fd00ff436d7ab56fe959ca1186d5d2196c1e8566f31c2f3da59b064d50994d3d7a71e7f8c4bb975f89e24905dbb85bc2e5aff8a6103032b76636

memory/1528-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1528-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1528-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 15:04

Reported

2024-05-19 15:06

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ddb47c76c975930de12c689f7f6e9ac0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
US 52.111.227.11:443 N/A tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/400-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 856e31b1153c77956442e2685a7ef5ee
SHA1 155732cdc7644a295ec8c04240fdfc7c5717c805
SHA256 9d397d095137106b904862500df338eaf3f2162d022421341047f4054fed1064
SHA512 473a2f409140eefef46f55c56bea674cd7efb71fe314dcc19fed204680f38a06c20cbaf6d172e7f776813f59da5912bfb234ced95cafb1e1215d1d3ba6cd99ef

memory/400-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4444-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4444-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4444-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4444-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4444-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 cd7ee7b65436f935b4b806d9522b02f5
SHA1 75dfc6dae30060b40643c2d34b97a2e946fdbff2
SHA256 188b07911e293b4db37ae7a5ffa53da8690ca154247f975ca21eacfc3b52b8e4
SHA512 4a7106862cd51c477e880913cd7ca8b754e0f0058b4139c3bb4c34911182b63298fbfb60383ec45bda49cde189517e45f6d2212f23b433d2357b62dd65da2619

memory/4444-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2716-21-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 15c12b1d577219df2cfdd63f2607a98e
SHA1 a07ff5a36b13e02d31f33437a23c9004d00187a3
SHA256 bb309614cfb7b38a4231984cb2abcd25ebd118c4763f2b26080ae7379c43e22e
SHA512 513fd21f2833877f26ed6141533e1c0a0bf4c6ba0b24b6d2c429943e9f79a403c313f5924575db0b848d24e6a86da1a5ddbc244e28db73d19afead55f5fe90a2

memory/1936-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2716-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1936-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1936-33-0x0000000000400000-0x000000000042D000-memory.dmp