Malware Analysis Report

2024-11-16 13:01

Sample ID: 240519-sr1snsch4t
Target: e21334854c1732db05619261c709c470_NeikiAnalytics.exe
SHA256: f0fa8801dd3c886a8aef5868150964c5a99ea506cf8fd30afeae39e281dc8749
Tags: neconyd trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: f0fa8801dd3c886a8aef5868150964c5a99ea506cf8fd30afeae39e281dc8749

Threat Level: Known bad

The file e21334854c1732db05619261c709c470_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-19 15:22

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-19 15:22

Reported: 2024-05-19 15:24

Platform: win7-20240221-en

Max time kernel: 145s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2776 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2776 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2776 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2776 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2008 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2008 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2008 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2008 wrote to memory of 1808 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1808 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1808 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1808 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1808 wrote to memory of 2004 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4a2df8bbd31bdf906b0ef5ea1cdb77b4
SHA1 8b37054650ba1044fb429d6e02e2cb39767bd61f
SHA256 827bdb0adc2996097261a28764779414041feffd5b3dbe88dfe30da10e22f755
SHA512 71a08453c6233d5aa2909e856ccda6f88b3f45a1524c004aabf8df994b32e1b9e84fc1657e919fe6d3620c36507ce4ab8857f2ab82aa12df40e9456afc0a2ce4

\Windows\SysWOW64\omsecor.exe

MD5 b4d151e572e944eedf3ca3d78b7b52a4
SHA1 e85834833ef5a9f45f6aac64c3209e403040d577
SHA256 01b89e52a9fa155de25475cf11ea481cf0b9d791c6696f285c6d37307d8cbee6
SHA512 40595473f8178636cc50fdfe4aa84e30d6099d0753053263621d463fc0057f63f7c4d8933bde1c2a1d6d0f5c8fa51857bcbb46c869f52ba0dbb029cae39e3fd7

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 32cc87bde43d7c374c0ac13e8539626f
SHA1 20bcd4bff8edb0b01cfccd821944ce84f1311d50
SHA256 4300531192fa8e0e9f267a8af9866263801fd8384fd119aa981ab934ce7e923d
SHA512 09858ae81dd4eb4217f9606d00ce4cb86924b636d221e69c443809197c8a8cb79adf83cb80dffc86916902e692209d1939655bc26e262169db2397bb55420150

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-19 15:22

Reported: 2024-05-19 15:24

Platform: win10v2004-20240426-en

Max time kernel: 149s

Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4a2df8bbd31bdf906b0ef5ea1cdb77b4
SHA1 8b37054650ba1044fb429d6e02e2cb39767bd61f
SHA256 827bdb0adc2996097261a28764779414041feffd5b3dbe88dfe30da10e22f755
SHA512 71a08453c6233d5aa2909e856ccda6f88b3f45a1524c004aabf8df994b32e1b9e84fc1657e919fe6d3620c36507ce4ab8857f2ab82aa12df40e9456afc0a2ce4

C:\Windows\SysWOW64\omsecor.exe

MD5 20929334189516dd171f8b115dffe0ae
SHA1 0eb17ddbc19c05875e3c2cc85026bb143f55c00f
SHA256 11bec1d1e5579d8148fbdfe90e920e4972ee0718c64141fb8177bdcc26516dba
SHA512 c3ffed80cfcd0471199874919cce833aebe1a3452ea4808c0c353e74bbfb56923e144a31036a603f2d18403af0df6992467a350e1c8a1db989a855d598f076af

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0159b6b46c2803c94b4de85c1d435730
SHA1 8d59d6a99360a5b3612d2c54f8dbc6354676b367
SHA256 15a45884588bdbf3fe0a4c44f2371088dcd88a47b94d4ba13999115d3d8ed611
SHA512 a19ee45db3e8ffa6c7e7137559a62d0e9b326ae01da48285c6d4410df0486204adf963b800f42c3ec40d3a8a1a72295fda826eb1585b33a6efca1f9c1f36d8cd