Analysis Overview
SHA256: f0fa8801dd3c886a8aef5868150964c5a99ea506cf8fd30afeae39e281dc8749
Threat Level: Known bad
The file e21334854c1732db05619261c709c470_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-05-19 15:22
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-19 15:22
Reported: 2024-05-19 15:24
Platform: win7-20240221-en
Max time kernel: 145s
Max time network: 148s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4a2df8bbd31bdf906b0ef5ea1cdb77b4 |
| SHA1 | 8b37054650ba1044fb429d6e02e2cb39767bd61f |
| SHA256 | 827bdb0adc2996097261a28764779414041feffd5b3dbe88dfe30da10e22f755 |
| SHA512 | 71a08453c6233d5aa2909e856ccda6f88b3f45a1524c004aabf8df994b32e1b9e84fc1657e919fe6d3620c36507ce4ab8857f2ab82aa12df40e9456afc0a2ce4 |
\Windows\SysWOW64\omsecor.exe
| MD5 | b4d151e572e944eedf3ca3d78b7b52a4 |
| SHA1 | e85834833ef5a9f45f6aac64c3209e403040d577 |
| SHA256 | 01b89e52a9fa155de25475cf11ea481cf0b9d791c6696f285c6d37307d8cbee6 |
| SHA512 | 40595473f8178636cc50fdfe4aa84e30d6099d0753053263621d463fc0057f63f7c4d8933bde1c2a1d6d0f5c8fa51857bcbb46c869f52ba0dbb029cae39e3fd7 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 32cc87bde43d7c374c0ac13e8539626f |
| SHA1 | 20bcd4bff8edb0b01cfccd821944ce84f1311d50 |
| SHA256 | 4300531192fa8e0e9f267a8af9866263801fd8384fd119aa981ab934ce7e923d |
| SHA512 | 09858ae81dd4eb4217f9606d00ce4cb86924b636d221e69c443809197c8a8cb79adf83cb80dffc86916902e692209d1939655bc26e262169db2397bb55420150 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-19 15:22
Reported: 2024-05-19 15:24
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 155s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e21334854c1732db05619261c709c470_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4a2df8bbd31bdf906b0ef5ea1cdb77b4 |
| SHA1 | 8b37054650ba1044fb429d6e02e2cb39767bd61f |
| SHA256 | 827bdb0adc2996097261a28764779414041feffd5b3dbe88dfe30da10e22f755 |
| SHA512 | 71a08453c6233d5aa2909e856ccda6f88b3f45a1524c004aabf8df994b32e1b9e84fc1657e919fe6d3620c36507ce4ab8857f2ab82aa12df40e9456afc0a2ce4 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 20929334189516dd171f8b115dffe0ae |
| SHA1 | 0eb17ddbc19c05875e3c2cc85026bb143f55c00f |
| SHA256 | 11bec1d1e5579d8148fbdfe90e920e4972ee0718c64141fb8177bdcc26516dba |
| SHA512 | c3ffed80cfcd0471199874919cce833aebe1a3452ea4808c0c353e74bbfb56923e144a31036a603f2d18403af0df6992467a350e1c8a1db989a855d598f076af |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0159b6b46c2803c94b4de85c1d435730 |
| SHA1 | 8d59d6a99360a5b3612d2c54f8dbc6354676b367 |
| SHA256 | 15a45884588bdbf3fe0a4c44f2371088dcd88a47b94d4ba13999115d3d8ed611 |
| SHA512 | a19ee45db3e8ffa6c7e7137559a62d0e9b326ae01da48285c6d4410df0486204adf963b800f42c3ec40d3a8a1a72295fda826eb1585b33a6efca1f9c1f36d8cd |