Analysis Overview
SHA256
ec6f0134583a5bac273914fc276c475f0da21c83f3e101d2cfbf8bdcae05a669
Threat Level: Known bad
The file f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-19 16:35
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 16:35
Reported
2024-05-19 16:38
Platform
win7-20240221-en
Max time kernel
146s
Max time network
148s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 46cd72f6b4edfc791895e6d62a605e7b |
| SHA1 | cacf86591a4829714ad8f846f15f7bb3cb001460 |
| SHA256 | 6356806d38b8cd31d3345f4743fe5524766cd2de43ae0dc00cd4609d1045d269 |
| SHA512 | cf3c4edf67c7b706229d2f49d6cf34ed072cd4e46ede20e65f2d5fdb1248a58a0f9be6992805b0eb6044d779e40d241ddee44c4f10c2b301aba8428fe9bd7552 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 2329d3fbf29229fe044ce4f0c0f62b56 |
| SHA1 | 1bb26fe7f6ab2df2cb51c41b173fb108608f81f5 |
| SHA256 | be006c3758322f12e9481f3b3a722a5447b0962e659c3c22ef422a3a6112ab3c |
| SHA512 | 1af1b41d131fd185f3643ca2328467bfc45f1383e7825ad73a65abd647b07564be2f0bd718eafaae7ae80179b028fbba67174e0ea09ca238ddcb3b5900778549 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 3f253bc39915adc5df3209695f6183a4 |
| SHA1 | defc0c4380a50b22e5f8217510ce97b4b20eac2a |
| SHA256 | 80c31cfba0335dcde334347b5e03f488b03ab2de413197de41d3db6fd54231f8 |
| SHA512 | 2541ce9b8bdc434e6c8c1f68d3d36272ac19368f8659a19f9a48fccb3a15fa6989218de7bfb577b3061500777100d4d4e0d9bc38d4e57bd6adf3a7d645fefc74 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 16:35
Reported
2024-05-19 16:38
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
151s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f4436b10750b5abd50e65308988c0ce0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 46cd72f6b4edfc791895e6d62a605e7b |
| SHA1 | cacf86591a4829714ad8f846f15f7bb3cb001460 |
| SHA256 | 6356806d38b8cd31d3345f4743fe5524766cd2de43ae0dc00cd4609d1045d269 |
| SHA512 | cf3c4edf67c7b706229d2f49d6cf34ed072cd4e46ede20e65f2d5fdb1248a58a0f9be6992805b0eb6044d779e40d241ddee44c4f10c2b301aba8428fe9bd7552 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 1381cf24600c6c13533b9b4344243700 |
| SHA1 | d45423ae2ed4e59ae4ddeffd9c5a8a1c08d5276f |
| SHA256 | 9d2f50ad4741f154297f7378db882ead96e0ae9443a21232f92bc3f8a46bcb4f |
| SHA512 | 01e0efdc3053a63799205899040b294eea11757f2ed24621f2c9f6cd3e77fc931a0fc2c2c47d70b369d52eaed5b0749d33ce4280a1d18903ba7bb6fba7f856af |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | e33a9af6430de5c407d3b842fc8f80aa |
| SHA1 | b969cde4449b9f7ae8b6441886ec363b48471e4a |
| SHA256 | f32066d9a8b53ecbdb298d1bdf38e3d1413b2248b20ec455593f0214442c787f |
| SHA512 | 42e83f16342bdf23bf3576864cdb3bd98ed7c045a421fa14a30b4d566b2a480a5fa5d31a531b8adc21a8feb96fcc9fcd8da5b89c3fbdde112fdac70548e1815c |