Malware Analysis Report

2024-11-16 13:00

Sample ID: 240519-ta1l1sea7v
Target: e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe
SHA256: 1415b2602c96e7d866c61e1a0e755e31324c96652a44607979097bbf25131be5
Tags: neconyd trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 1415b2602c96e7d866c61e1a0e755e31324c96652a44607979097bbf25131be5
Threat Level: Known bad

The file e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-19 15:51

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-19 15:51
Reported: 2024-05-19 15:54
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
BE | 88.221.83.192:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b18c97b6fa4e3984a0556d6c13402b37
SHA1 15fdd15db2662c2d862f4a585976da1ddc29b9d3
SHA256 2e55587424adb78197bc5d74a3ac9c7dc61016f613e0b2393950cf6ab8ab40b8
SHA512 065387996bfddbf21e71b94fb7f2a425640c50c0448c7b22e744b56e657b0ef55c915670120fa41337a490e95faf97e23e8f6edccf638daf1ac7dee9fdc22ba4

C:\Windows\SysWOW64\omsecor.exe

MD5 70ec441a73ebb76cbdc82c251d5fe533
SHA1 c9d5acb82389d09a23613a8712de16fa263c8a43
SHA256 b5d79c7756307a3f73281c6a51f25e8882b4c96c22a458d4c22b901114ed7d47
SHA512 1d21cf859d05ce5cdc97800f45ad8e46d2b34dd78d67885bd4f6a103925f929d2e29687eb5b88122796e8d043131f60b54746ffe149317436cbf187ef3d98fc4

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ac56f2afd7b15753032e63b93badc18f
SHA1 01a8091874b461ac255b3a831d8cb3afa81217b1
SHA256 9025b697d2aabc6b4f7a60a2dc9f4ca0330fb8bca8ca4591ffe802f51d0f2830
SHA512 f2ed4d4edea03448909965123a2171e620e2f23be903d96375cc1b70be3dc796cacbc8da7051bc60a4cca7a1113a1b9805f9c3cfbffdcf933cd1b7e00599b2c2

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-19 15:51
Reported: 2024-05-19 15:54
Platform: win7-20240508-en
Max time kernel: 145s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1724 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1724 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1724 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1724 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2120 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2120 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2120 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2120 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2988 wrote to memory of 772 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2988 wrote to memory of 772 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2988 wrote to memory of 772 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2988 wrote to memory of 772 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b18c97b6fa4e3984a0556d6c13402b37
SHA1 15fdd15db2662c2d862f4a585976da1ddc29b9d3
SHA256 2e55587424adb78197bc5d74a3ac9c7dc61016f613e0b2393950cf6ab8ab40b8
SHA512 065387996bfddbf21e71b94fb7f2a425640c50c0448c7b22e744b56e657b0ef55c915670120fa41337a490e95faf97e23e8f6edccf638daf1ac7dee9fdc22ba4

\Windows\SysWOW64\omsecor.exe

MD5 ef3cad547896c67f7329ea9265ce1607
SHA1 27475d0a0f1f97710d5c880fd1392e01919ef5fe
SHA256 632e2aae6437eb6d991e01382e43ad95d3d16dbc9658fd5223354ee005d230f2
SHA512 7d44376c139cbbb6bad596562d141eefceee60da7a62c040f12d62a23762291c5c47e85976c475e3275a1fa0d9214e50bb000174b6cbfb2142492a6bcefe0fef

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0af7b6f760dd4ead221b47c84d27215a
SHA1 4994de9a2c8f7cf8da9c2f54536f55dc66e19bf9
SHA256 75ae133963bc2196890edfa57d5a2fded0fdedc04a1285772196f81ceac1285f
SHA512 0ed1d600cf5fd14268686da224110d8be7134257ada94ba48b01694a0878abed406626b6d22f45c4a00b5d0be96d9e39d832638398d81cdcdf52ea274d9cba30