Analysis Overview
SHA256
1415b2602c96e7d866c61e1a0e755e31324c96652a44607979097bbf25131be5
Threat Level: Known bad
The file e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 15:51
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 15:51
Reported
2024-05-19 15:54
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | b18c97b6fa4e3984a0556d6c13402b37 |
| SHA1 | 15fdd15db2662c2d862f4a585976da1ddc29b9d3 |
| SHA256 | 2e55587424adb78197bc5d74a3ac9c7dc61016f613e0b2393950cf6ab8ab40b8 |
| SHA512 | 065387996bfddbf21e71b94fb7f2a425640c50c0448c7b22e744b56e657b0ef55c915670120fa41337a490e95faf97e23e8f6edccf638daf1ac7dee9fdc22ba4 |
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | 70ec441a73ebb76cbdc82c251d5fe533 |
| SHA1 | c9d5acb82389d09a23613a8712de16fa263c8a43 |
| SHA256 | b5d79c7756307a3f73281c6a51f25e8882b4c96c22a458d4c22b901114ed7d47 |
| SHA512 | 1d21cf859d05ce5cdc97800f45ad8e46d2b34dd78d67885bd4f6a103925f929d2e29687eb5b88122796e8d043131f60b54746ffe149317436cbf187ef3d98fc4 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | ac56f2afd7b15753032e63b93badc18f |
| SHA1 | 01a8091874b461ac255b3a831d8cb3afa81217b1 |
| SHA256 | 9025b697d2aabc6b4f7a60a2dc9f4ca0330fb8bca8ca4591ffe802f51d0f2830 |
| SHA512 | f2ed4d4edea03448909965123a2171e620e2f23be903d96375cc1b70be3dc796cacbc8da7051bc60a4cca7a1113a1b9805f9c3cfbffdcf933cd1b7e00599b2c2 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 15:51
Reported
2024-05-19 15:54
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e9a8a5f7e80d2ae8c062d4eb57568e80_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | b18c97b6fa4e3984a0556d6c13402b37 |
| SHA1 | 15fdd15db2662c2d862f4a585976da1ddc29b9d3 |
| SHA256 | 2e55587424adb78197bc5d74a3ac9c7dc61016f613e0b2393950cf6ab8ab40b8 |
| SHA512 | 065387996bfddbf21e71b94fb7f2a425640c50c0448c7b22e744b56e657b0ef55c915670120fa41337a490e95faf97e23e8f6edccf638daf1ac7dee9fdc22ba4 |
\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | ef3cad547896c67f7329ea9265ce1607 |
| SHA1 | 27475d0a0f1f97710d5c880fd1392e01919ef5fe |
| SHA256 | 632e2aae6437eb6d991e01382e43ad95d3d16dbc9658fd5223354ee005d230f2 |
| SHA512 | 7d44376c139cbbb6bad596562d141eefceee60da7a62c040f12d62a23762291c5c47e85976c475e3275a1fa0d9214e50bb000174b6cbfb2142492a6bcefe0fef |
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
|---|---|
| MD5 | 0af7b6f760dd4ead221b47c84d27215a |
| SHA1 | 4994de9a2c8f7cf8da9c2f54536f55dc66e19bf9 |
| SHA256 | 75ae133963bc2196890edfa57d5a2fded0fdedc04a1285772196f81ceac1285f |
| SHA512 | 0ed1d600cf5fd14268686da224110d8be7134257ada94ba48b01694a0878abed406626b6d22f45c4a00b5d0be96d9e39d832638398d81cdcdf52ea274d9cba30 |