Malware Analysis Report

2024-11-16 13:01

Sample ID 240519-tcd6sseb5v
Target ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe
SHA256 e1b813815f8a7f15b24823c47aef070222987070c4b83859bdad6bac317938fc
Tags: upx neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

e1b813815f8a7f15b24823c47aef070222987070c4b83859bdad6bac317938fc

Threat Level: Known bad

The file ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

Neconyd

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 15:54

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 15:54

Reported

2024-05-19 15:57

Platform

win7-20240221-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2792 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2792 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2792 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1320 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1320 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1320 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1320 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2332 wrote to memory of 1908 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2332 wrote to memory of 1908 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2332 wrote to memory of 1908 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2332 wrote to memory of 1908 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2792-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 53e7f97ee5472e77f56e4b25ad2e210a
SHA1 a657d300b07e249fb9f6645b2e26c1a92bfcccec
SHA256 1b3161384d555f6fafed139fd102f7fd8270dd7a3a88012b1400393c220be336
SHA512 ade434cff6ec7f96df748ece6ddf2119b41842c109aaaad36e671b6633c4ceb3e054251f8204eb04c4c5c455aa67568c4326e5c3e2a71cf6ae09f86583024f16

memory/2792-10-0x00000000002B0000-0x00000000002DD000-memory.dmp

memory/1320-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2792-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2792-8-0x00000000002B0000-0x00000000002DD000-memory.dmp

memory/1320-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1320-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1320-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1320-24-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2332-47-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2a541cb03737d4b287b01efc5fa6edc2
SHA1 6be83e77e238608209c06f3d1d705ad9bc76dae9
SHA256 8f702e81868dd2b926e07df7643a61720186242927ce27f425033828569b4f43
SHA512 9dcd23b67a6fd5bb70a0af72da6734e139cefeb5282b975a851bd44e3419631e29063850a83cf865d3f42c44943a09e618c246b07521ce28f424bb39c2dd3318

memory/1908-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2332-40-0x0000000000220000-0x000000000024D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 91ad98d31ff0f7326213b84b78892407
SHA1 1331cadc57af20dc1b28cc0fc70cf32c651d44c4
SHA256 bf33be38c15fde5df61ab26ae8c97e006054a6eb6382d6c1de30f80091a3c2b4
SHA512 9610088367022bf95537b5185e22665750f11691ac83ccd13aabb7044e8cf4940dad948c941310ba02ca74ea411dbe1888c935d11e25160f1fe3ec8a57dc1b61

memory/1320-34-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1320-27-0x0000000001F70000-0x0000000001F9D000-memory.dmp

memory/1908-50-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1908-53-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 15:54

Reported

2024-05-19 15:57

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ea4b8258ea7656cc6859faa6772d0070_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/2748-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 53e7f97ee5472e77f56e4b25ad2e210a
SHA1 a657d300b07e249fb9f6645b2e26c1a92bfcccec
SHA256 1b3161384d555f6fafed139fd102f7fd8270dd7a3a88012b1400393c220be336
SHA512 ade434cff6ec7f96df748ece6ddf2119b41842c109aaaad36e671b6633c4ceb3e054251f8204eb04c4c5c455aa67568c4326e5c3e2a71cf6ae09f86583024f16

memory/4016-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2748-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4016-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4016-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4016-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4016-14-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 88ccf33362a884387e399ddcb71231c0
SHA1 0f4187dd7c0f14948be865a074f5a1cf0519aa3a
SHA256 55bedecb03540a47edeae1bda4b1230ecc701a2fd5e3e56fca2e392bd728f2e1
SHA512 20a2430a4815dc94b38147da16fe6d23a672b7fe5f64a7d1eb5712f285b66f609c147e547e2df9e450deb7c2689b82da5429b4352f5d2cae4c1ee806e916e018

memory/2184-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4016-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3340-25-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2b57f287055bb4d52867aa96a90b4110
SHA1 f078cb63e86c5427880099f829ab22a317634738
SHA256 11b2174ec4ddb88330d99257c44492b0755b8ce015d5677cc7f496388e67dc95
SHA512 36f646654cd853d88775a9279a1f7eec05d6dc44a389b155f1395dd261231ce0bf7ef061ab6c2e6fb5c27afef9feb0c5ff51e3829f23937ba09912d3498a7c72

memory/2184-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3340-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3340-31-0x0000000000400000-0x000000000042D000-memory.dmp