Malware Analysis Report

2024-11-16 13:00

Sample ID 240519-tecezsec7x
Target eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe
SHA256 13473a8ea2c2ef9ff7e052c636da90019ae5dd2c5213f5a98bfd78831f224e87
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 13473a8ea2c2ef9ff7e052c636da90019ae5dd2c5213f5a98bfd78831f224e87

Threat Level: Known bad

The file eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-19 15:57

Signatures

Neconyd family
neconyd
Unsigned PE

No indicator, process or target details are recorded for the static signatures (the Description / Indicator / Process / Target table is empty).

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-19 15:57
Reported 2024-05-19 16:00
Platform win10v2004-20240508-en
Max time kernel 150s
Max time network 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe"

Signatures

Neconyd
trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

Image C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe
Command line "C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe"

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Image C:\Windows\SysWOW64\omsecor.exe
Command line C:\Windows\System32\omsecor.exe
(The command line names System32 while the image is the SysWOW64 copy: the process is 32-bit, and WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit processes. On disk the file is the C:\Windows\SysWOW64\omsecor.exe listed under Files.)

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
BE | 2.17.107.130:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 130.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | | tcp

Note: the in-addr.arpa (reverse) lookups and the bing.com / bing.net connections do not appear in the Windows 7 run (behavioral1), so they are most likely background traffic of the Windows 10 sandbox image rather than sample activity. The destinations the sample contacts in both runs are lousta.net (193.166.255.171:80), mkkuei4kdsz.com (64.225.91.73:80) and ow5dirasuek.com (35.91.124.102:80), all to TCP port 80. The last row carries no domain; 64.225.91.73:80 is the endpoint mkkuei4kdsz.com resolved to earlier in this run.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4e5fff3cdec056e923c95d1e4153b595
SHA1 bc9a7e659dfc1b7f35b5b441c848773085b21e53
SHA256 3154f7eef2e1ddf6471f36894fdb013844d60c9e2f156802d9132de4f7e855a1
SHA512 36a1594482aab2d174ccd522ffbc7fc97f461deeb3e4fdc5fbe1ce8e8f2e5490e94a158e8bc73716f9261ca92f115397ebca55c354bddc8e5cf16152e45e3bd7

C:\Windows\SysWOW64\omsecor.exe

MD5 1ab0e7ada645552ad0638fec17a5327f
SHA1 a2ca38911519f4795a59da504ae223128fbea811
SHA256 3482bbeb935402bb77cd9ec0d6f664dcd473e3a8668d42e8dfc2d6af635652f8
SHA512 4876b4983eda25405322cef741fd9e5d2ca544a8f4ab92bda0f5fa5f726e0b25d16346b5b4642d6a458f88352f840fd80c70f54ebefbc2928f0a9e19343208b7

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 9e19607babf6d02c65b7af363c3f2ac5
SHA1 106b0f4a0d0add5a837125c2212aa0d242f868a4
SHA256 558cd1d450d62ee4e3f745dd1f1c3a6b127d4186540646303125d7b625be4cca
SHA512 ff9dbfc3ae62ff81d197a50a1d1fe35a3739455a85eebd9d866b56897047d33d1d25d561c08c4c18fe5fe46261a048d8a361f8033a3f4687b78d6dc854bd53fc

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-19 15:57
Reported 2024-05-19 16:00
Platform win7-20231129-en
Max time kernel 145s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe"

Signatures

Neconyd
trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2368 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2368 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2692 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2692 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2692 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2692 wrote to memory of 1196 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Each parent wrote into its child four times. The PIDs give the execution chain 2368 (the sample) -> 2188 (C:\Users\Admin\AppData\Roaming\omsecor.exe) -> 2692 (C:\Windows\SysWOW64\omsecor.exe) -> 1196 (C:\Users\Admin\AppData\Roaming\omsecor.exe), which matches the order of the Processes list below: every process in the chain is the parent of the next, so the writes are consistent with a parent writing into a child it has just created rather than with injection into an unrelated process.

Processes

Image C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe
Command line "C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe"

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Image C:\Windows\SysWOW64\omsecor.exe
Command line C:\Windows\System32\omsecor.exe
(The command line names System32 while the image is the SysWOW64 copy: the process is 32-bit, and WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit processes. On disk the file is the \Windows\SysWOW64\omsecor.exe listed under Files.)

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe
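The drop-and-execute chain recorded in this run (sample -> Roaming\omsecor.exe -> SysWOW64\omsecor.exe -> Roaming\omsecor.exe, PIDs 2368 -> 2188 -> 2692 -> 1196) is what a host-based detection should key on, rather than the file hashes. The Python below is an added example for this page, not code from the sandbox vendor or from the report. It runs two rules over constructed Sysmon-style process-create and file-create events that reuse this report's PIDs and paths (the explorer.exe parent, its PID 1400 and the notepad.exe control row are invented for the example), and rebuilds the process ancestry from the ppid links.

```python
# Added example for this page, not part of the sandbox report. The events below
# are constructed in the shape of Sysmon Event ID 1 (process create) and Event
# ID 11 (file create) records, using the PIDs and paths from the behavioral1
# run; they are not an export from the sandbox.
import ntpath
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
WOW64 = r"C:\Windows\SysWOW64\omsecor.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"

EVENTS: List[Dict] = [
    {"event": 1, "pid": 2368, "ppid": 1400, "image": SAMPLE, "parent": r"C:\Windows\explorer.exe"},
    {"event": 11, "pid": 2368, "image": SAMPLE, "target": ROAMING},
    {"event": 1, "pid": 2188, "ppid": 2368, "image": ROAMING, "parent": SAMPLE},
    {"event": 11, "pid": 2188, "image": ROAMING, "target": WOW64},
    # A 32-bit process sees System32 through WOW64 file-system redirection, so
    # its command line can say System32 while the image on disk is in SysWOW64.
    {"event": 1, "pid": 2692, "ppid": 2188, "image": WOW64, "parent": ROAMING,
     "cmdline": r'"C:\Windows\System32\omsecor.exe"'},
    {"event": 1, "pid": 1196, "ppid": 2692, "image": ROAMING, "parent": WOW64},
    # Benign control (constructed): Explorer starting Notepad must fire nothing.
    {"event": 1, "pid": 3012, "ppid": 1400, "image": NOTEPAD, "parent": r"C:\Windows\explorer.exe"},
]


def in_appdata(path: str) -> bool:
    """User-writable profile location: anything under \\Users\\<user>\\AppData\\."""
    p = path.lower()
    return "\\users\\" in p and "\\appdata\\" in p


def in_system_dir(path: str) -> bool:
    """Native or WOW64 system directory; both count as the same protected location."""
    p = path.lower()
    return p.startswith("c:\\windows\\system32\\") or p.startswith("c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def drops_into_system_dir(events: List[Dict]) -> List[Dict]:
    """Rule 1 ('Drops file in System32 directory'): a process running from AppData
    creates a file under System32 or SysWOW64."""
    return [e for e in events
            if e["event"] == 11 and in_appdata(e["image"]) and in_system_dir(e["target"])]


def same_name_hops(events: List[Dict]) -> List[Dict]:
    """Rule 2 ('Executes dropped EXE'): a process starts a binary carrying its own file
    name on the other side of the AppData / system-directory boundary, which is the
    Roaming -> SysWOW64 -> Roaming hop this report records."""
    hits = []
    for e in events:
        if e["event"] != 1 or basename(e["image"]) != basename(e["parent"]):
            continue
        crosses = in_appdata(e["image"]) != in_appdata(e["parent"])
        touches_system = in_system_dir(e["image"]) or in_system_dir(e["parent"])
        if crosses and touches_system:
            hits.append(e)
    return hits


def ancestry(events: List[Dict], pid: int) -> List[str]:
    """Follow ppid links from pid back to the first known ancestor and return the
    image chain root-first, i.e. the analyst's process-tree view of one alert."""
    by_pid = {e["pid"]: e for e in events if e["event"] == 1}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for e in drops_into_system_dir(EVENTS):
        print(f"[drop]  pid {e['pid']} {e['image']} -> {e['target']}")
    for e in same_name_hops(EVENTS):
        print(f"[hop]   pid {e['ppid']} {e['parent']} -> pid {e['pid']} {e['image']}")
    print("[chain] " + " -> ".join(ancestry(EVENTS, 1196)))
```

Rule 1 fires once (Roaming\omsecor.exe creating SysWOW64\omsecor.exe) and Rule 2 fires twice (PIDs 2692 and 1196); the Notepad control row matches neither because its file name differs from its parent's. Treating System32 and SysWOW64 as one location in in_system_dir is deliberate: a rule keyed on the literal System32 string would miss this sample, whose dropped copy lives in SysWOW64 even though its command line says System32.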

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
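The Windows 10 network table (behavioral2) is dominated by reverse lookups and Bing traffic that this Windows 7 run does not show, while the three port-80 destinations are identical in both. The Python below is an added example for this page, not part of the report: it parses both Network tables as pasted from the sections above, separates sample C2 candidates from background noise with suffix rules that are this example's own assumptions, attributes the unnamed final Windows 10 row to the name its ip:port carried earlier in that run, and intersects the two runs to keep only the endpoints that survive the platform change.

```python
# Added example for this page, not part of the sandbox report. The two tables are
# pasted from the behavioral2 (Windows 10) and behavioral1 (Windows 7) Network
# sections above; the noise rules are this example's own assumptions.
import re

WIN10_NETWORK = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
BE 2.17.107.130:443 www.bing.com tcp
US 8.8.8.8:53 130.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 tcp
"""

WIN7_NETWORK = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

# Assumption: reverse (PTR) lookups and Microsoft/Bing traffic are sandbox background noise.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?:(?P<domain>\S+) )?(?P<proto>tcp|udp)$")


def parse(table):
    """Rows as dicts; the domain column may be empty (see the last Windows 10 row)."""
    rows = []
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def is_noise(domain):
    return domain is not None and domain.lower().endswith(NOISE_SUFFIXES)


def triage(table):
    """C2 candidates (domain -> endpoints and tcp connection count), noise names, and tcp
    endpoints tied to no name. udp/53 rows only classify the queried name (the resolver is
    not an IOC); a tcp row with an empty domain takes the name that ip:port carried elsewhere."""
    rows = parse(table)
    resolved = {}
    for r in rows:
        if r["proto"] == "tcp" and r["domain"]:
            resolved.setdefault(f"{r['ip']}:{r['port']}", r["domain"])
    c2, noise, unattributed = {}, set(), []
    for r in rows:
        endpoint, domain = f"{r['ip']}:{r['port']}", r["domain"]
        if r["proto"] == "udp" and r["port"] == "53":
            if is_noise(domain):
                noise.add(domain)
            continue
        domain = domain or resolved.get(endpoint)
        if domain is None:
            unattributed.append(endpoint)
        elif is_noise(domain):
            noise.add(domain)
        else:
            entry = c2.setdefault(domain, {"endpoints": set(), "connections": 0})
            entry["endpoints"].add(endpoint)
            entry["connections"] += 1
    return {"c2": {d: {"endpoints": sorted(v["endpoints"]), "connections": v["connections"]}
                   for d, v in sorted(c2.items())},
            "noise": sorted(noise), "unattributed": unattributed}


def shared_c2(*tables):
    """(domain, ip:port) pairs contacted in every run: IOCs that survived the platform change."""
    per_run = [{(d, ep) for d, v in triage(t)["c2"].items() for ep in v["endpoints"]} for t in tables]
    return set.intersection(*per_run)
```

Calling shared_c2(WIN10_NETWORK, WIN7_NETWORK) returns the three (domain, ip:port) pairs present in both runs, with identical connection counts per run (four to lousta.net, two to mkkuei4kdsz.com, one to ow5dirasuek.com); triage(WIN10_NETWORK)["noise"] holds the fifteen names the rules discarded, none of which the Windows 7 run contains. The suffix list is the part to review before reuse: a sample that tunnels through a Microsoft-owned CDN would be hidden by it.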

Files

Only the first dropped copy (MD5 4e5fff3cdec056e923c95d1e4153b595) has the same hashes in this run as in the behavioral2 run above; the SysWOW64 copy and the second Roaming copy hash differently in the two detonations. Treat the per-file hashes as weak indicators and pivot on the paths, the omsecor.exe file name and the process chain instead.

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4e5fff3cdec056e923c95d1e4153b595
SHA1 bc9a7e659dfc1b7f35b5b441c848773085b21e53
SHA256 3154f7eef2e1ddf6471f36894fdb013844d60c9e2f156802d9132de4f7e855a1
SHA512 36a1594482aab2d174ccd522ffbc7fc97f461deeb3e4fdc5fbe1ce8e8f2e5490e94a158e8bc73716f9261ca92f115397ebca55c354bddc8e5cf16152e45e3bd7

\Windows\SysWOW64\omsecor.exe

MD5 17703fe2addd2e12997845ba2a5f016e
SHA1 294753dab776cbadfb86ebfaff1fed35335654aa
SHA256 e883959249ffce31167dcc92473cd4b3e6a72cfb9015d1bfec43280c8336502b
SHA512 350f004509873110c26cc26346484c6742a477cd6d02ec4af15def57dfcd631673cbc034dc10d4b05d2da56849c96ee699b08e7ff3f86260a86b96631f3c39d1

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f7115e3a437697be310e20f8829a0a2b
SHA1 eb6b45572197e8b2380daf41d953984500082ae3
SHA256 2c0f8a651a6c77a0081c09ff2c8138a6077535aa9a9a43b772acfffb33a042f8
SHA512 67ff070e02b1a0fd8ffb9076a4be3bb7a438891431fee1abffd18cba13905ba9123c8e31e5f327a498262d56118ecd04b4f97bd8dde61fb5489e0b4294b40838