Analysis Overview
SHA256
13473a8ea2c2ef9ff7e052c636da90019ae5dd2c5213f5a98bfd78831f224e87
Threat Level: Known bad
The file eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 15:57
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 15:57
Reported
2024-05-19 16:00
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
135s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| BE | 2.17.107.130:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 130.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 4e5fff3cdec056e923c95d1e4153b595 |
| SHA1 | bc9a7e659dfc1b7f35b5b441c848773085b21e53 |
| SHA256 | 3154f7eef2e1ddf6471f36894fdb013844d60c9e2f156802d9132de4f7e855a1 |
| SHA512 | 36a1594482aab2d174ccd522ffbc7fc97f461deeb3e4fdc5fbe1ce8e8f2e5490e94a158e8bc73716f9261ca92f115397ebca55c354bddc8e5cf16152e45e3bd7 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 1ab0e7ada645552ad0638fec17a5327f |
| SHA1 | a2ca38911519f4795a59da504ae223128fbea811 |
| SHA256 | 3482bbeb935402bb77cd9ec0d6f664dcd473e3a8668d42e8dfc2d6af635652f8 |
| SHA512 | 4876b4983eda25405322cef741fd9e5d2ca544a8f4ab92bda0f5fa5f726e0b25d16346b5b4642d6a458f88352f840fd80c70f54ebefbc2928f0a9e19343208b7 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 9e19607babf6d02c65b7af363c3f2ac5 |
| SHA1 | 106b0f4a0d0add5a837125c2212aa0d242f868a4 |
| SHA256 | 558cd1d450d62ee4e3f745dd1f1c3a6b127d4186540646303125d7b625be4cca |
| SHA512 | ff9dbfc3ae62ff81d197a50a1d1fe35a3739455a85eebd9d866b56897047d33d1d25d561c08c4c18fe5fe46261a048d8a361f8033a3f4687b78d6dc854bd53fc |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 15:57
Reported
2024-05-19 16:00
Platform
win7-20231129-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\eb1e83c18cc7a8366a0fbe64d952bf60_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 4e5fff3cdec056e923c95d1e4153b595 |
| SHA1 | bc9a7e659dfc1b7f35b5b441c848773085b21e53 |
| SHA256 | 3154f7eef2e1ddf6471f36894fdb013844d60c9e2f156802d9132de4f7e855a1 |
| SHA512 | 36a1594482aab2d174ccd522ffbc7fc97f461deeb3e4fdc5fbe1ce8e8f2e5490e94a158e8bc73716f9261ca92f115397ebca55c354bddc8e5cf16152e45e3bd7 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 17703fe2addd2e12997845ba2a5f016e |
| SHA1 | 294753dab776cbadfb86ebfaff1fed35335654aa |
| SHA256 | e883959249ffce31167dcc92473cd4b3e6a72cfb9015d1bfec43280c8336502b |
| SHA512 | 350f004509873110c26cc26346484c6742a477cd6d02ec4af15def57dfcd631673cbc034dc10d4b05d2da56849c96ee699b08e7ff3f86260a86b96631f3c39d1 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | f7115e3a437697be310e20f8829a0a2b |
| SHA1 | eb6b45572197e8b2380daf41d953984500082ae3 |
| SHA256 | 2c0f8a651a6c77a0081c09ff2c8138a6077535aa9a9a43b772acfffb33a042f8 |
| SHA512 | 67ff070e02b1a0fd8ffb9076a4be3bb7a438891431fee1abffd18cba13905ba9123c8e31e5f327a498262d56118ecd04b4f97bd8dde61fb5489e0b4294b40838 |