Malware Analysis Report

2024-11-16 13:01

Sample ID 240519-tv1grafc8x
Target f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe
SHA256 08ec2af680d9e1a17e8a14f174f85f84e18c0d77b0ba5edfa74d0c02495e2124
Tags
neconyd trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08ec2af680d9e1a17e8a14f174f85f84e18c0d77b0ba5edfa74d0c02495e2124

Threat Level: Known bad

The file f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 16:23

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 matches, no per-indicator detail recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 16:23

Reported

2024-05-19 16:25

Platform

win7-20240419-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (17 matches, no per-indicator detail recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 3000 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3000 wrote to memory of 1220 (4 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1220 wrote to memory of 2412 (4 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Each process in the chain writes into the address space of the copy it has just launched, four times per parent/child pair. The sandbox records the WriteProcessMemory call, not the contents written.

Processes

Process chain (indentation shows parent/child; PIDs are taken from the WriteProcessMemory events above; each entry gives the image path and, below it, the command line):

PID 1600  C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe"

    PID 3000  C:\Users\Admin\AppData\Roaming\omsecor.exe
              C:\Users\Admin\AppData\Roaming\omsecor.exe

        PID 1220  C:\Windows\SysWOW64\omsecor.exe
                  C:\Windows\System32\omsecor.exe

            PID 2412  C:\Users\Admin\AppData\Roaming\omsecor.exe
                      C:\Users\Admin\AppData\Roaming\omsecor.exe

Note on the third entry: the command line reads C:\Windows\System32\omsecor.exe while the file on disk is C:\Windows\SysWOW64\omsecor.exe. The copy is a 32-bit process on 64-bit Windows, where the WOW64 file system redirector presents SysWOW64 to 32-bit code under the System32 name; it is one file, and a hunt on the host should look in SysWOW64. Writing there requires administrative rights, which the sandbox user Admin has; on a standard-user host the drop would fail with access denied.
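The drop / spawn / WriteProcessMemory chain above is the behaviour a detection should key on: a process drops a copy of itself, launches it, then writes into the new process. The script below is an added example, not part of the sandbox report or of any vendor tooling. It rebuilds that chain from a constructed event log whose PIDs and paths are copied from the behavioral1 tables; the tuple layout is this script's own assumption, not a sandbox export format, and it assumes (from the order of the Files listing) that the SysWOW64 copy re-writes the Roaming copy before launching it.

```python
"""Rebuild the drop / spawn / WriteProcessMemory chain from sandbox events."""
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed event log modelled on the behavioral1 tables of this report.
# Tuple layout (an assumption of this script, not a sandbox export format):
#   (event, actor_pid, target_pid, path)
#   process_start: actor spawns target from image `path` (actor 0 = sandbox launcher)
#   file_create:   actor writes file `path` (target unused, 0)
#   write_memory:  actor calls WriteProcessMemory on target, whose image is `path`
EVENTS = (
    [("process_start", 0, 1600, SAMPLE),
     ("file_create", 1600, 0, ROAMING),
     ("process_start", 1600, 3000, ROAMING)]
    + [("write_memory", 1600, 3000, ROAMING)] * 4
    + [("file_create", 3000, 0, SYSWOW),
       ("process_start", 3000, 1220, SYSWOW)]
    + [("write_memory", 3000, 1220, SYSWOW)] * 4
    + [("file_create", 1220, 0, ROAMING),          # assumed: see lead-in
       ("process_start", 1220, 2412, ROAMING)]
    + [("write_memory", 1220, 2412, ROAMING)] * 4
)


def process_tree(events):
    """Map child pid -> (parent pid, image path) from process_start events."""
    return {child: (parent, path)
            for ev, parent, child, path in events if ev == "process_start"}


def files_dropped_by(events):
    """Map actor pid -> set of lower-cased paths that process created."""
    drops = {}
    for ev, actor, _, path in events:
        if ev == "file_create":
            drops.setdefault(actor, set()).add(path.lower())
    return drops


def write_chain(events):
    """Collapse repeated WriteProcessMemory events into one record per
    (writer, target) pair, in first-seen order, and mark whether the target
    is a child the writer itself launched from a file the writer dropped.
    That combination (drop a copy, spawn it, write into it) is the pattern
    to alert on; a write into an unrelated process is still listed, with
    both booleans False."""
    tree = process_tree(events)
    drops = files_dropped_by(events)
    counts = Counter((a, t) for ev, a, t, _ in events if ev == "write_memory")
    chain = []
    for (writer, target), n in counts.items():
        parent, image = tree.get(target, (None, None))
        chain.append({
            "writer": writer,
            "target": target,
            "writes": n,
            "target_is_child": parent == writer,
            "target_image_dropped_by_writer":
                image is not None and image.lower() in drops.get(writer, set()),
        })
    return chain


def windows_dir_drops(events, windir="c:\\windows\\"):
    """Files created under the Windows directory (needs admin rights; the
    sandbox user is Admin, a standard user would get access denied)."""
    return sorted({path for ev, _, _, path in events
                   if ev == "file_create" and path.lower().startswith(windir)})


if __name__ == "__main__":
    for rec in write_chain(EVENTS):
        print(f"PID {rec['writer']} -> PID {rec['target']}: {rec['writes']} writes, "
              f"child={rec['target_is_child']}, "
              f"self-dropped image={rec['target_image_dropped_by_writer']}")
    print("dropped under Windows dir:", windows_dir_drops(EVENTS))
```

Run as a script it prints the three collapsed parent/child records, each marked as a write into a self-dropped child, and the single drop under C:\Windows. Feeding it real EDR or Sysmon events only needs the tuple builder replaced; the chain logic is unchanged.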

Network

The sample resolves three domains through 8.8.8.8 and contacts each over plain HTTP (tcp/80), no TLS. The same three domains and IPs recur in behavioral2, which makes them the most stable network indicators in this report.

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1600-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7e8ade6d5357893def7071140dff6f30
SHA1 a7d883fe8e4344cf422ece5e06fbabd04627a568
SHA256 ade72ea8b9797d187e0fdb5b425620fa1d6dee780625f96e6fb552d91ff33b17
SHA512 1745702e1670f1f129be21554101aa71235df82f60d061607b6d70c0c8e484bbf6de1766de5f3d760b342beaf8f1988f7d2ab2fdfb6df3d05c6ba009f0145d40

memory/1600-4-0x0000000000230000-0x000000000025D000-memory.dmp

memory/3000-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1600-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3000-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3000-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3000-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3000-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 1886ecf7911fc45e2b01ddbb0c10ffca
SHA1 93b3fafff7f23d558492197ebd4ec2bc7b19927b
SHA256 600adc28534e98cb4737436e0601497e1f627841238ebb123c5506a69e93d7f6
SHA512 33647bac8341f6c4e2f764a1089622602b9bb4e8e1abcd56c1e49c7a3ae45eb12a7239ace446f70ca90ed392cf84bf0000baa481bf29eb7616c77a3f1b17f46c

memory/3000-26-0x0000000000290000-0x00000000002BD000-memory.dmp

memory/3000-34-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d7b126af241a909837b08f6b6518dd0c
SHA1 aff1656886a6b73ff7509456d29ac5bf56a517db
SHA256 92404d891f448b7f9918442681650a6ee7cd4cb98a58c125019b669ef6a13f83
SHA512 1f330753c898bc6339bb95c33ba74c01684d6140a53b55bae964089624465d53e2181b0fcad69e300224445887302e04b1de946a47eecdb3894fe4b6bae121a6

memory/1220-37-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2412-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2412-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2412-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 16:23

Reported

2024-05-19 16:26

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (16 matches, no per-indicator detail recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Process chain (indentation shows parent/child; no WriteProcessMemory events were recorded in this run, so PIDs are not attributed here; each entry gives the image path and, below it, the command line):

C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f1443d530c33991545851fd1fc8f64d0_NeikiAnalytics.exe"

    C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

        C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe

            C:\Users\Admin\AppData\Roaming\omsecor.exe
            C:\Users\Admin\AppData\Roaming\omsecor.exe

The System32 path in the third command line is the WOW64 redirected view of the SysWOW64 file seen by the 32-bit process; there is one file, at C:\Windows\SysWOW64\omsecor.exe.

Network

Only part of this table is the sample's traffic. The *.in-addr.arpa rows are reverse (PTR) lookups of IPs that were contacted and are most likely issued by the analysis environment, and the bing.com / bing.net connections are expected Windows 10 background traffic. The sample's own activity is the same as in behavioral1: DNS via 8.8.8.8 for lousta.net, mkkuei4kdsz.com and ow5dirasuek.com, then HTTP (tcp/80) to 193.166.255.171, 64.225.91.73 and 35.91.124.102.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp
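Separating the sample's traffic from the environment's is the first thing to do with a network table like this one before any of it becomes a blocklist entry. The script below is an added example, not part of the sandbox report; it parses a constructed copy of the behavioral2 rows above, discards PTR lookups and, as a labelled assumption, Bing background traffic, and returns the resolved names with the endpoints the sample then connected to.

```python
"""Pull sample IOCs out of a sandbox network table, dropping environment noise."""
from collections import Counter

# Constructed copy of the behavioral2 Network rows of this report:
# country, destination ip:port, domain, proto.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp
"""

# Assumptions of this script: the environment's resolver is 8.8.8.8, and
# Bing traffic is Windows 10 background noise rather than sample activity.
RESOLVER = "8.8.8.8"
BACKGROUND_SUFFIXES = ("bing.com", "bing.net")


def parse_rows(text):
    """Split the four-column table into dicts; port becomes an int."""
    rows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def classify(row):
    """'ptr' for reverse lookups, 'background' for allowlisted noise, else 'sample'."""
    domain = row["domain"]
    if domain.endswith(".in-addr.arpa"):
        return "ptr"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "sample"


def extract_iocs(text):
    """Domains the sample resolved, with the endpoints it then connected to.
    A DNS query row contributes the name only; connection rows add ip/port."""
    iocs = {}
    for row in parse_rows(text):
        if classify(row) != "sample":
            continue
        entry = iocs.setdefault(row["domain"],
                                {"ips": set(), "ports": set(), "connections": 0})
        if row["ip"] == RESOLVER and row["port"] == 53:
            continue
        entry["ips"].add(row["ip"])
        entry["ports"].add(row["port"])
        entry["connections"] += 1
    return {d: {"ips": sorted(e["ips"]), "ports": sorted(e["ports"]),
                "connections": e["connections"]} for d, e in iocs.items()}


def row_categories(text):
    """How many rows fell into each class; a sanity check on the allowlist."""
    return dict(Counter(classify(r) for r in parse_rows(text)))


if __name__ == "__main__":
    print(row_categories(NETWORK_ROWS))
    for domain, entry in extract_iocs(NETWORK_ROWS).items():
        print(domain, entry)
```

Run as a script it reports 17 PTR rows, 8 background rows and 10 sample rows, and yields exactly three domains, each tied to one IP on port 80. The suffix allowlist is deliberately small; extend it from a clean baseline run of the same platform image rather than from guesswork, since an over-broad allowlist is how a real C2 on a CDN gets filtered out.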

Files

Dropped copies and hashes: the first C:\Users\Admin\AppData\Roaming\omsecor.exe has the same hash in both runs (MD5 7e8ade6d5357893def7071140dff6f30), but the C:\Windows\SysWOW64\omsecor.exe copy and the second Roaming copy differ from it, from each other, and between the two runs. Fixed-hash blocking of the dropped copies will therefore not hold; the file name omsecor.exe in %APPDATA% and SysWOW64, and the three domains above, are the indicators that survive across runs. Every memory dump in both runs covers 0x400000-0x42D000 (0x2D000 bytes): each copy is the same image, mapped at the 32-bit default base without ASLR relocation.

memory/5048-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7e8ade6d5357893def7071140dff6f30
SHA1 a7d883fe8e4344cf422ece5e06fbabd04627a568
SHA256 ade72ea8b9797d187e0fdb5b425620fa1d6dee780625f96e6fb552d91ff33b17
SHA512 1745702e1670f1f129be21554101aa71235df82f60d061607b6d70c0c8e484bbf6de1766de5f3d760b342beaf8f1988f7d2ab2fdfb6df3d05c6ba009f0145d40

memory/5048-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1492-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1492-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1492-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1492-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1492-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 fe4fa743c6f809a602615438c45d3522
SHA1 346515e9205420d1d2c911bb22ee842c29691712
SHA256 2ca41985efceed751b1ed8f214bc65c5e17923f2089b2a0602f44578e60de93b
SHA512 a2e074b50520d8a0658ad59a77b18a39b7416b1024fd72d222be08a70014eeb4a72c9926f345cab0baa8cb2b211e0f1970ba0f92c3b42c4bc0d60d6673136a47

memory/1492-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3416-22-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dd326c2717746f2692e70360e6b027c8
SHA1 2a7fb8cb3f5ef45a989347971a750c4605449418
SHA256 6225756162730bbd54f2f60d98d6e7a19892681f708e52d69619c215226e55a0
SHA512 f2a7a544f77287a0d106740505c6a113738e296b5ed600c565843647da81a060c77e8ae45d3bb4ba7496aede5238825dc6bee83c286790840d118b2a827a63b3

memory/3416-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3672-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3672-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3672-33-0x0000000000400000-0x000000000042D000-memory.dmp