Analysis Overview
SHA256
8da2f608528331dbd1ddcc3500575fcb54ebeab692b5865b22166f84e18285b3
Threat Level: Known bad
The file 1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 18:44
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 18:44
Reported
2024-05-19 18:47
Platform
win7-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/1964-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 48c25827d0468c208437fd2523217c7f |
| SHA1 | be7409cd8d43516fe108aa9975cce1f82f8bb4b1 |
| SHA256 | ad8565a16403aa4239029694ace79a6c4ed9939d76263fdf58acd88a1c9c2ba7 |
| SHA512 | 535ac55f9d3e4fa83a4b26219db80564a372e25347c7f0921958597bc8478f28955291d4d9d40bbf49bfd6cce44e745bfbf6e40c2b710fb7c0bdc46f6f65f1b0 |
memory/1964-9-0x0000000000220000-0x000000000024B000-memory.dmp
memory/1964-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2796-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2796-13-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 83b1d5ffcbdcac983d6eea3f46f37a42 |
| SHA1 | 8f1afdadc9d7bf4be8c0cd4945c96487c97dee43 |
| SHA256 | ad9f3b15f86394acb40ff7e6c1fab914c5a74ae6c717e0fcbf45946f74b8c43e |
| SHA512 | 0d390538e171fd4ecd9b19c1750e72af3b3d4a4aab7125ff31892e2a16e106ead92bc205e6780a51545f2ecf075798818635c0a73c80be5946b820b8f3071015 |
memory/2796-18-0x0000000000440000-0x000000000046B000-memory.dmp
memory/2796-24-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | dbe495da852b04916669af3bcf543e6d |
| SHA1 | c6ababcdc1984b7d4ab27dcdf8a9eeb4c8592a61 |
| SHA256 | 91ee4c3ee50bf1277478d019895981952f6a55faed72edd9850fd3718745e750 |
| SHA512 | 142398c4acbf34319f067996b1a8b498a2feb50989b29c4c5a25e44deadabdba95bb08d47eb6a4b151df43671b69f481cf617c4be435be6804e9f1ca8968a2b7 |
memory/1848-30-0x00000000003A0000-0x00000000003CB000-memory.dmp
memory/1848-36-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1692-38-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 18:44
Reported
2024-05-19 18:47
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1918d9b514799d520138f35cd790f970_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/1528-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 48c25827d0468c208437fd2523217c7f |
| SHA1 | be7409cd8d43516fe108aa9975cce1f82f8bb4b1 |
| SHA256 | ad8565a16403aa4239029694ace79a6c4ed9939d76263fdf58acd88a1c9c2ba7 |
| SHA512 | 535ac55f9d3e4fa83a4b26219db80564a372e25347c7f0921958597bc8478f28955291d4d9d40bbf49bfd6cce44e745bfbf6e40c2b710fb7c0bdc46f6f65f1b0 |
memory/1528-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1516-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1516-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 6f99c4dd71ec20667f75a9cc6f533892 |
| SHA1 | 5ebdbe0278560852d1b50513c6a0a5250d650976 |
| SHA256 | 337b3f4a3e5722ff07c943c22e7e453b64fe23cd6d210125a24c57475874e11e |
| SHA512 | ce1e597855cba128ad23af3635361f0f7973c38dbe170282479f55bd96192256879df392da8e0b7e1e05c51976b4b3afb8149199b933945e14a40cfc8410180a |
memory/1516-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3364-13-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 3e89e5c0df78fd2d446fe4f4f6cd3f09 |
| SHA1 | 3fb09031c2660ad56544c0e52585e7b1f97e731f |
| SHA256 | ba402fb1a953309bbc16b24d8bce2bb3848f3117904b3c291aad3e41a0ea5f3f |
| SHA512 | 2202cf1dc7b3ef2b9c8271e0e47a2570b0cf8bff7d85f68e248d382ac238e62d4117c3514627beedcceff506de98b72dbca050d37e20d5cb6949115dc0b2cae1 |
memory/3364-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4620-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4620-20-0x0000000000400000-0x000000000042B000-memory.dmp