Malware Analysis Report

2024-11-16 13:00

Sample ID 240519-z79h3saf41
Target 3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe
SHA256 a7938f49caef03c60b55d5d71e1673c67537f8ad1c64744ee615dd83bea11b8e
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 a7938f49caef03c60b55d5d71e1673c67537f8ad1c64744ee615dd83bea11b8e

Threat Level: Known bad

The file 3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 21:22

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 21:22

Reported

2024-05-19 21:25

Platform

win7-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1700 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1700 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1700 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1700 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1684 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1684 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1684 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1684 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1556 wrote to memory of 1816 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1556 wrote to memory of 1816 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1556 wrote to memory of 1816 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1556 wrote to memory of 1816 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c16c23cb422e27e6288b2e9795b13c69
SHA1 64330f456ed162c016ed4f184022d3bab5aff088
SHA256 f0c01af3149a18f869ab44b4ba73461c013c18c60505eab2eecdd5fc060543b6
SHA512 dac7840b0148627db36ab23fede7e02cc8296930baebf89667243279bd5b272b71a10636641a282521a0add78442da0d5789fc481da915ba1f6944b26ed1f4bb

\Windows\SysWOW64\omsecor.exe

MD5 60ee484a10ee4f8ea5e8fab8305aeef8
SHA1 3f73a8abcdd9ea51bc33b1404e57d6e92aa14d33
SHA256 c5077413784f6757d3dacc97f0380ee5c908a13eeabb04726ef5e480d7d7ed84
SHA512 78388d4e92ec68d7ab497c89589489807b1d5fa183c51a116a8b7f44b5e4035402effa60f77d1b66d34550d8bc7c583cd264757d8d3e32e64cf152f6a95a09f9

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d1309edc22952e245c3c610668b9ad0c
SHA1 8a0274c1fb6979773a3a61c040bbaa06440c26d6
SHA256 c8b349f88ae43b0d2a1c01cf191ee990c8e6e5dfd859d7de4a40c8ec74092bf3
SHA512 a4782cd5d576cd79857b820813dc81143b930163e34debaffbefcd0fefcc79d95d5a21cd520fc1741472caba50be1c568021bcfaa606376530c409a565c5b661

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 21:22

Reported

2024-05-19 21:25

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network


Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c16c23cb422e27e6288b2e9795b13c69
SHA1 64330f456ed162c016ed4f184022d3bab5aff088
SHA256 f0c01af3149a18f869ab44b4ba73461c013c18c60505eab2eecdd5fc060543b6
SHA512 dac7840b0148627db36ab23fede7e02cc8296930baebf89667243279bd5b272b71a10636641a282521a0add78442da0d5789fc481da915ba1f6944b26ed1f4bb

C:\Windows\SysWOW64\omsecor.exe

MD5 37523b60fd94ef3b783fb1fc33d12ba4
SHA1 c2abb44bea434c2aad6b7470889dd2d7a1758e94
SHA256 278aa43c80dd3cb5393532b6b0648c4d201cf1abab0009ae1d27235d88a08860
SHA512 91e60e92f4c87cd961953b98fa8695f78c19647198ff52900e2f0e17524d34c0988b8f52e3710db8b8b0505acf2436388f6b33d3804a2ac948f633a25bd67473

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d878db040db9df6428f7bf8e39797aaf
SHA1 5fe04fb5c3967f32c6432c0ab61362e98cbede80
SHA256 a8e1bdb08f7d9ef82901f4d1853d9887722b4a5c29595d589c5a2088efbfe50a
SHA512 67c3ee0235820ff09aeec299be67cbd10dee4ecf6d0b5ba7536ee6a6487289605b4f6e94276253a73cc58b266355f071f3dcfa3fc237b58128f21940e26bed71