Analysis Overview
SHA256: a7938f49caef03c60b55d5d71e1673c67537f8ad1c64744ee615dd83bea11b8e
Threat Level: Known bad
The file 3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
| Field | Value |
| --- | --- |
| Reported | 2024-05-19 21:22 |
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-05-19 21:22 |
| Reported | 2024-05-19 21:25 |
| Platform | win7-20240508-en |
| Max time kernel | 146s |
| Max time network | 150s |
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | c16c23cb422e27e6288b2e9795b13c69 |
| SHA1 | 64330f456ed162c016ed4f184022d3bab5aff088 |
| SHA256 | f0c01af3149a18f869ab44b4ba73461c013c18c60505eab2eecdd5fc060543b6 |
| SHA512 | dac7840b0148627db36ab23fede7e02cc8296930baebf89667243279bd5b272b71a10636641a282521a0add78442da0d5789fc481da915ba1f6944b26ed1f4bb |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 60ee484a10ee4f8ea5e8fab8305aeef8 |
| SHA1 | 3f73a8abcdd9ea51bc33b1404e57d6e92aa14d33 |
| SHA256 | c5077413784f6757d3dacc97f0380ee5c908a13eeabb04726ef5e480d7d7ed84 |
| SHA512 | 78388d4e92ec68d7ab497c89589489807b1d5fa183c51a116a8b7f44b5e4035402effa60f77d1b66d34550d8bc7c583cd264757d8d3e32e64cf152f6a95a09f9 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | d1309edc22952e245c3c610668b9ad0c |
| SHA1 | 8a0274c1fb6979773a3a61c040bbaa06440c26d6 |
| SHA256 | c8b349f88ae43b0d2a1c01cf191ee990c8e6e5dfd859d7de4a40c8ec74092bf3 |
| SHA512 | a4782cd5d576cd79857b820813dc81143b930163e34debaffbefcd0fefcc79d95d5a21cd520fc1741472caba50be1c568021bcfaa606376530c409a565c5b661 |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-05-19 21:22 |
| Reported | 2024-05-19 21:25 |
| Platform | win10v2004-20240426-en |
| Max time kernel | 145s |
| Max time network | 151s |
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3d0b3b6e5fd1fc7c2c71c954e69b60b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | c16c23cb422e27e6288b2e9795b13c69 |
| SHA1 | 64330f456ed162c016ed4f184022d3bab5aff088 |
| SHA256 | f0c01af3149a18f869ab44b4ba73461c013c18c60505eab2eecdd5fc060543b6 |
| SHA512 | dac7840b0148627db36ab23fede7e02cc8296930baebf89667243279bd5b272b71a10636641a282521a0add78442da0d5789fc481da915ba1f6944b26ed1f4bb |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 37523b60fd94ef3b783fb1fc33d12ba4 |
| SHA1 | c2abb44bea434c2aad6b7470889dd2d7a1758e94 |
| SHA256 | 278aa43c80dd3cb5393532b6b0648c4d201cf1abab0009ae1d27235d88a08860 |
| SHA512 | 91e60e92f4c87cd961953b98fa8695f78c19647198ff52900e2f0e17524d34c0988b8f52e3710db8b8b0505acf2436388f6b33d3804a2ac948f633a25bd67473 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | d878db040db9df6428f7bf8e39797aaf |
| SHA1 | 5fe04fb5c3967f32c6432c0ab61362e98cbede80 |
| SHA256 | a8e1bdb08f7d9ef82901f4d1853d9887722b4a5c29595d589c5a2088efbfe50a |
| SHA512 | 67c3ee0235820ff09aeec299be67cbd10dee4ecf6d0b5ba7536ee6a6487289605b4f6e94276253a73cc58b266355f071f3dcfa3fc237b58128f21940e26bed71 |