Malware Analysis Report

2024-11-16 13:01

Sample ID 240519-zees1agf93
Target 33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
SHA256 c6c1b6c6b2c8b4a507d4eb4ecda9cfeb0cfb66c4dcdea0a44eb655e9d841292e
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c6c1b6c6b2c8b4a507d4eb4ecda9cfeb0cfb66c4dcdea0a44eb655e9d841292e

Threat Level: Known bad

The file 33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 20:37

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 20:37

Reported

2024-05-19 20:40

Platform

win7-20240419-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2288 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2288 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2288 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2288 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2292 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2292 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2292 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2292 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2636 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2636 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2636 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2636 wrote to memory of 3020 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ce9c4280dd4ff278815e58d38638c24a
SHA1 02c2e5d37527af5281e6b358ba9d8e139de31d2c
SHA256 6540ec62a6824fd7f0085f0b5dfc71e86db5dd16c167a634f7e5367a126624ba
SHA512 34792c79b02fd9dc3aac3980a3477bfc99c3fc7f4360a7a9d2e989ffe5ce99dd96d64f5cc70906bc2cad9ef23c4723f19ce81c19e4a45db6554dda87cb0af1c6

\Windows\SysWOW64\omsecor.exe

MD5 33b0d0d54a1068a7c379e6c615772a17
SHA1 3c8431d6d51dbabf4c599b2e367e59948b44f4bf
SHA256 26fb046da3497da0c88d7b0104bfcddfb2e3971f19ff96b71d1e97fd512bf4a1
SHA512 383891758d5f1765b99e6c4b1edb46ded432b911cc6fc894535e082c95315bf6a612ed753505564e7ee6ab8f9223a4ae2fe85efe783514de46fee408697235bf

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c7df93f110b623c5beaa22b96dfe63a6
SHA1 bb47f351b89c0a0d4ce40444242327fdd6923dd3
SHA256 57c1cce8db1f3f66aaf876e4f04293f2543293511057e136c3524005b597f685
SHA512 4967bd8a8740636dca28593678f80724d9a8b54fa856abf7486a4dfa5ec984678db1b059425256b7ff6c26711f688fd89075adfdbe5bef68564d0d781608625c

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 20:37

Reported

2024-05-19 20:40

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ce9c4280dd4ff278815e58d38638c24a
SHA1 02c2e5d37527af5281e6b358ba9d8e139de31d2c
SHA256 6540ec62a6824fd7f0085f0b5dfc71e86db5dd16c167a634f7e5367a126624ba
SHA512 34792c79b02fd9dc3aac3980a3477bfc99c3fc7f4360a7a9d2e989ffe5ce99dd96d64f5cc70906bc2cad9ef23c4723f19ce81c19e4a45db6554dda87cb0af1c6

C:\Windows\SysWOW64\omsecor.exe

MD5 7b154f209e4c10cfdeb5cbf3dac832d1
SHA1 de5173061ab7e3ff3331b9fc7e53269f283513f0
SHA256 7c84573635f429bd0b7d6c0a0273aceda1e2c821addd0d52ae2d06899c736801
SHA512 835163bc482a3401e7bbc36263a7a45474a49f4d4d748f2b06fcee419f4cfad31592cabd4c46300fc8514d0cb947c6d34ab2eee4a91df5cf509c54ea93b2abb3

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c5ad14a538c9584c45fb4050617364c2
SHA1 3358d50d96599810e4d0a7642e6b364fb26208de
SHA256 1c0dba80ac3a5128396476897f538cdb76208d45b3c966c6d0cdbe1688d988ac
SHA512 0b2d65d8a0d3405c64e1c78b39ae701938230d19f47146fc641736e7b9d4061e346c2f91a639b647dc09708c09c946ffbcec9e559500dd431edce6226329c931