Analysis Overview
SHA256
c6c1b6c6b2c8b4a507d4eb4ecda9cfeb0cfb66c4dcdea0a44eb655e9d841292e
Threat Level: Known bad
The file 33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-19 20:37
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 20:37
Reported
2024-05-19 20:40
Platform
win7-20240419-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | ce9c4280dd4ff278815e58d38638c24a |
| SHA1 | 02c2e5d37527af5281e6b358ba9d8e139de31d2c |
| SHA256 | 6540ec62a6824fd7f0085f0b5dfc71e86db5dd16c167a634f7e5367a126624ba |
| SHA512 | 34792c79b02fd9dc3aac3980a3477bfc99c3fc7f4360a7a9d2e989ffe5ce99dd96d64f5cc70906bc2cad9ef23c4723f19ce81c19e4a45db6554dda87cb0af1c6 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 33b0d0d54a1068a7c379e6c615772a17 |
| SHA1 | 3c8431d6d51dbabf4c599b2e367e59948b44f4bf |
| SHA256 | 26fb046da3497da0c88d7b0104bfcddfb2e3971f19ff96b71d1e97fd512bf4a1 |
| SHA512 | 383891758d5f1765b99e6c4b1edb46ded432b911cc6fc894535e082c95315bf6a612ed753505564e7ee6ab8f9223a4ae2fe85efe783514de46fee408697235bf |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | c7df93f110b623c5beaa22b96dfe63a6 |
| SHA1 | bb47f351b89c0a0d4ce40444242327fdd6923dd3 |
| SHA256 | 57c1cce8db1f3f66aaf876e4f04293f2543293511057e136c3524005b597f685 |
| SHA512 | 4967bd8a8740636dca28593678f80724d9a8b54fa856abf7486a4dfa5ec984678db1b059425256b7ff6c26711f688fd89075adfdbe5bef68564d0d781608625c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 20:37
Reported
2024-05-19 20:40
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33853b1d020011dc876783e07d8b7230_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | ce9c4280dd4ff278815e58d38638c24a |
| SHA1 | 02c2e5d37527af5281e6b358ba9d8e139de31d2c |
| SHA256 | 6540ec62a6824fd7f0085f0b5dfc71e86db5dd16c167a634f7e5367a126624ba |
| SHA512 | 34792c79b02fd9dc3aac3980a3477bfc99c3fc7f4360a7a9d2e989ffe5ce99dd96d64f5cc70906bc2cad9ef23c4723f19ce81c19e4a45db6554dda87cb0af1c6 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 7b154f209e4c10cfdeb5cbf3dac832d1 |
| SHA1 | de5173061ab7e3ff3331b9fc7e53269f283513f0 |
| SHA256 | 7c84573635f429bd0b7d6c0a0273aceda1e2c821addd0d52ae2d06899c736801 |
| SHA512 | 835163bc482a3401e7bbc36263a7a45474a49f4d4d748f2b06fcee419f4cfad31592cabd4c46300fc8514d0cb947c6d34ab2eee4a91df5cf509c54ea93b2abb3 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | c5ad14a538c9584c45fb4050617364c2 |
| SHA1 | 3358d50d96599810e4d0a7642e6b364fb26208de |
| SHA256 | 1c0dba80ac3a5128396476897f538cdb76208d45b3c966c6d0cdbe1688d988ac |
| SHA512 | 0b2d65d8a0d3405c64e1c78b39ae701938230d19f47146fc641736e7b9d4061e346c2f91a639b647dc09708c09c946ffbcec9e559500dd431edce6226329c931 |