Analysis Overview
SHA256: aa69c0e2a0bfc94d014b1fa0fac463d2c4db3b1998a19ac546f6124c2f0eeebe
Threat Level: Known bad
The file 706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 00:37
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 00:37
Reported
2024-05-20 00:39
Platform
win7-20240419-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
The third entry is launched with a System32 path but runs from SysWOW64: this is consistent with WoW64 file-system redirection for a 32-bit process, and matches the "File created" indicator above, which records the drop at C:\Windows\SysWOW64\omsecor.exe.
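The process list and the "Drops file in System32 directory" indicator together describe a short chain: the dropper in Local\Temp writes omsecor.exe into AppData\Roaming, that copy writes a second omsecor.exe into SysWOW64, and each copy launches the next. The following detection logic is an added example and is not part of the sandbox report. It uses Sysmon-style field names (EventID 1 for process creation, EventID 11 for file creation, Image, ParentImage, TargetFilename); the events it runs over are constructed from the paths in this report, and the dropper's parent (explorer.exe) is an assumption, since the report does not record it.

```python
"""
Added example: detect the drop-and-execute chain recorded in this report over
constructed Sysmon-style events. Not code from the report or the sandbox vendor.
"""
import re

# Paths under a user's AppData (dropper in ...\Local\Temp, first-stage copy in ...\Roaming).
USER_APPDATA = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.I)
# Protected system directories; a 32-bit process asking for System32 lands in SysWOW64.
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\", re.I)

# Paths taken from the report's process list.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe"
ROAMING_COPY = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64_COPY = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed sample events: the chain above plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe"},  # parent assumed
    {"EventID": 11, "Image": DROPPER, "TargetFilename": ROAMING_COPY},
    {"EventID": 1, "Image": ROAMING_COPY, "ParentImage": DROPPER},
    {"EventID": 11, "Image": ROAMING_COPY, "TargetFilename": SYSWOW64_COPY},
    {"EventID": 1, "Image": SYSWOW64_COPY, "ParentImage": ROAMING_COPY},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\vendor.dll"},  # installer, not a user-profile process
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def basename(path):
    """Last path component, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def user_process_writes_system_dir(ev):
    """EID 11: a process running from AppData creates a file in System32/SysWOW64
    (the report's 'Drops file in System32 directory' signature)."""
    return (ev.get("EventID") == 11
            and bool(USER_APPDATA.match(ev.get("Image", "")))
            and bool(SYSTEM_DIR.match(ev.get("TargetFilename", ""))))


def same_name_hop(ev):
    """EID 1: a child in System32/SysWOW64 shares its file name with a parent in
    AppData (omsecor.exe launching omsecor.exe)."""
    if ev.get("EventID") != 1:
        return False
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    return (bool(SYSTEM_DIR.match(image))
            and bool(USER_APPDATA.match(parent))
            and basename(image) == basename(parent))


def detect(events):
    """Return (rule, source, target) tuples for every event that matches a rule."""
    hits = []
    for ev in events:
        if user_process_writes_system_dir(ev):
            hits.append(("user_process_writes_system_dir", ev["Image"], ev["TargetFilename"]))
        if same_name_hop(ev):
            hits.append(("same_name_hop", ev["ParentImage"], ev["Image"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit, sep="  ")
```

The rules key on path and parent/child relationship rather than on file hashes. The Files section below shows why: the copies of omsecor.exe written to Roaming and SysWOW64 hash differently from one another, and the SysWOW64 copy differs between the Windows 7 and Windows 10 runs, so a hash blocklist built from one detonation would miss the next.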
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/2220-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 20e8bed9e68c38b88094f5f83c479997 |
| SHA1 | 2d9dd064010a88b0eb2e4064306d03471c61f9b7 |
| SHA256 | 8334c2c133b872ef3dfa01f8bed531f1f6c7b1d26478206925018bba2e7237b6 |
| SHA512 | f009588cba82af36b7f50fd7adee641d802c676c2b025d7f35f2479e519bad9f87a9bbfe74941468677398f0159876211d950606c1eba6c49ef67dc1e69674a0 |
memory/2120-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2220-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2120-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | fe0a4105723cc43552e5f41bf64ebe51 |
| SHA1 | 83bb927ea6500c603fefd3959f2d8d18cf31aecc |
| SHA256 | 19729763b77dd061dd94f74dd78073d16a2bfa7493bdda4fcb45e932e28a1485 |
| SHA512 | 13faca7c45499833e11e4acd26118657b45a45bb1158df4adeb9534cd4ec932302a2a6153568ac481067b6abdfdacd8871335478ffe3cdf2c5ca0b70910656f6 |
memory/2120-17-0x0000000000370000-0x000000000039A000-memory.dmp
memory/2120-24-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2276-25-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f3bb2cb15f052ef337541416e2b818df |
| SHA1 | 854174c27427c16ffcb21d94ae7199b870a97dc9 |
| SHA256 | 93ec7342cc4f1ea4dc2d18fc986c23151b7ebf48436d8dcf9eb47bd1a555783e |
| SHA512 | c9484dd7bd1d2d8a80e49aab5ecc90eb60924f9246bbd5e09f2d88b77778b84b9b0429ad64ebb4f6215994237fc24fcd5556e18541d2847f99fe3efe7ba79764 |
memory/2276-34-0x00000000003A0000-0x00000000003CA000-memory.dmp
memory/2276-35-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1956-37-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2276-39-0x00000000003A0000-0x00000000003CA000-memory.dmp
memory/1956-40-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 00:37
Reported
2024-05-20 00:40
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
As on Windows 7, the third entry is launched with a System32 path but runs from SysWOW64, consistent with WoW64 file-system redirection for a 32-bit process.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 84.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
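The Windows 10 network table mixes the sample's own traffic with background activity that was absent from the Windows 7 run: reverse (in-addr.arpa) lookups of addresses already contacted, and connections to bing.com and bing.net hosts. The script below is an added example, not part of the report, that separates candidate command-and-control endpoints from that noise. The rows are a subset copied from the table above; treating bing.com/bing.net as background traffic is an analyst assumption to be tuned per environment, and the same goes for the resolver address.

```python
"""
Added example: classify the rows of a sandbox network table into candidate C2
endpoints and background noise. Not code from the report or the sandbox vendor.
"""
import re
from collections import OrderedDict

# Subset of rows copied from the behavioral2 network table (report data, not constructed).
NETWORK_TABLE = """
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 84.117.19.2.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
"""

RESOLVER = "8.8.8.8:53"  # the sandbox's DNS resolver, seen in every udp row
# Assumption: bing.com/bing.net traffic is Windows 10 background activity, not the sample's.
BACKGROUND = re.compile(r"(^|\.)bing\.(com|net)$", re.I)


def parse_rows(table):
    """Turn '| Country | Destination | Domain | Proto |' lines into dicts."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Label one row; only 'candidate-c2' and 'dns-query' rows contribute IOCs."""
    domain = row["domain"].lower()
    if domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"      # reverse lookup of an IP already seen; adds no new IOC
    if BACKGROUND.search(domain):
        return "background"      # allowlisted OS/browser traffic
    if row["dest"] == RESOLVER:
        return "dns-query"       # the queried domain is an IOC, the resolver is not
    return "candidate-c2"


def extract_iocs(table):
    """Return the sample's domains and 'domain -> ip:port/proto' endpoints with hit counts."""
    domains, endpoints = set(), OrderedDict()
    for row in parse_rows(table):
        kind = classify(row)
        if kind in ("ptr-lookup", "background"):
            continue
        domains.add(row["domain"].lower())
        if kind == "candidate-c2":
            key = f"{row['domain']} -> {row['dest']}/{row['proto']}"
            endpoints[key] = endpoints.get(key, 0) + 1
    return {"domains": sorted(domains), "endpoints": endpoints}


if __name__ == "__main__":
    result = extract_iocs(NETWORK_TABLE)
    print("domains:", ", ".join(result["domains"]))
    for endpoint, count in result["endpoints"].items():
        print(f"{count}x  {endpoint}")
```

Run against the full table, this yields the same three domains and three plain-HTTP endpoints that the Windows 7 run contacted, which is the set worth pushing to network blocklists; the bing.com and in-addr.arpa rows are dropped rather than blocked.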
Files
memory/404-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3792-4-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 20e8bed9e68c38b88094f5f83c479997 |
| SHA1 | 2d9dd064010a88b0eb2e4064306d03471c61f9b7 |
| SHA256 | 8334c2c133b872ef3dfa01f8bed531f1f6c7b1d26478206925018bba2e7237b6 |
| SHA512 | f009588cba82af36b7f50fd7adee641d802c676c2b025d7f35f2479e519bad9f87a9bbfe74941468677398f0159876211d950606c1eba6c49ef67dc1e69674a0 |
memory/404-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3792-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 83a8bd93fb1a307b2058e272d55983e9 |
| SHA1 | 23ff5e278f0a6d7157058cd78a94cb540e6a2129 |
| SHA256 | 31924652140324fbbe7d011630d11504438e8aca83bcc9ea67d166b489b6be39 |
| SHA512 | 44cd40eb0ae3bd9f4a1ba24f1ab437fbb9a65cfd1aec00cd07c9194677d07a7c96426c0b4ea178b0e8465acfb76e0c9fde8e7552f031973c3370702af0388aff |
memory/3792-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2052-13-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 72e02c826aaa25e83f6649c02ec3c895 |
| SHA1 | 828f1dba0a2a12df7402544a604066b6a10ac6e5 |
| SHA256 | 005e45f3f2c1e553117497a629e793cac4a8eca8a077490da7b1bebce94d0beb |
| SHA512 | 9c562d8cc968caee269294cfa44b13bda9ab53e67dc12ce571b6a9b4647703a8315ed233885bea76aa9ddcb942f4273dd4992ac5f5f0332e0b192fc77638755c |
memory/2052-17-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2896-18-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2896-20-0x0000000000400000-0x000000000042A000-memory.dmp