Malware Analysis Report

2024-11-16 13:01

Sample ID 240520-ayppwabe91
Target 706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe
SHA256 aa69c0e2a0bfc94d014b1fa0fac463d2c4db3b1998a19ac546f6124c2f0eeebe
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

aa69c0e2a0bfc94d014b1fa0fac463d2c4db3b1998a19ac546f6124c2f0eeebe

Threat Level: Known bad

The file 706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 00:37

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 00:37

Reported

2024-05-20 00:39

Platform

win7-20240419-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2220 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2220 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2220 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2220 wrote to memory of 2120 | N/A | C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2120 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2120 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2120 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2120 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2276 wrote to memory of 1956 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2276 wrote to memory of 1956 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2276 wrote to memory of 1956 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2276 wrote to memory of 1956 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

memory/2220-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 20e8bed9e68c38b88094f5f83c479997
SHA1 2d9dd064010a88b0eb2e4064306d03471c61f9b7
SHA256 8334c2c133b872ef3dfa01f8bed531f1f6c7b1d26478206925018bba2e7237b6
SHA512 f009588cba82af36b7f50fd7adee641d802c676c2b025d7f35f2479e519bad9f87a9bbfe74941468677398f0159876211d950606c1eba6c49ef67dc1e69674a0

memory/2120-11-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2220-8-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2120-12-0x0000000000400000-0x000000000042A000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 fe0a4105723cc43552e5f41bf64ebe51
SHA1 83bb927ea6500c603fefd3959f2d8d18cf31aecc
SHA256 19729763b77dd061dd94f74dd78073d16a2bfa7493bdda4fcb45e932e28a1485
SHA512 13faca7c45499833e11e4acd26118657b45a45bb1158df4adeb9534cd4ec932302a2a6153568ac481067b6abdfdacd8871335478ffe3cdf2c5ca0b70910656f6

memory/2120-17-0x0000000000370000-0x000000000039A000-memory.dmp

memory/2120-24-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2276-25-0x0000000000400000-0x000000000042A000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f3bb2cb15f052ef337541416e2b818df
SHA1 854174c27427c16ffcb21d94ae7199b870a97dc9
SHA256 93ec7342cc4f1ea4dc2d18fc986c23151b7ebf48436d8dcf9eb47bd1a555783e
SHA512 c9484dd7bd1d2d8a80e49aab5ecc90eb60924f9246bbd5e09f2d88b77778b84b9b0429ad64ebb4f6215994237fc24fcd5556e18541d2847f99fe3efe7ba79764

memory/2276-34-0x00000000003A0000-0x00000000003CA000-memory.dmp

memory/2276-35-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1956-37-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2276-39-0x00000000003A0000-0x00000000003CA000-memory.dmp

memory/1956-40-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 00:37

Reported

2024-05-20 00:40

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\706c96ef2f50e22a23524c700d8788a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 84.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/404-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3792-4-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 20e8bed9e68c38b88094f5f83c479997
SHA1 2d9dd064010a88b0eb2e4064306d03471c61f9b7
SHA256 8334c2c133b872ef3dfa01f8bed531f1f6c7b1d26478206925018bba2e7237b6
SHA512 f009588cba82af36b7f50fd7adee641d802c676c2b025d7f35f2479e519bad9f87a9bbfe74941468677398f0159876211d950606c1eba6c49ef67dc1e69674a0

memory/404-5-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3792-7-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 83a8bd93fb1a307b2058e272d55983e9
SHA1 23ff5e278f0a6d7157058cd78a94cb540e6a2129
SHA256 31924652140324fbbe7d011630d11504438e8aca83bcc9ea67d166b489b6be39
SHA512 44cd40eb0ae3bd9f4a1ba24f1ab437fbb9a65cfd1aec00cd07c9194677d07a7c96426c0b4ea178b0e8465acfb76e0c9fde8e7552f031973c3370702af0388aff

memory/3792-11-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2052-13-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 72e02c826aaa25e83f6649c02ec3c895
SHA1 828f1dba0a2a12df7402544a604066b6a10ac6e5
SHA256 005e45f3f2c1e553117497a629e793cac4a8eca8a077490da7b1bebce94d0beb
SHA512 9c562d8cc968caee269294cfa44b13bda9ab53e67dc12ce571b6a9b4647703a8315ed233885bea76aa9ddcb942f4273dd4992ac5f5f0332e0b192fc77638755c

memory/2052-17-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2896-18-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2896-20-0x0000000000400000-0x000000000042A000-memory.dmp