Analysis Overview
SHA256
07bc9db7d5ea8998be8ae0783c0ccadc510866d4c953a3ded51314c0b57828aa
Threat Level: Known bad
The file 9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 03:25
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 03:25
Reported
2024-05-20 03:27
Platform
win7-20240221-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7fbdf871bf91153ecff8d044ed40c37a |
| SHA1 | 7b4b0d5de867f6b6444b79580abb345785af434e |
| SHA256 | 35352d475ffe0a44217dae8569fd6b770297a0aee28b337f39ca76529051bc11 |
| SHA512 | bf950d2f0bb65cbd89dd61ef3e5bbd3cb2f357f934cb20a653069bd4a172d9f6476cd4a1a2c9f2daa8815fc94afd05b28c9de0af046ac73b5982876919956799 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 358d44aa331c69b76389328366e924ec |
| SHA1 | d99ef7c4f95a55f91ad02fac49d83b71405f2e29 |
| SHA256 | fc3d8f316613bf676f790a10763592679a4493359e69a396c3376a2b7193c857 |
| SHA512 | e7691fd4220d2a936dbc839406d67185a5e8721e1a96d08598f59e5dde2ee311be5593c3583ad1c76fb1aec40f8ede0838965bb21cfb49ed2c72f674772e12a5 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d7d6da61c3b35b9eec8ad0bd156e1a4f |
| SHA1 | e8096104d8c3828e53a5df7178a7343d915c35f0 |
| SHA256 | c0d1c815839b1c7a0dcc9d7599123f6f47e7fa4ea1acabe98f6826efbf5d774a |
| SHA512 | c56f124b1fa1ede0486400117f3002d4c2f40963ec0c351365f9a8bf7796959dc3a90a1b1997dd1df71099525654b7b078e1663a41faf63752c0855ec60e02c5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 03:25
Reported
2024-05-20 03:27
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7fbdf871bf91153ecff8d044ed40c37a |
| SHA1 | 7b4b0d5de867f6b6444b79580abb345785af434e |
| SHA256 | 35352d475ffe0a44217dae8569fd6b770297a0aee28b337f39ca76529051bc11 |
| SHA512 | bf950d2f0bb65cbd89dd61ef3e5bbd3cb2f357f934cb20a653069bd4a172d9f6476cd4a1a2c9f2daa8815fc94afd05b28c9de0af046ac73b5982876919956799 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | b961e68449d82e9914c6877ec7a1a3cf |
| SHA1 | 7d05ec87c42a431482c0a72ffd0ff141e978709e |
| SHA256 | ce34ebe99f2009a3dc461c15feddf693e4644f4b093059042ecd4d6fafaa3f4e |
| SHA512 | e39e1950c3785e094697c0456c47a620a19b4d4a52b72aeed98a35ff247a721980403cd007056493deb63f200044482c79c6aef3a6c2e580d3a5fccdd64657df |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c8ab7ff887bd58e43482969667b2b41c |
| SHA1 | d2f69efab22f07d94e26e02aa6845ae4004ca60f |
| SHA256 | 733a1bac5c2f21e339512cf98c980349492630c2aa6a811bc70293bee5ff821d |
| SHA512 | 8af6876529142f1a1740d76e8c9d4ad1e0d46a6301275257a725ab8cd00ce46f7b8e6200c9606cee7ca873af0cb5e61e09b1f16741fbf5b295a6d3b6fa70767c |