Malware Analysis Report

2024-11-16 13:01

Sample ID 240520-dylj1aab61
Target 9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe
SHA256 07bc9db7d5ea8998be8ae0783c0ccadc510866d4c953a3ded51314c0b57828aa
Tags
neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

07bc9db7d5ea8998be8ae0783c0ccadc510866d4c953a3ded51314c0b57828aa

Threat Level: Known bad

The file 9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 03:25

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 03:25

Reported

2024-05-20 03:27

Platform

win7-20240221-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2192 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2192 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2192 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2192 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2184 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2184 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2184 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2184 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2972 wrote to memory of 1228 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2972 wrote to memory of 1228 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2972 wrote to memory of 1228 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2972 wrote to memory of 1228 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7fbdf871bf91153ecff8d044ed40c37a
SHA1 7b4b0d5de867f6b6444b79580abb345785af434e
SHA256 35352d475ffe0a44217dae8569fd6b770297a0aee28b337f39ca76529051bc11
SHA512 bf950d2f0bb65cbd89dd61ef3e5bbd3cb2f357f934cb20a653069bd4a172d9f6476cd4a1a2c9f2daa8815fc94afd05b28c9de0af046ac73b5982876919956799

\Windows\SysWOW64\omsecor.exe

MD5 358d44aa331c69b76389328366e924ec
SHA1 d99ef7c4f95a55f91ad02fac49d83b71405f2e29
SHA256 fc3d8f316613bf676f790a10763592679a4493359e69a396c3376a2b7193c857
SHA512 e7691fd4220d2a936dbc839406d67185a5e8721e1a96d08598f59e5dde2ee311be5593c3583ad1c76fb1aec40f8ede0838965bb21cfb49ed2c72f674772e12a5

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d7d6da61c3b35b9eec8ad0bd156e1a4f
SHA1 e8096104d8c3828e53a5df7178a7343d915c35f0
SHA256 c0d1c815839b1c7a0dcc9d7599123f6f47e7fa4ea1acabe98f6826efbf5d774a
SHA512 c56f124b1fa1ede0486400117f3002d4c2f40963ec0c351365f9a8bf7796959dc3a90a1b1997dd1df71099525654b7b078e1663a41faf63752c0855ec60e02c5

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 03:25

Reported

2024-05-20 03:27

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9f73b46138b08037195e76e5180649a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7fbdf871bf91153ecff8d044ed40c37a
SHA1 7b4b0d5de867f6b6444b79580abb345785af434e
SHA256 35352d475ffe0a44217dae8569fd6b770297a0aee28b337f39ca76529051bc11
SHA512 bf950d2f0bb65cbd89dd61ef3e5bbd3cb2f357f934cb20a653069bd4a172d9f6476cd4a1a2c9f2daa8815fc94afd05b28c9de0af046ac73b5982876919956799

C:\Windows\SysWOW64\omsecor.exe

MD5 b961e68449d82e9914c6877ec7a1a3cf
SHA1 7d05ec87c42a431482c0a72ffd0ff141e978709e
SHA256 ce34ebe99f2009a3dc461c15feddf693e4644f4b093059042ecd4d6fafaa3f4e
SHA512 e39e1950c3785e094697c0456c47a620a19b4d4a52b72aeed98a35ff247a721980403cd007056493deb63f200044482c79c6aef3a6c2e580d3a5fccdd64657df

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c8ab7ff887bd58e43482969667b2b41c
SHA1 d2f69efab22f07d94e26e02aa6845ae4004ca60f
SHA256 733a1bac5c2f21e339512cf98c980349492630c2aa6a811bc70293bee5ff821d
SHA512 8af6876529142f1a1740d76e8c9d4ad1e0d46a6301275257a725ab8cd00ce46f7b8e6200c9606cee7ca873af0cb5e61e09b1f16741fbf5b295a6d3b6fa70767c