Analysis Overview
SHA256
2caab932d8930e900fe8c88f3802505e79e2d0d59bd1d420feb2222bdc68cb05
Threat Level: Known bad
The file aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 04:18
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 04:18
Reported
2024-05-20 04:21
Platform
win7-20240221-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 495c130f882705049903606f970ec4c0 |
| SHA1 | 666953aef41b81aa4896362ec85e0065f37cf4f9 |
| SHA256 | 9658aadb231c62de3ed5ea0f7f9c77edb6541964be96252e59ab600a7eba16f5 |
| SHA512 | b6db103a743dfb5bd3dccdb053a4b2d75348d2a5ce8196b22812987cdf78f483d05734e457edd38fe15cea86dc08de625969c135a1e7239cf3a4d6171f29198f |
\Windows\SysWOW64\omsecor.exe
| MD5 | 9257a70066fa238f3350b6cef692cb74 |
| SHA1 | 719ed791f370d70db834796c2975297cac446d9f |
| SHA256 | 7b3b4a37f408608c7eca3e41b42d52180c35359ad4ea1edcee59c89dfd904156 |
| SHA512 | d7b43d474fea8575443e704125dac6966a77ea62565b8a105d0fdf4681483011dab146a16e6a26d4451e5e1ce03026e0e588f33fd198dad23d27a231c90ccdc8 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a165baf30f0b198487f30e660c0fd156 |
| SHA1 | ae251ff3b8fe3e50380654fff54642126ec5c052 |
| SHA256 | ee3396b41e4d3901383402bdd56a165979cce617af4bf8dcb7844f59b549680c |
| SHA512 | 1f908421f5c1bb1f3630937265a5ecd27fc62b5d77c7329d938f295e1d8684ee86cc1141940bbe660dec45e75638fdfb44090186e43b7c34d00a5be5cccdc695 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 04:18
Reported
2024-05-20 04:21
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aa8ba803152da70d5a426f82e0f3e200_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
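The two Network tables above mix three kinds of rows: the sample's own traffic (lousta.net, mkkuei4kdsz.com and ow5dirasuek.com, each resolved via 8.8.8.8 and then contacted on port 80), reverse (in-addr.arpa) lookups the sandbox makes for every address it sees, and in the Windows 10 run, background traffic to bing.com and bing.net. The script below is an added example, not part of the report or the sandbox vendor's tooling: it parses a subset of rows copied from the behavioral2 table and separates C2 candidates from that noise. The benign-suffix allowlist is an assumption about the sandbox image's background traffic, not something the report states.

```python
"""Triage the Network table of a sandbox report into C2 candidates vs. noise.

Added example; not part of the report. The rows below are copied from the
behavioral2 Network table; the benign-suffix allowlist is an assumption
(background traffic from the Windows 10 sandbox image), not a report finding.
"""
from collections import defaultdict

# Subset of rows copied from the report's behavioral2 Network table (constructed input).
REPORT_ROWS = """\
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
"""

# Assumption: traffic to these suffixes is OS background on the sandbox image.
BENIGN_SUFFIXES = (".bing.com", ".bing.net")
# The sandbox's resolver; rows to it are lookups, not contact with the domain.
RESOLVER = "8.8.8.8:53"


def parse_rows(table):
    """Yield (country, destination, domain, proto) for each '| a | b | c | d |' row."""
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Country":
            yield tuple(cells)


def is_noise(domain):
    """Reverse lookups and allowlisted background domains are not indicators."""
    return domain.endswith(".in-addr.arpa") or domain.endswith(BENIGN_SUFFIXES)


def triage(table):
    """Return (c2, queried_only, noise).

    c2:           domain -> sorted list of "ip:port" endpoints actually contacted
    queried_only: domains resolved through the sandbox resolver but never contacted
    noise:        PTR lookups and allowlisted background rows, kept for review
    """
    c2 = defaultdict(set)
    queried = set()
    noise = []
    for _country, dst, domain, proto in parse_rows(table):
        if is_noise(domain):
            noise.append((dst, domain, proto))
        elif dst == RESOLVER and proto == "udp":
            queried.add(domain)
        else:
            c2[domain].add(dst)
    queried -= set(c2)
    return {d: sorted(v) for d, v in sorted(c2.items())}, sorted(queried), noise


def indicators(c2):
    """Flatten the C2 map into sorted domain and IP blocklists (ports stripped)."""
    ips = {dst.rsplit(":", 1)[0] for dsts in c2.values() for dst in dsts}
    return sorted(c2), sorted(ips)


if __name__ == "__main__":
    c2, queried_only, noise = triage(REPORT_ROWS)
    for domain, endpoints in c2.items():
        print(f"C2 candidate {domain}: {', '.join(endpoints)}")
    print("resolved but never contacted:", queried_only or "none")
    print(f"{len(noise)} rows classified as sandbox noise")
    print("blocklist:", indicators(c2))
```

A domain that shows up only under "resolved but never contacted" is worth a second look: it may be a fallback C2 that was down at detonation time rather than noise. Here every queried domain was also contacted on port 80, so that list is empty.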
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 495c130f882705049903606f970ec4c0 |
| SHA1 | 666953aef41b81aa4896362ec85e0065f37cf4f9 |
| SHA256 | 9658aadb231c62de3ed5ea0f7f9c77edb6541964be96252e59ab600a7eba16f5 |
| SHA512 | b6db103a743dfb5bd3dccdb053a4b2d75348d2a5ce8196b22812987cdf78f483d05734e457edd38fe15cea86dc08de625969c135a1e7239cf3a4d6171f29198f |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 911380773498707632a5e733145ed4a1 |
| SHA1 | aebef8cdc74e818424be57d316eb39fe4e897b51 |
| SHA256 | d3b5ee12ce81d0d3942217d2822f45697163838fac635a3bb1f4799ed384bd35 |
| SHA512 | 7d0945239bb128a91b7a43c3fdbd78b4a2cf5b4cdd521d599f0d4642b082f4f66fb1c31449be3163fff48f55782f223707c223428981691f88a6649af6856b9a |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 74aa86ee0cb281f2667c11459a0836ea |
| SHA1 | 6d14abd37bbdcb56009bb748b0cde82af37e8863 |
| SHA256 | d78a63d33e80e0c9f3e97b649448f6a3de705739326f13f477bff92428b0a454 |
| SHA512 | 617816f73cad9580b51fa720c1e7e82051cfd7eb3caeb2ca52df741e077a5982090ebc2b514fea707f180107f518e171907e99424d6071054becafb54db1ad97 |
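The Files tables give five distinct SHA256s for what is, on disk, two paths: the first Roaming copy of omsecor.exe is identical in both runs (9658aadb...), but the SysWOW64 copy and the second Roaming copy differ between the Windows 7 and Windows 10 runs and from each other within a run. Hash-only hunting for the dropped files is therefore unreliable; the drop locations and file name are the stable part. The script below is an added example, not code from the report or the vendor: it scans a directory tree for the dropped copies by path suffix and by SHA256. The System32 suffix is an assumption: the process list shows both C:\Windows\SysWOW64\omsecor.exe and C:\Windows\System32\omsecor.exe, consistent with a 32-bit dropper whose writes to System32 are redirected to SysWOW64 by WOW64, so both locations are checked. The tree it scans is constructed in a temp directory with placeholder contents, so hash matches cannot fire on it; the path rule is what catches the decoys.

```python
"""Hunt for the files this sample drops, by path suffix and by SHA256.

Added example; not code from the report or the sandbox vendor. Hashes and
paths are copied from the Files tables of both runs. The scanned tree is
constructed with placeholder contents, so only the path rule can match.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256s of every dropped copy of omsecor.exe listed in behavioral1 and behavioral2.
DROPPED_SHA256 = {
    "9658aadb231c62de3ed5ea0f7f9c77edb6541964be96252e59ab600a7eba16f5",
    "7b3b4a37f408608c7eca3e41b42d52180c35359ad4ea1edcee59c89dfd904156",
    "ee3396b41e4d3901383402bdd56a165979cce617af4bf8dcb7844f59b549680c",
    "d3b5ee12ce81d0d3942217d2822f45697163838fac635a3bb1f4799ed384bd35",
    "d78a63d33e80e0c9f3e97b649448f6a3de705739326f13f477bff92428b0a454",
}

# Drop locations from the report, as lowercase path suffixes. System32 is an
# assumption: a 32-bit process writing to System32 is redirected to SysWOW64
# by WOW64, which is why the process list shows both spellings of the path.
DROP_SUFFIXES = (
    ("appdata", "roaming", "omsecor.exe"),
    ("windows", "syswow64", "omsecor.exe"),
    ("windows", "system32", "omsecor.exe"),
)


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_path(path):
    """True if the path ends in one of the drop locations (either separator, any case)."""
    parts = tuple(p.lower() for p in re.split(r"[\\/]+", str(path)) if p)
    return any(parts[-len(s):] == s for s in DROP_SUFFIXES)


def scan(root):
    """Return sorted [(path, reasons)] for every file hit by a path or hash IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            reasons = []
            if match_path(p):
                reasons.append("drop-path")
            if sha256_file(p) in DROPPED_SHA256:
                reasons.append("sha256")
            if reasons:
                hits.append((p, reasons))
    return sorted(hits)


def build_sample_tree():
    """Constructed tree: a decoy at two drop locations plus one benign file."""
    root = tempfile.mkdtemp(prefix="neconyd_ioc_")
    for rel in (
        "Users/Admin/AppData/Roaming/omsecor.exe",
        "Windows/SysWOW64/omsecor.exe",
        "Users/Admin/AppData/Roaming/notes.txt",
    ):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder, not malware: " + rel.encode())
    return root


if __name__ == "__main__":
    for path, why in scan(build_sample_tree()):
        print(",".join(why), path)
```

On a real host, point scan() at the drive root (or at C:\Users and C:\Windows) and treat a "drop-path" hit as the primary signal; a "sha256" hit confirms one of the five known copies, but its absence proves nothing given how the hashes vary between runs.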