Analysis Overview
SHA256: e73eaeafa6e84acb88b422d6e340f5da99a13e64b3e2616fa444e5129faf86a8
Threat Level: Known bad
The file b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-05-20 04:45
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-20 04:45
Reported: 2024-05-20 04:47
Platform: win7-20240221-en
Max time kernel: 146s
Max time network: 151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note: the third process is started with a System32 command line but its image runs from SysWOW64. That is what WOW64 file-system redirection does for a 32-bit process, and it agrees with the "Drops file in System32 directory" event above, which records the created file at C:\Windows\SysWOW64\omsecor.exe. A detection that keys on the System32 path alone will miss this drop; match both directories.
Network
Rows with destination 8.8.8.8:53 (udp) are DNS lookups of the named domain sent to the sandbox's resolver, not connections to the sample's infrastructure; the contacted endpoints are the three tcp/80 destinations for lousta.net, mkkuei4kdsz.com and ow5dirasuek.com.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
Two different hashes are recorded for C:\Users\Admin\AppData\Roaming\omsecor.exe within this run, so the file is rewritten with different content during execution. Only the first Roaming copy (MD5 87a34cd5cbff2557af7ddfb672e3b2fa) is identical across the win7 and win10 runs; the SysWOW64 copy and the later Roaming copy differ between runs. A single dropped-file hash is therefore a weak indicator; the file paths and the behaviour above are more durable.
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 87a34cd5cbff2557af7ddfb672e3b2fa |
| SHA1 | b723170993ab887d205a4f8da695395c2b24889d |
| SHA256 | b497f0117e0f4fd2d6f76749480d13798e35029a58d7e7bd9c594c35ad2cedb1 |
| SHA512 | 6499deab1a8d5106917559402f15c3fbd9fbaed11b8257443bab20b443c3436db1dba3035326f7a90d817afe3d94c06e7d53db212cf3658df09181332aacb579 |
\Windows\SysWOW64\omsecor.exe
| MD5 | c79035d95bf6c0d3d7e8370651b24e49 |
| SHA1 | f1238cbf29c9151fb5df59b30270cdf10e99bbb3 |
| SHA256 | a61e2b7ba21b979115149e4053d16b68208e0aec56009c18e383db307dd61db8 |
| SHA512 | 02f188889822a134058ac8a09ff88face1610a2700ad76d6e2f72091f1ca09e22f0c0f5305fa4ff6b027fca7c1da28ed3da14fd0cd25ef076bc735d56a00d356 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 720e279f2e6f6aff51c9193add0ac6a2 |
| SHA1 | 2568cc8769b9d0effd735eb25fdfdaba278a2975 |
| SHA256 | 0c69ab57d833e6a3645153a6656257e5130f0f1d233d7526bf267725e01b20e4 |
| SHA512 | 6b157331cb3651766d0228fa57316052e53d324b5e2e653af5a8b93cbf93bbbdbdbb5d6c9717d8b3ded1bdae6c815bf8c1ebefdf7a450f0a78439025b34c53d0 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-20 04:45
Reported: 2024-05-20 04:48
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note: as in the win7 run, the SysWOW64 image is launched with a System32 command line, consistent with WOW64 file-system redirection of a 32-bit process; the "Drops file in System32 directory" event records the file at C:\Windows\SysWOW64\omsecor.exe.
Network
The www.bing.com, tse1.mm.bing.net and *.in-addr.arpa rows do not appear in the win7 run and match ordinary Windows 10 background traffic (Bing/Windows Search and reverse-DNS lookups of contacted addresses). This report does not attribute network events to processes, so treat only lousta.net, mkkuei4kdsz.com and ow5dirasuek.com, and their tcp/80 endpoints 193.166.255.171, 64.225.91.73 and 35.91.124.102, as sample indicators. Destination 8.8.8.8:53 is the sandbox's DNS resolver.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| BE | 2.17.107.98:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 98.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
As in the win7 run, the same Roaming path carries two different hashes within the run; only the first Roaming copy (MD5 87a34cd5cbff2557af7ddfb672e3b2fa) matches between runs.
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 87a34cd5cbff2557af7ddfb672e3b2fa |
| SHA1 | b723170993ab887d205a4f8da695395c2b24889d |
| SHA256 | b497f0117e0f4fd2d6f76749480d13798e35029a58d7e7bd9c594c35ad2cedb1 |
| SHA512 | 6499deab1a8d5106917559402f15c3fbd9fbaed11b8257443bab20b443c3436db1dba3035326f7a90d817afe3d94c06e7d53db212cf3658df09181332aacb579 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | fd01891cfcf022bbf245744d90a3e451 |
| SHA1 | 454691a7464b9db7be8cc420f799887df58d9875 |
| SHA256 | 64509b5009bb1ebf4d82a8284058d9c899c3c0b6df843755b58691ebe76e0419 |
| SHA512 | cdce6763cce128ae0a49d2cecaa966e054eef6ecbf1c915bc17b8d2b2f54e632158fbadc7f5bc2d0a0b415ce07855b46d42a94a9c68d95383d2d43055bd470e9 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 46d9678b4487e84c516b34e71a4029d7 |
| SHA1 | 74884c7f09c0fe1f6a171c58555cd19f192d6450 |
| SHA256 | cf8b28f90832105463531dad6751cf038ee50ebe35d838432294238342444e8f |
| SHA512 | 46c1ec87ccc2eae539d0a6d0255373dd61cd209ac99927f4f063a916db22b9561d40c5fb5997a391eae6e07d4c4c5f36556878793104d7b2081b4700a333e215 |
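The following is an added example, not part of this sandbox report or of the sample, showing how a practitioner would turn the two runs above into something usable: it reduces the network table to sample-attributable indicators by discarding the sandbox resolver and Windows background traffic, and it runs the behavioural pattern described by the signatures (executing a dropped EXE from AppData\Roaming, writing into System32/SysWOW64 from a user-profile binary, spawning that copy, and looking up the C2 domains) over Sysmon-style events. The network rows are copied from the behavioral2 table; the events, their parent/child links and the Sysmon-like field names are constructed assumptions, since the report gives no process tree or per-process network attribution.

```python
"""Triage helper for the Neconyd report above (added example, not report content)."""
import re

# Subset of the behavioral2 network table: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "lousta.net", "udp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("BE", "2.17.107.98:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "mkkuei4kdsz.com", "udp"),
    ("US", "64.225.91.73:80", "mkkuei4kdsz.com", "tcp"),
    ("US", "8.8.8.8:53", "ow5dirasuek.com", "udp"),
    ("US", "35.91.124.102:80", "ow5dirasuek.com", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]

# Assumption: 8.8.8.8 is the sandbox resolver; Bing and reverse-DNS lookups are
# Windows 10 background traffic (none of them appear in the win7 run).
RESOLVERS = {"8.8.8.8"}
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")


def extract_network_iocs(rows):
    """Return (domains, endpoints) worth blocking; resolver rows contribute a domain only."""
    domains, endpoints = set(), set()
    for _country, dest, domain, _proto in rows:
        if domain.lower().endswith(NOISE_SUFFIXES):
            continue
        domains.add(domain.lower())
        host, _, port = dest.rpartition(":")
        if host not in RESOLVERS:  # a DNS query to the resolver is not a C2 endpoint
            endpoints.add(f"{host}:{port}")
    return sorted(domains), sorted(endpoints)


# Paths taken from the report; the parent/child links below are assumed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b09a521906d1eed8c0989d0f2e9e75b0_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed Sysmon-style events (not from the report); the last two are benign controls.
EVENTS = [
    {"type": "ProcessCreate", "image": ROAMING, "parent": SAMPLE},
    {"type": "FileCreate", "image": ROAMING, "target": SYSWOW},
    {"type": "ProcessCreate", "image": SYSWOW, "parent": ROAMING},
    {"type": "DnsQuery", "image": SYSWOW, "query": "lousta.net"},
    {"type": "DnsQuery", "image": SYSWOW, "query": "www.bing.com"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Match both directories: a 32-bit process that writes to "System32" is redirected
# to SysWOW64 by WOW64, which is why the report records the drop under SysWOW64.
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.I)


def match_events(events, ioc_domains):
    """Return (rule, subject) pairs for events matching the drop-and-persist pattern."""
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "ProcessCreate":
            if USER_PROFILE.match(e["image"]) and TEMP_DIR.search(e["parent"]):
                hits.append(("exec_dropped_exe_from_temp", e["image"]))
            elif SYSTEM_DIRS.match(e["image"]) and USER_PROFILE.match(e["parent"]):
                hits.append(("system_dir_exe_spawned_from_profile", e["image"]))
        elif kind == "FileCreate":
            if SYSTEM_DIRS.match(e["target"]) and USER_PROFILE.match(e["image"]):
                hits.append(("system_dir_write_from_profile", e["target"]))
        elif kind == "DnsQuery" and e["query"].lower() in ioc_domains:
            hits.append(("c2_domain_lookup", e["query"]))
    return hits


if __name__ == "__main__":
    doms, eps = extract_network_iocs(NETWORK_ROWS)
    print("domains:", doms)
    print("endpoints:", eps)
    for rule, subject in match_events(EVENTS, set(doms)):
        print(f"{rule}: {subject}")
```

Run as-is it prints the three C2 domains, their three tcp/80 endpoints, and four behavioural hits; the Bing lookup and the notepad launch produce none. The path rules deliberately do not depend on the file name omsecor.exe or on any dropped-file hash, since the report shows those hashes changing between copies and between runs.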