Analysis Overview
SHA256
011c059fa55493bf1821a870d89e7d6d3f5f1c45646c952f33194ca2770668a1
Threat Level: Known bad
The file d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 07:32
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 07:32
Reported
2024-05-20 07:35
Platform
win7-20240221-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2380-1-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 84230afd5a8a2644094660f014b02995 |
| SHA1 | 36e2352fdce75e7afd6300e7fc527232eb140ce4 |
| SHA256 | 78b98f9e1b0b085472a8d9c0d15b2aa44d7185859c5020b4e948cb0e72d7299c |
| SHA512 | 4a8223eff219b57af9d6e603e5aad94715ed0674d4b2f87ee05573e3cf404a4491253aebf95bc9e9ba442bd1a6884ce732ed923252dbd27c81e27365733edc98 |
memory/1932-10-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1932-11-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | f0de8a558bf0da95c1612eb45bc0f9bd |
| SHA1 | c603b8705697d43b2df69b73d9922d1c0b486177 |
| SHA256 | ba245ce705d200206c8e8b972a705bcb280d19e601c47acfdfe7040889e36810 |
| SHA512 | adc0f3cab1e8f0241e05b77e795d57e4097438d26581c0e38bc30f04f8be0e78e43a6f27f8c4a4de17c277f75609b3553422d06bd13e24cb63b292359435f4a2 |
memory/1932-16-0x0000000000350000-0x000000000037B000-memory.dmp
memory/1932-22-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2864-28-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6687c8cfe5fb17d8d13bfa28b78fe460 |
| SHA1 | 8c4f6ef95c1d72c1448520c2e5434ede191f4f0d |
| SHA256 | d1cc83fc18382bbb941bc2053daf37eff98f145b109d84be6994181aa8631d68 |
| SHA512 | af03707e8511da136290f7423853947661b81234b4b09915210b87156498b412334d43db57fec1559263c04e94ea0dbbd71d140f5b7f4effd3599d236b0f5cfa |
memory/2864-33-0x0000000000250000-0x000000000027B000-memory.dmp
memory/1700-36-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 07:32
Reported
2024-05-20 07:35
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1328 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1328 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1328 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1324 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1324 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1324 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d2cd9a9616266103c033c4cd5af543a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/1328-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1328-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1324-6-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 84230afd5a8a2644094660f014b02995 |
| SHA1 | 36e2352fdce75e7afd6300e7fc527232eb140ce4 |
| SHA256 | 78b98f9e1b0b085472a8d9c0d15b2aa44d7185859c5020b4e948cb0e72d7299c |
| SHA512 | 4a8223eff219b57af9d6e603e5aad94715ed0674d4b2f87ee05573e3cf404a4491253aebf95bc9e9ba442bd1a6884ce732ed923252dbd27c81e27365733edc98 |
memory/1324-7-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1324-11-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 13f49e4a4a81b2dfaa5471c3c897469e |
| SHA1 | f2edbb98b9fd5e4ab2bc68840ef22a5f49a746c9 |
| SHA256 | e3eac5d9abb48a6271d0b9c3f1a870fd631e630866a3b75a72725e9ee9655235 |
| SHA512 | 5e472b1fb5cb3948014bf2f8f80d1feb40a1e0ec1087f275b4c3938bb5929df170aaec2b8747269cbe82fef2d5f21c6e22d6ff77b6773b80a51d07ce053f4ae7 |
memory/2616-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a00eab46c5f0ba93984257d595e6db62 |
| SHA1 | b3850fc3e177a762cc3a8f5ee266c49967480b41 |
| SHA256 | a130fa28aadc20d9ea3ad4c2b8a24bcaefa8c5e00e50405e2696cea02885d901 |
| SHA512 | 407eb1498990ac000f69770fe21a9934f374ab330263b819adb46ef83d36ccaa1cce50f89a74526c039d4e2299101dfc162a262f2768a3190c6951b16a2917d0 |
memory/2616-14-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4404-15-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4404-16-0x0000000000400000-0x000000000042B000-memory.dmp