Malware Analysis Report

2024-11-16 13:01

Sample ID 240520-lnjxesee31
Target bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe
SHA256 3cddb6eafc76ba5194f776a68411b44a9c55b2846dcf10b3ab618d3ce31e5c3f
Tags: neconyd trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

3cddb6eafc76ba5194f776a68411b44a9c55b2846dcf10b3ab618d3ce31e5c3f

Threat Level: Known bad

The file bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 09:40

Signatures

Neconyd family

neconyd

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 09:40

Reported

2024-05-20 09:43

Platform

win7-20240221-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2812 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2812 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2812 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2812 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2632 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2632 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2632 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2632 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1308 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1308 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1308 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1308 wrote to memory of 572 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a5f1f428a14291d4542031b7fc3e21a4
SHA1 7fef04a0f9b6d20aba8226e151b25a1d358b5ee5
SHA256 d4abc8cac66c4ad88b4f96cb7aa934d5cb720e68e85da090c2328509e77881fb
SHA512 4888c99b0cb3aab27742eb6897434c7c2ac10206364ca749777b09782a0dd0f39f0f53c853a73dd352b328ce141224ae4a13c7c47676c2cf9d42c5b90279e83a

\Windows\SysWOW64\omsecor.exe

MD5 ac55632bc24b5b240bc085f5a3bd7301
SHA1 cb106086736fedc5f34c8a886541ea1e9bf0402b
SHA256 1eaab479dde21111f3bce9e0d6f1003ce0fc9f2da2a2f7db87d0eeb698f1b703
SHA512 405ac9104d25657d2bcf33eeb3f0729f8dfe5c0f41c4c9f60de4b14d4437526119427d614339fb66fca8007d13e388360b991e227c097859c22f6ff44534aade

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3d8fa1dd5bb94aa011af6cbd006ce05c
SHA1 d919f82b01cbad384ed1d8a3e5c4130726bb15f3
SHA256 88dbb7c3f1ae75cf3053104a251861fbe86fee400647d8e48727fc2c81be751d
SHA512 5554dd5bdf35d156e1e3bad6615bbf317cb7fba12af88a7d79eb14f1032dab3e336faacbe75e4406fb1a408fb91a072f51ef55afa7e20887ca8701182f12da01

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 09:40

Reported

2024-05-20 09:43

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | | udp |

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a5f1f428a14291d4542031b7fc3e21a4
SHA1 7fef04a0f9b6d20aba8226e151b25a1d358b5ee5
SHA256 d4abc8cac66c4ad88b4f96cb7aa934d5cb720e68e85da090c2328509e77881fb
SHA512 4888c99b0cb3aab27742eb6897434c7c2ac10206364ca749777b09782a0dd0f39f0f53c853a73dd352b328ce141224ae4a13c7c47676c2cf9d42c5b90279e83a

C:\Windows\SysWOW64\omsecor.exe

MD5 5259573e918621e493ffc1176e3d2677
SHA1 04b7f701fd4456adc3f0899e9d042420626b0edf
SHA256 858ac469f899393d8c705d0e8d65422d506c5e6eb67e54507e8c2e631576390e
SHA512 6eeaf484ab42a39a97b68d33b4c9f89327ddc7283a0c43b12c17308efe9f8443e24cc40d46ef358678b06ae8e6919490d122de9b760436d884c2f2586f0f59c5

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4d9848c8ce6ee6f0420571b0e876c81d
SHA1 2c37a9c4660b5aa63f425fa3a9bc5b69be3115f6
SHA256 5893c589eae13af440c13c7eced69a8a96e290cbc7fad3966f09f4ce8b86b310
SHA512 c11cc593a8771b0dd08d9f91e6e10560bb66be755cbe6220118ba13fa4df7de87655223e0c05e32da0e31214812f90815b886c4cd6667da3d07e68c8648bd956