Analysis Overview
SHA256
3cddb6eafc76ba5194f776a68411b44a9c55b2846dcf10b3ab618d3ce31e5c3f
Threat Level: Known bad
The file bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 09:40
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 09:40
Reported
2024-05-20 09:43
Platform
win7-20240221-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
\Windows\SysWOW64\omsecor.exe
\Users\Admin\AppData\Roaming\omsecor.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 09:40
Reported
2024-05-20 09:43
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bde2456b4af6893faf7b20b252151e17_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe