Malware Analysis Report

2024-11-16 13:00

Sample ID 240520-mcvefsfg6y
Target e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe
SHA256 0a414484d848703889fb77fbbcb497e5fb9743425bd2dce94abe5f307a8353a1
Tags
neconyd trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

0a414484d848703889fb77fbbcb497e5fb9743425bd2dce94abe5f307a8353a1

Threat Level: Known bad

The file e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd family

Neconyd

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 10:19

Signatures

Neconyd family
neconyd

UPX packed file
upx
Description Indicator Process Target
(1 hit; no indicator details recorded)

Unsigned PE
Description Indicator Process Target
(2 hits; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 10:19

Reported

2024-05-20 10:22

Platform

win7-20231129-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
(17 hits; no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2992 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 1940 (4 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1940 wrote to memory of 1332 (4 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Each stage writes into the next process in the chain: original sample (2232) -> Roaming\omsecor.exe (2992) -> SysWOW64\omsecor.exe (1940) -> Roaming\omsecor.exe (1332). Four writes per hop is consistent with a process being prepared before it runs its own code; correlate these PIDs with the memory dumps under Files (2232, 2992, 1940, 1332) when reversing.
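Rebuilding the injection chain from the raw signature rows is a routine triage step, and it is easy to get wrong by hand when the table repeats rows. The block below is an added example, not part of the report: it parses the behavioral1 "wrote to memory of" rows exactly as they appear above (the EVENTS text is copied from the table, repeats included), collapses duplicates into counts, and follows writer-to-target edges from the root PID to reconstruct the chain, stopping on a branch or a revisited PID so a cyclic or forking log cannot loop it.

```python
"""Reconstruct a cross-process write chain from sandbox signature rows.

Added example; EVENTS is the behavioral1 'Suspicious use of WriteProcessMemory'
table copied verbatim from the report (repeated rows kept on purpose).
"""
import re
from collections import Counter

EVENTS = r"""
PID 2232 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2232 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2232 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2232 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2992 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2992 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2992 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1940 wrote to memory of 1332 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1940 wrote to memory of 1332 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1940 wrote to memory of 1332 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1940 wrote to memory of 1332 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
"""

# writer PID, target PID, indicator column (N/A here), writer image, target image
EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_events(text):
    """Collapse repeated rows: (writer, target, writer_image, target_image) -> count."""
    counts = Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            writer, target, wimg, timg = m.groups()
            counts[(int(writer), int(target), wimg, timg)] += 1
    return counts


def write_chain(counts, root_pid):
    """Follow writer->target edges from root_pid as a list of (pid, image).

    Stops at a dead end, at a fork (more than one target), or when a PID
    repeats, so a forking or cyclic log cannot produce an endless chain.
    """
    images, edges = {}, {}
    for writer, target, wimg, timg in counts:
        images[writer], images[target] = wimg, timg
        edges.setdefault(writer, set()).add(target)
    chain, seen, pid = [(root_pid, images.get(root_pid))], {root_pid}, root_pid
    while pid in edges:
        targets = sorted(edges[pid])
        if len(targets) != 1 or targets[0] in seen:
            break
        pid = targets[0]
        seen.add(pid)
        chain.append((pid, images[pid]))
    return chain


def chain_pids(text, root_pid):
    """Convenience: PIDs of the chain rooted at root_pid."""
    return [pid for pid, _ in write_chain(parse_events(text), root_pid)]


def syswow64_stages(text, root_pid):
    """PIDs whose image lives under SysWOW64, i.e. 32-bit stages that 'dropped in System32'."""
    return [pid for pid, img in write_chain(parse_events(text), root_pid) if "\\SysWOW64\\" in img]


if __name__ == "__main__":
    for pid, img in write_chain(parse_events(EVENTS), 2232):
        print(pid, img)
```

The same parser works on the behavioral2 run if that detonation had emitted the signature; here it did not, which is why only the Windows 7 chain can be rebuilt from this report.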

Processes

Image path, followed by the command line used to start it, in the order reported:

C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is started with a System32 path but its image is recorded under SysWOW64. omsecor.exe is a 32-bit process, so WOW64 file-system redirection maps its System32 writes and launches to C:\Windows\SysWOW64; that is also why the "Drops file in System32 directory" hit above names C:\Windows\SysWOW64\omsecor.exe. When hunting, check for omsecor.exe under both C:\Windows\System32 and C:\Windows\SysWOW64, and remember that a 64-bit collection tool will see the SysWOW64 copy, while a 32-bit tool asking for System32 will be redirected to it.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2232-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 07fdbbbd4d926e08644248958682c718
SHA1 dd04b05687f739af49b4c3f2feb88a1bd2a38642
SHA256 a79eb03db3da8357f1186b1fd5774db3bfcaf6eeb71b8d7b3964ed83cac0448d
SHA512 d7c4cc8a4a498f2e99e544ea24987e605f54b11039edaeabeac5d2899372535707a9431382ccf6fe49ba885a00c0a41cfe586f415a31f73158e3a2a4e0d3cc69

memory/2992-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2232-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2232-10-0x0000000000220000-0x000000000024D000-memory.dmp

memory/2232-8-0x0000000000220000-0x000000000024D000-memory.dmp

memory/2992-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2992-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2992-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2992-24-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 9dde4e5660df3407b83e5e2f72400c3e
SHA1 37ea169ff83df3305eab9679b0c3eafe8931c5d5
SHA256 be35cd3d16d0d206b498feec31fab2a49dbfafc66f908796dabf96aa23a6a411
SHA512 9f3b809ecc0258a22987d8383ec7a40cfc92b9a6905c917c8e7c6c5a5780980a6269c8cb2ba227c0c926d2d9d8ac72a38c27d7513a3926848db0d5418cd868ba

memory/2992-27-0x0000000002550000-0x000000000257D000-memory.dmp

memory/2992-34-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 fc3305325edc48a10117306a641e60ab
SHA1 4f56f79c51734219bb461291575952716bd33f77
SHA256 d85596cec26409a0004e48bc87be2ec1a71f6cfcf5c256ecbd30a57651317eb7
SHA512 56b4f7ba5008a456fd92720afe332f0d557433248f2844f907a22b1672d998967a7dd7ca1a6f76a651a32f32f5bb684d6c7005092a2c85dd095bc3866c30aea0

This is a second write to the same Roaming path. Its hashes differ from the first copy (MD5 07fdbbbd4d926e08644248958682c718) and from the SysWOW64 copy (MD5 9dde4e5660df3407b83e5e2f72400c3e): every stage writes a distinct binary, so a single file hash is a weak indicator for this sample. Prefer the file path, the process chain and the network destinations when building detections.

memory/1940-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1940-45-0x00000000003B0000-0x00000000003DD000-memory.dmp

memory/1332-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1332-50-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1332-53-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 10:19

Reported

2024-05-20 10:22

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
(15 hits; no indicator details recorded)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Image path, followed by the command line used to start it, in the order reported:

C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

As on Windows 7, the System32 command line resolves to a SysWOW64 image because the 32-bit process is subject to WOW64 file-system redirection. The process chain is identical on both platforms.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
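The two network tables (behavioral1 above and this one) mix three kinds of rows: forward DNS queries to the sandbox resolver, PTR (reverse) lookups that only appear on the Windows 10 run, and the actual outbound connections. The block below is an added example, not part of the report: it normalises the behavioral2 table (copied verbatim; the behavioral1 rows are a subset of it) into contacted hosts per domain, the forward names queried, and the IPs the host reverse-resolved, then shows which reverse lookups concern the same IPs the sample connected to. The assumption that 8.8.8.8:53 rows are resolver traffic rather than a destination in its own right is mine, taken from the table, not stated by the report.

```python
"""Normalise a sandbox network table into indicators (added example).

NETWORK is the behavioral2 table copied from the report.  Rows to the
resolver (8.8.8.8:53, an assumption drawn from the table) are treated as
DNS activity; everything else is an outbound contact.
"""
import re
from collections import defaultdict

NETWORK = """
Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\d+\.\d+\.\d+\.\d+):(\d+) (\S+) (tcp|udp)$")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")
RESOLVER = ("8.8.8.8", "53")


def ptr_to_ip(name):
    """'77.190.18.2.in-addr.arpa' -> '2.18.190.77'; None for a non-PTR name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def ip_key(ip):
    """Sort IPv4 strings numerically rather than lexically."""
    return tuple(int(o) for o in ip.split("."))


def normalise(text):
    """Split the table into contacts, forward lookups and reverse-lookup targets."""
    contacts = defaultdict(set)   # domain -> {(ip, port, proto)}
    lookups, ptr_targets = set(), set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                # header line or anything else we do not recognise
        _cc, ip, port, domain, proto = m.groups()
        if (ip, port) == RESOLVER:
            rev = ptr_to_ip(domain)
            if rev:
                ptr_targets.add(rev)
            else:
                lookups.add(domain)
        else:
            contacts[domain].add((ip, int(port), proto))
    return {
        "contacts": {d: sorted(v) for d, v in contacts.items()},
        "lookups": sorted(lookups),
        "ptr_targets": sorted(ptr_targets, key=ip_key),
    }


def contacted_ips(text):
    """Every destination IP the sample actually connected to."""
    return sorted({ip for v in normalise(text)["contacts"].values() for ip, _, _ in v}, key=ip_key)


def ptr_hits(text):
    """Reverse lookups whose target is one of the contacted IPs."""
    return sorted(set(normalise(text)["ptr_targets"]) & set(contacted_ips(text)), key=ip_key)


if __name__ == "__main__":
    result = normalise(NETWORK)
    print(result["contacts"])
    print("contacted:", contacted_ips(NETWORK))
    print("reverse-looked-up and contacted:", ptr_hits(NETWORK))
```

On this table the function yields three contacted hosts, one IP each on TCP/80, and ten reverse lookups, of which two target contacted IPs (64.225.91.73 and 35.91.124.102) while 193.166.255.171 is never reverse-resolved. The report does not say which process issued the PTR queries, so the remaining eight targets should be treated as unattributed until a packet capture or process-level DNS log ties them to the sample.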

Files

memory/2372-1-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 07fdbbbd4d926e08644248958682c718
SHA1 dd04b05687f739af49b4c3f2feb88a1bd2a38642
SHA256 a79eb03db3da8357f1186b1fd5774db3bfcaf6eeb71b8d7b3964ed83cac0448d
SHA512 d7c4cc8a4a498f2e99e544ea24987e605f54b11039edaeabeac5d2899372535707a9431382ccf6fe49ba885a00c0a41cfe586f415a31f73158e3a2a4e0d3cc69

memory/2372-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1904-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1904-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1904-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1904-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1904-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 5e4e00f30bce6955b044415575ec3b77
SHA1 0a1a348a90f0afb1bf5b71a62e7a6ddbb22b2bb1
SHA256 24532aee4ece65cda4dd3e4181f31ed07f9615aa6950e44d030af4a443e4cc71
SHA512 43d76d486752258567e66fbd59dd10d99f74ccc98493a109c20c8564c52e87e83cd959c230a14fd5f9ec663fbc9e91504ed6a1850b4df5f0405e46c71bc3da19

memory/1904-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3780-23-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3a86badba8706b241d53fbb6038ca5c2
SHA1 4cb96dcb8ef741f8c0d13516e07c10b1be0dca2f
SHA256 4a3177b3a1f5d2268e6cb59a1cda945b6d5cd959b793e159d53318b442659509
SHA512 24dbebc85bd997ee83472b4d46ece6fc90b508de2f8ef844dc8b7d64d9adc62788774605a56db4f48b9bc16470043e3cece0643d94f974cc09af41da6a2807d8

Comparing the two detonations: the first Roaming\omsecor.exe (MD5 07fdbbbd4d926e08644248958682c718) is byte-identical on Windows 7 and Windows 10, while the SysWOW64 copy (MD5 5e4e00f30bce6955b044415575ec3b77 here, 9dde4e5660df3407b83e5e2f72400c3e on Windows 7) and this second Roaming copy (3a86badba8706b241d53fbb6038ca5c2 here, fc3305325edc48a10117306a641e60ab on Windows 7) differ between runs. Only the first-stage drop is a stable hash indicator; the later stages are rewritten on every execution.

memory/2392-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2392-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2392-32-0x0000000000400000-0x000000000042D000-memory.dmp