Analysis Overview
SHA256
0a414484d848703889fb77fbbcb497e5fb9743425bd2dce94abe5f307a8353a1
Threat Level: Known bad
The file e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 10:19
Signatures
Neconyd family
UPX packed file
Unsigned PE
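The two static signatures above, "UPX packed file" and "Unsigned PE", are both answerable from the PE headers alone. The following is an added example, not part of this report or of the sandbox's own signature code: a stdlib-only parser that reads the section table and the security data directory, flags UPX's characteristic UPX0/UPX1 section names, and reports a file as unsigned when no Authenticode blob is attached. The `build_pe` helper fabricates header-only test images (the section names, sizes and the placeholder certificate are constructed; only the total mapped size of 0x2D000 bytes is borrowed from this report's memory-dump ranges).

```python
import struct

SECURITY_DIRECTORY = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode blob
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the security data directory and the section table.
    Pure stdlib; raises ValueError (or struct.error on truncation) for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva = opt + 92
    elif magic == 0x20B:          # PE32+: 8-byte ImageBase and stack/heap fields shift it to +108
        nrva = opt + 108
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, nrva)[0]
    cert_off = cert_size = 0
    if n_dirs > SECURITY_DIRECTORY:
        # Unlike every other directory entry, this one holds a file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from("<II", data, nrva + 4 + 8 * SECURITY_DIRECTORY)
    sections = []
    table = opt + opt_size
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"machine": machine, "cert_offset": cert_off, "cert_size": cert_size, "sections": sections}


def analyze(data: bytes) -> dict:
    """Return the two static verdicts this report's signatures express."""
    pe = parse_pe(data)
    names = [s["name"] for s in pe["sections"]]
    first = pe["sections"][0] if pe["sections"] else None
    # UPX0 occupies no bytes on disk; the stub in UPX1 decompresses into it at run time.
    # Other packers share the zero-raw-size-first-section layout, so it is reported
    # separately from the name match, which is the UPX-specific signal.
    packer_layout = bool(first) and first["raw_size"] == 0 and first["virtual_size"] > 0
    # No security directory, or one pointing outside the file, means no embedded signature.
    # Presence only says a blob is attached; validating it is a separate step (signtool verify).
    has_cert = pe["cert_size"] > 0 and pe["cert_offset"] + pe["cert_size"] <= len(data)
    return {"section_names": names,
            "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
            "packer_like_layout": packer_layout,
            "unsigned": not has_cert}


def build_pe(sections, cert_size=0, pe32plus=False) -> bytes:
    """Constructed test data: a header-only PE (not loadable) with the given section
    table (name, virtual_size, virtual_address, raw_size, raw_ptr) and, optionally,
    a zero-filled placeholder where an Authenticode blob would sit."""
    opt_size = 240 if pe32plus else 224              # standard sizes with 16 data directories
    nrva = 108 if pe32plus else 92
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, nrva, 16)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    cert_off = len(dos) + 4 + len(coff) + opt_size + len(table)
    if cert_size:
        struct.pack_into("<II", opt, nrva + 4 + 8 * SECURITY_DIRECTORY, cert_off, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + bytes(cert_size)


if __name__ == "__main__":
    # Constructed UPX-style layout; the sections sum to a 0x2D000-byte image like this sample's dumps.
    packed = build_pe([("UPX0", 0x20000, 0x1000, 0, 0),
                       ("UPX1", 0xB000, 0x21000, 0xAE00, 0x400),
                       (".rsrc", 0x1000, 0x2C000, 0x200, 0xB200)])
    print(analyze(packed))
```

Both checks are heuristics in the same sense the sandbox's are: UPX sections can be renamed, and an attached certificate can be expired, revoked or simply not cover the file, so "signed" here only means "carries a blob" until it is actually verified.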
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 10:19
Reported
2024-05-20 10:22
Platform
win7-20231129-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note: the third process is launched with a System32 command line but its image lives under SysWOW64. The sample is a 32-bit executable on a 64-bit Windows image, so WOW64 file system redirection sends its writes to C:\Windows\System32\ into C:\Windows\SysWOW64\, which is where the dropped copy actually lands (compare the "Drops file in System32 directory" row above). Detection content keyed on the literal System32 path will not find this file on disk.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2232-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 07fdbbbd4d926e08644248958682c718 |
| SHA1 | dd04b05687f739af49b4c3f2feb88a1bd2a38642 |
| SHA256 | a79eb03db3da8357f1186b1fd5774db3bfcaf6eeb71b8d7b3964ed83cac0448d |
| SHA512 | d7c4cc8a4a498f2e99e544ea24987e605f54b11039edaeabeac5d2899372535707a9431382ccf6fe49ba885a00c0a41cfe586f415a31f73158e3a2a4e0d3cc69 |
memory/2992-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2232-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2232-10-0x0000000000220000-0x000000000024D000-memory.dmp
memory/2232-8-0x0000000000220000-0x000000000024D000-memory.dmp
memory/2992-15-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2992-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2992-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2992-24-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 9dde4e5660df3407b83e5e2f72400c3e |
| SHA1 | 37ea169ff83df3305eab9679b0c3eafe8931c5d5 |
| SHA256 | be35cd3d16d0d206b498feec31fab2a49dbfafc66f908796dabf96aa23a6a411 |
| SHA512 | 9f3b809ecc0258a22987d8383ec7a40cfc92b9a6905c917c8e7c6c5a5780980a6269c8cb2ba227c0c926d2d9d8ac72a38c27d7513a3926848db0d5418cd868ba |
memory/2992-27-0x0000000002550000-0x000000000257D000-memory.dmp
memory/2992-34-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | fc3305325edc48a10117306a641e60ab |
| SHA1 | 4f56f79c51734219bb461291575952716bd33f77 |
| SHA256 | d85596cec26409a0004e48bc87be2ec1a71f6cfcf5c256ecbd30a57651317eb7 |
| SHA512 | 56b4f7ba5008a456fd92720afe332f0d557433248f2844f907a22b1672d998967a7dd7ca1a6f76a651a32f32f5bb684d6c7005092a2c85dd095bc3866c30aea0 |
memory/1940-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1940-45-0x00000000003B0000-0x00000000003DD000-memory.dmp
memory/1332-48-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1332-50-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1332-53-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 10:19
Reported
2024-05-20 10:22
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note: as in the Windows 7 run, the SysWOW64 copy is started with a System32 command line. The 32-bit sample's writes to C:\Windows\System32\ are redirected by WOW64 to C:\Windows\SysWOW64\, so that is the path to hunt for on disk, not the one in the command line.
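The process chain in both runs (sample drops omsecor.exe into %AppData%\Roaming, that copy writes a second one into SysWOW64, which in turn re-drops and re-launches the Roaming copy) is exactly what the "Executes dropped EXE" and "Drops file in System32 directory" signatures encode. The following is an added example, not part of this report or of the sandbox: the same three detections written against Sysmon-style process-create and file-create events. The event list is constructed; its paths are taken from this report and its PIDs from the behavioral2 memory-dump names (2372, 1904, 3780, 2392), while the parent-child links, the event order and the notepad.exe row are assumptions made for the example.

```python
# Constructed Sysmon-style events modelled on the behavioral2 process list of this report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e6e85280c32c67b3cbf2173a45634660_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"
SYS32 = r"C:\Windows\System32\omsecor.exe"   # what the 32-bit process asked for; WOW64 redirects it

EVENTS = [
    {"event": "ProcessCreate", "pid": 2372, "ppid": 600, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"event": "FileCreate", "pid": 2372, "target": ROAMING},
    {"event": "ProcessCreate", "pid": 1904, "ppid": 2372, "image": ROAMING, "cmdline": ROAMING},
    {"event": "FileCreate", "pid": 1904, "target": SYSWOW},
    {"event": "ProcessCreate", "pid": 3780, "ppid": 1904, "image": SYSWOW, "cmdline": SYS32},
    {"event": "FileCreate", "pid": 3780, "target": ROAMING},
    {"event": "ProcessCreate", "pid": 2392, "ppid": 3780, "image": ROAMING, "cmdline": ROAMING},
    # assumed benign activity that must not match
    {"event": "ProcessCreate", "pid": 4100, "ppid": 600,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_user_writable(path: str) -> bool:
    lp = path.lower()
    return any(marker in lp for marker in USER_WRITABLE_MARKERS)


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def canonical(path: str) -> str:
    """Lower-case and fold SysWOW64 onto System32 so that a file dropped through WOW64
    redirection matches the path later seen in an image path or command line."""
    return path.lower().replace("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def detect(events):
    """Replay events in order and return (rule, pid, detail) findings."""
    procs = {}        # pid -> ProcessCreate event, filled as the stream is replayed
    dropped = set()   # canonical paths written so far
    findings = []
    for e in events:
        if e["event"] == "FileCreate":
            dropped.add(canonical(e["target"]))
            writer = procs.get(e["pid"])
            # a process running from a user-writable directory planting a file in a system directory
            if writer and in_system_dir(e["target"]) and is_user_writable(writer["image"]):
                findings.append(("drops_file_in_system_dir", e["pid"], e["target"]))
        elif e["event"] == "ProcessCreate":
            procs[e["pid"]] = e
            # an image that some earlier event wrote to disk (any path, any writer)
            if canonical(e["image"]) in dropped:
                findings.append(("executes_dropped_exe", e["pid"], e["image"]))
            # command line names System32 but the image really runs from SysWOW64
            if "\\syswow64\\" in e["image"].lower() and "\\system32\\" in e["cmdline"].lower():
                findings.append(("wow64_redirected_path", e["pid"], f'{e["cmdline"]} -> {e["image"]}'))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

The rules are order-sensitive by design: a process is only "dropped" if its file-create event was seen before its process-create, which is how the sandbox sees it too. If the telemetry pipeline can deliver events out of order, buffer by timestamp before replaying.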
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
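The network tables of both runs mix three kinds of rows: the sandbox's DNS queries to 8.8.8.8, reverse (PTR) lookups that come from the Windows 10 image itself, and the sample's own HTTP contacts. The following is an added example, not part of this report: it parses the behavioral2 table above, sets the resolver traffic and PTR noise aside, and returns the durable indicators, with the PTR lookups that point back at a contacted address separated from the rest. The input is the table as printed in this report; treating 8.8.8.8:53 as the resolver is this example's assumption.

```python
import re
from collections import defaultdict

# Input: the behavioral2 network table of this report, copied verbatim.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
"""

ROW = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$")
RESOLVER = ("8.8.8.8", 53)   # assumed: the sandbox's DNS resolver, whose traffic is not an indicator


def parse_rows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:                       # the header line and anything malformed are skipped
            cc, ip, port, domain, proto = m.groups()
            rows.append({"country": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str):
    """'73.91.225.64.in-addr.arpa' -> '64.225.91.73'; None for a forward name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def extract_iocs(rows: list) -> dict:
    queried, ptr_targets = set(), set()
    contacts = defaultdict(set)              # domain -> {(ip, port, proto)}
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip:                               # reverse lookups are kept aside, not reported as C2
            ptr_targets.add(ip)
            continue
        if (r["ip"], r["port"]) == RESOLVER:
            queried.add(r["domain"])         # the lookup of a name, not the contact itself
            continue
        contacts[r["domain"]].add((r["ip"], r["port"], r["proto"]))
    contacted_ips = {ip for hits in contacts.values() for ip, _, _ in hits}
    return {
        "queried_domains": sorted(queried),
        "contacts": {d: sorted(h) for d, h in sorted(contacts.items())},
        # PTR lookups whose target is an address the sample talked to corroborate the contact list
        "ptr_for_contacted": sorted(ptr_targets & contacted_ips),
        "ptr_noise": sorted(ptr_targets - contacted_ips),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(parse_rows(NETWORK_TABLE)), indent=2))
```

Two of the ten PTR lookups (73.91.225.64 and 102.124.91.35) reverse to the mkkuei4kdsz.com and ow5dirasuek.com servers the sample connected to; the other eight are unrelated Windows 10 background traffic. The domains and the 193.166.255.171, 64.225.91.73 and 35.91.124.102 contacts are the indicators worth keeping from this report. The file hashes are weaker: the first omsecor.exe dropped into %AppData%\Roaming is identical in both runs (MD5 07fdbbbd4d926e08644248958682c718), but the SysWOW64 copy and the re-dropped Roaming copy carry different hashes in each run, so blocking on those hashes would miss the next execution.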
Files
memory/2372-1-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 07fdbbbd4d926e08644248958682c718 |
| SHA1 | dd04b05687f739af49b4c3f2feb88a1bd2a38642 |
| SHA256 | a79eb03db3da8357f1186b1fd5774db3bfcaf6eeb71b8d7b3964ed83cac0448d |
| SHA512 | d7c4cc8a4a498f2e99e544ea24987e605f54b11039edaeabeac5d2899372535707a9431382ccf6fe49ba885a00c0a41cfe586f415a31f73158e3a2a4e0d3cc69 |
memory/2372-5-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1904-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1904-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1904-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1904-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1904-15-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 5e4e00f30bce6955b044415575ec3b77 |
| SHA1 | 0a1a348a90f0afb1bf5b71a62e7a6ddbb22b2bb1 |
| SHA256 | 24532aee4ece65cda4dd3e4181f31ed07f9615aa6950e44d030af4a443e4cc71 |
| SHA512 | 43d76d486752258567e66fbd59dd10d99f74ccc98493a109c20c8564c52e87e83cd959c230a14fd5f9ec663fbc9e91504ed6a1850b4df5f0405e46c71bc3da19 |
memory/1904-20-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3780-23-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3a86badba8706b241d53fbb6038ca5c2 |
| SHA1 | 4cb96dcb8ef741f8c0d13516e07c10b1be0dca2f |
| SHA256 | 4a3177b3a1f5d2268e6cb59a1cda945b6d5cd959b793e159d53318b442659509 |
| SHA512 | 24dbebc85bd997ee83472b4d46ece6fc90b508de2f8ef844dc8b7d64d9adc62788774605a56db4f48b9bc16470043e3cece0643d94f974cc09af41da6a2807d8 |
memory/2392-27-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2392-29-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2392-32-0x0000000000400000-0x000000000042D000-memory.dmp