Malware Analysis Report

2024-11-16 13:00

Sample ID 240520-mhn5mafd22
Target e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe
SHA256 ab6318caa684c48bf04b23f3143c7d8e298c7152a564119b1c42b1d108977375
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ab6318caa684c48bf04b23f3143c7d8e298c7152a564119b1c42b1d108977375

Threat Level: Known bad

The file e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 10:28

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 10:28

Reported

2024-05-20 10:30

Platform

win7-20240508-en

Max time kernel

123s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2140 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2140 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2140 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2140 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2136 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2136 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2136 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2136 wrote to memory of 1480 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1480 wrote to memory of 1508 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1480 wrote to memory of 1508 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1480 wrote to memory of 1508 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1480 wrote to memory of 1508 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is launched with a System32 command line but its image resolves to SysWOW64, consistent with WoW64 file-system redirection of a 32-bit process. The "Drops file in System32 directory" signature name should be read the same way: the recorded path is C:\Windows\SysWOW64\omsecor.exe.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f9a4c1e2f7d24fc1e4a98a4ecc056cee
SHA1 43ff03bb9adeac13b6ce98682fb43494064cdd6c
SHA256 cfb6b544eadc96cfe5af9f5447db95712c3964b83fba9a9c1a5700f7b1de569a
SHA512 0832d93a5c4073584b8b8d34bc6809671b9000bba7354116b57833f482ac937bf15623a09983efd6d7c5dcb279953ec929b8dbcdbbe1c8701eca6cf51691bf18

\Windows\SysWOW64\omsecor.exe

MD5 73f57ff62a2e11ca816ecafc8415a5d7
SHA1 bd1e23721d1d041fbdf3660a1c76df72d89ee10d
SHA256 ce45650255822916001a1724d32f6e92484b865f884c8f64fb152c606b927b9b
SHA512 c61df3b022026888e56289e1ce785f8b0f84cccd9c1e99a4a4fd20d5ad074fc8567641bc151e208c242c9c7572d90b91404cb2295590fbae2e6aee56de3e1317

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e0c8eb09d12dacceddef8b26c52cd403
SHA1 67d2d3b807698e9d5c342fefd8b4567c3734001a
SHA256 f84ec853a987625ea6ce7a07e40547a1ee508df5f1664d9600435096d472ad9e
SHA512 22f72ed3a274b919b24f03ab4b737f6c98a6e1d8a442e3a9e0150ad45ab2f31b9a52aaf46f2d4f257fee45aa5e31564ec8c1f689e9e8a9e591eb8c58e886c35a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 10:28

Reported

2024-05-20 10:30

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:8

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

As in behavioral1, the SysWOW64 image is started with a System32 command line (WoW64 redirection). The msedge.exe utility process is listed without a parent PID, so this report alone does not tie it to the sample; it is the kind of background process a Windows 10 image starts on its own.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f9a4c1e2f7d24fc1e4a98a4ecc056cee
SHA1 43ff03bb9adeac13b6ce98682fb43494064cdd6c
SHA256 cfb6b544eadc96cfe5af9f5447db95712c3964b83fba9a9c1a5700f7b1de569a
SHA512 0832d93a5c4073584b8b8d34bc6809671b9000bba7354116b57833f482ac937bf15623a09983efd6d7c5dcb279953ec929b8dbcdbbe1c8701eca6cf51691bf18

C:\Windows\SysWOW64\omsecor.exe

MD5 d0475df3623eb9a349a8977a3bd2326b
SHA1 26113ca287fbe6366fc6f444e26345c1feacf70d
SHA256 a8e475bc0893cb2cea8b3feae8f0a981698aad11db50614c11f7560a7be38d38
SHA512 0362dfe4e6aa853fdce3e0e604ae8ce01e79f416c1c8c42dd4c1cd3f08053b21b9c676b8b1b4a71e053f942131fcbeec0787e31746b26ac83aa017e3fa1c3965

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c1f059ce46a3c93c33ab90e1903489cb
SHA1 f725d104ae14b030692ee21f42cb7eb190f36e05
SHA256 abd5d2b335633c6fea4990eadf02064f0f8ba429ca338749e1d8a7f19f0d6714
SHA512 ec771888969c45fc7c3bd235f26facf84944e688714fb3a1712d3b1260da61f107813e87f6375807c31d009d28602152d410cb1a2c73a7d924db3d8c786251c5
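Both behavioral runs share the same three domains and port-80 endpoints (lousta.net / 193.166.255.171, mkkuei4kdsz.com / 64.225.91.73, ow5dirasuek.com / 35.91.124.102); the extra rows in behavioral2 are reverse-DNS lookups (in-addr.arpa) and Bing traffic from the Windows 10 image's own background activity, and 8.8.8.8 is the sandbox's resolver, not an indicator. The block below is an added example, not part of the report, that builds a hunt list from rows in the report's Country/Destination/Domain/Proto layout plus the SHA256 values from both Files sections, and runs it over constructed log lines. The log line format, host names and the background-noise suffix list are assumptions.

```python
"""IOC extraction and log matching for the omsecor.exe / Neconyd report above.

Added example, not code from the sandbox or the report. Log format and the
noise list are assumptions; all log lines below are constructed.
"""
import re

# Network rows in the report's (Country, Destination, Domain, Proto) layout,
# de-duplicated, including a representative subset of behavioral2's
# background rows so the filter has something to reject.
REPORT_NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "lousta.net", "udp"),
    ("FI", "193.166.255.171:80", "lousta.net", "tcp"),
    ("US", "8.8.8.8:53", "mkkuei4kdsz.com", "udp"),
    ("US", "64.225.91.73:80", "mkkuei4kdsz.com", "tcp"),
    ("US", "8.8.8.8:53", "ow5dirasuek.com", "udp"),
    ("US", "35.91.124.102:80", "ow5dirasuek.com", "tcp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("NL", "23.62.61.171:443", "www.bing.com", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]

# SHA256 of the submitted sample and of every dropped file in both runs.
REPORT_SHA256 = {
    "ab6318caa684c48bf04b23f3143c7d8e298c7152a564119b1c42b1d108977375",
    "cfb6b544eadc96cfe5af9f5447db95712c3964b83fba9a9c1a5700f7b1de569a",
    "ce45650255822916001a1724d32f6e92484b865f884c8f64fb152c606b927b9b",
    "f84ec853a987625ea6ce7a07e40547a1ee508df5f1664d9600435096d472ad9e",
    "a8e475bc0893cb2cea8b3feae8f0a981698aad11db50614c11f7560a7be38d38",
    "abd5d2b335633c6fea4990eadf02064f0f8ba429ca338749e1d8a7f19f0d6714",
}

# Analyst assumption: reverse-DNS and Bing hosts are OS background, not C2.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
RESOLVER = "8.8.8.8"  # the sandbox's DNS server; never a hunt indicator


def extract_iocs(rows):
    """Return (domains, ips) from report rows, minus noise and the resolver."""
    domains, ips = set(), set()
    for _country, dest, domain, _proto in rows:
        if domain.lower().endswith(NOISE_SUFFIXES):
            continue  # skip the IP too: it belongs to the background host
        domains.add(domain.lower())
        ip = dest.rsplit(":", 1)[0]
        if ip != RESOLVER:
            ips.add(ip)
    return domains, ips


def domain_matches(query, domains):
    """Exact or subdomain match on label boundaries (notlousta.net must not hit)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


# Constructed log shape (assumption): "<ts> <host> dns|conn|file <value> [path]"
LOG_RE = re.compile(r"^(\S+) (\S+) (dns|conn|file) (\S+)(?: (.*))?$")


def match_log(lines, domains, ips, hashes):
    """Return (host, kind, value) for every log line that hits an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unknown shape: skip rather than guess
        _ts, host, kind, value, extra = m.groups()
        if kind == "dns" and domain_matches(value, domains):
            hits.append((host, "dns", value))
        elif kind == "conn" and value.rsplit(":", 1)[0] in ips:
            hits.append((host, "conn", value))
        elif kind == "file" and value.lower() in hashes:
            hits.append((host, "file", extra or value))
    return hits


# Constructed log lines: two true hits, one subdomain hit, one hash hit,
# plus background traffic and a look-alike domain that must not match.
SAMPLE_LOG = [
    "2024-05-21T09:12:03Z ws-017 dns lousta.net",
    "2024-05-21T09:12:03Z ws-017 conn 193.166.255.171:80",
    "2024-05-21T09:12:10Z ws-017 dns cdn.lousta.net",
    "2024-05-21T09:12:11Z ws-017 dns g.bing.com",
    "2024-05-21T09:12:12Z ws-017 conn 204.79.197.237:443",
    "2024-05-21T09:13:00Z ws-042 dns notlousta.net",
    r"2024-05-21T09:14:00Z ws-017 file cfb6b544eadc96cfe5af9f5447db95712c3964b83fba9a9c1a5700f7b1de569a C:\Users\jdoe\AppData\Roaming\omsecor.exe",
    r"2024-05-21T09:15:00Z ws-042 file 0000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\calc.exe",
]

if __name__ == "__main__":
    doms, addrs = extract_iocs(REPORT_NETWORK_ROWS)
    for hit in match_log(SAMPLE_LOG, doms, addrs, REPORT_SHA256):
        print(hit)
```

Treat the hashes as the weakest indicators here: the Files sections show the same path, C:\Users\Admin\AppData\Roaming\omsecor.exe, with three different SHA256 values within one run and different values between the two runs, so a hash only catches the exact instance the sandbox saw. The file path, the Roaming/SysWOW64 process chain and the three domains carry over between runs and are the indicators worth hunting on.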