Analysis Overview
SHA256
ab6318caa684c48bf04b23f3143c7d8e298c7152a564119b1c42b1d108977375
Threat Level: Known bad
The file e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-20 10:28
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 10:28
Reported
2024-05-20 10:30
Platform
win7-20240508-en
Max time kernel
123s
Max time network
136s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note: the third process is launched with a System32 path on its command line, but the image that actually runs is under SysWOW64. That is consistent with WOW64 file-system redirection acting on a 32-bit process, so path-based rules for this chain should match omsecor.exe under both System32 and SysWOW64.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f9a4c1e2f7d24fc1e4a98a4ecc056cee |
| SHA1 | 43ff03bb9adeac13b6ce98682fb43494064cdd6c |
| SHA256 | cfb6b544eadc96cfe5af9f5447db95712c3964b83fba9a9c1a5700f7b1de569a |
| SHA512 | 0832d93a5c4073584b8b8d34bc6809671b9000bba7354116b57833f482ac937bf15623a09983efd6d7c5dcb279953ec929b8dbcdbbe1c8701eca6cf51691bf18 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 73f57ff62a2e11ca816ecafc8415a5d7 |
| SHA1 | bd1e23721d1d041fbdf3660a1c76df72d89ee10d |
| SHA256 | ce45650255822916001a1724d32f6e92484b865f884c8f64fb152c606b927b9b |
| SHA512 | c61df3b022026888e56289e1ce785f8b0f84cccd9c1e99a4a4fd20d5ad074fc8567641bc151e208c242c9c7572d90b91404cb2295590fbae2e6aee56de3e1317 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e0c8eb09d12dacceddef8b26c52cd403 |
| SHA1 | 67d2d3b807698e9d5c342fefd8b4567c3734001a |
| SHA256 | f84ec853a987625ea6ce7a07e40547a1ee508df5f1664d9600435096d472ad9e |
| SHA512 | 22f72ed3a274b919b24f03ab4b737f6c98a6e1d8a442e3a9e0150ad45ab2f31b9a52aaf46f2d4f257fee45aa5e31564ec8c1f689e9e8a9e591eb8c58e886c35a |
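The behaviour recorded above (a dropped omsecor.exe in Roaming that writes a second copy into SysWOW64, the System32/SysWOW64 command-line mismatch, and DNS lookups for the three contacted domains) can be turned into telemetry rules. The following is an added example, not code from this report or from the sandbox vendor: it runs four rules over a small set of constructed Sysmon-style events (field names Image, CommandLine, TargetFilename and QueryName are borrowed from Sysmon; the events themselves are made up) and returns the hits. The domains and file name are taken from the report; the WOW64 mismatch rule is generalised to any image, not only omsecor.exe.

```python
"""Behaviour rules for the omsecor.exe chain in this report, run over
constructed Sysmon-style events (example code, not from the report)."""
import ntpath

# Indicators taken from the report's tables.
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
DROPPED_NAME = "omsecor.exe"
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def norm(path: str) -> str:
    """Windows paths are case-insensitive; normalise once for comparison."""
    return ntpath.normpath(path).lower()


def first_token(cmdline: str) -> str:
    """Return the executable token of a command line, honouring quotes."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def is_c2_domain(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def detect(events):
    """Return [(rule, evidence)] for every event that matches a rule."""
    hits = []
    for ev in events:
        kind = ev.get("EventType")
        image = norm(ev.get("Image", ""))
        if kind == "ProcessCreate":
            # Rule 1: the dropped name executing from a user's Roaming profile.
            if ntpath.basename(image) == DROPPED_NAME and "\\appdata\\roaming\\" in image:
                hits.append(("dropped_exe_in_roaming", image))
            # Rule 2: command line names System32 but the image runs from SysWOW64
            # (WOW64 redirection of a 32-bit process, as seen in the process list).
            cmd_exe = norm(first_token(ev.get("CommandLine", "")))
            if "\\windows\\system32\\" in cmd_exe and "\\windows\\syswow64\\" in image:
                hits.append(("wow64_path_mismatch", f"{cmd_exe} -> {image}"))
        elif kind == "FileCreate":
            # Rule 3: a Roaming-profile executable writing into a Windows system directory.
            target = norm(ev.get("TargetFilename", ""))
            if "\\appdata\\roaming\\" in image and any(d in target for d in SYSTEM_DIRS):
                hits.append(("roaming_drops_into_system_dir", f"{image} -> {target}"))
        elif kind == "DnsQuery":
            # Rule 4: lookups for the domains contacted during detonation.
            if is_c2_domain(ev.get("QueryName", "")):
                hits.append(("c2_dns", f"{image} -> {ev['QueryName']}"))
    return hits


# Constructed sample telemetry: three events modelled on the report plus two
# benign ones (an Edge lookup and a normal System32 launch) that must not fire.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe"},
    {"EventType": "FileCreate",
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\SysWOW64\omsecor.exe",
     "CommandLine": r"C:\Windows\System32\omsecor.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"EventType": "DnsQuery",
     "Image": r"C:\Windows\SysWOW64\omsecor.exe",
     "QueryName": "lousta.net"},
    {"EventType": "DnsQuery",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "QueryName": "g.bing.com"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {evidence}")
```

The WOW64 mismatch rule fires on any 32-bit parent that launches a System32 path, which includes legitimate 32-bit installers, so treat it as context for the other three rules rather than as an alert on its own.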
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 10:28
Reported
2024-05-20 10:30
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\e8b72533c0b9c18d5eb8044a2e58e5f0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:8 |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note: as in the Windows 7 run, the SysWOW64 copy is launched with a System32 path on its command line, consistent with WOW64 file-system redirection of a 32-bit process. The msedge.exe utility process is Edge background activity recorded on the Windows 10 image; the bing.com connections and the in-addr.arpa reverse lookups in the Network table below are most likely attributable to it rather than to the sample, so they should not be copied into an indicator list.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f9a4c1e2f7d24fc1e4a98a4ecc056cee |
| SHA1 | 43ff03bb9adeac13b6ce98682fb43494064cdd6c |
| SHA256 | cfb6b544eadc96cfe5af9f5447db95712c3964b83fba9a9c1a5700f7b1de569a |
| SHA512 | 0832d93a5c4073584b8b8d34bc6809671b9000bba7354116b57833f482ac937bf15623a09983efd6d7c5dcb279953ec929b8dbcdbbe1c8701eca6cf51691bf18 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d0475df3623eb9a349a8977a3bd2326b |
| SHA1 | 26113ca287fbe6366fc6f444e26345c1feacf70d |
| SHA256 | a8e475bc0893cb2cea8b3feae8f0a981698aad11db50614c11f7560a7be38d38 |
| SHA512 | 0362dfe4e6aa853fdce3e0e604ae8ce01e79f416c1c8c42dd4c1cd3f08053b21b9c676b8b1b4a71e053f942131fcbeec0787e31746b26ac83aa017e3fa1c3965 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c1f059ce46a3c93c33ab90e1903489cb |
| SHA1 | f725d104ae14b030692ee21f42cb7eb190f36e05 |
| SHA256 | abd5d2b335633c6fea4990eadf02064f0f8ba429ca338749e1d8a7f19f0d6714 |
| SHA512 | ec771888969c45fc7c3bd235f26facf84944e688714fb3a1712d3b1260da61f107813e87f6375807c31d009d28602152d410cb1a2c73a7d924db3d8c786251c5 |
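The Files tables from the two detonations show why a hash-only indicator list is weak for this sample: the first copy of Roaming\omsecor.exe has the same SHA256 in both runs, but the SysWOW64 copy and the rewritten Roaming copy differ between runs. The following is an added example, not code from this report or from the sandbox vendor: a sweep that flags a file either because its SHA256 is in the set of hashes collected above, or because it sits at one of the drop locations (omsecor.exe under a user's AppData\Roaming or under Windows\SysWOW64; System32 is included too because that is the path the command line targets). The demo directory layout and its file contents are constructed for the dry run and are not malware.

```python
"""Sweep a directory tree for the omsecor.exe artefacts in this report
(example code, not from the report; demo tree contents are constructed)."""
import hashlib
import os
import re
import tempfile

# SHA256 values from the report: the submitted sample plus the dropped files.
KNOWN_SHA256 = {
    "ab6318caa684c48bf04b23f3143c7d8e298c7152a564119b1c42b1d108977375",  # submitted sample
    "cfb6b544eadc96cfe5af9f5447db95712c3964b83fba9a9c1a5700f7b1de569a",  # Roaming\omsecor.exe, both runs
    "ce45650255822916001a1724d32f6e92484b865f884c8f64fb152c606b927b9b",  # SysWOW64\omsecor.exe, win7 run
    "f84ec853a987625ea6ce7a07e40547a1ee508df5f1664d9600435096d472ad9e",  # rewritten Roaming copy, win7 run
    "a8e475bc0893cb2cea8b3feae8f0a981698aad11db50614c11f7560a7be38d38",  # SysWOW64\omsecor.exe, win10 run
    "abd5d2b335633c6fea4990eadf02064f0f8ba429ca338749e1d8a7f19f0d6714",  # rewritten Roaming copy, win10 run
}

# Drop locations, matched on the path relative to the scanned root so the same
# function works on a live drive (root "C:\\") or on a mounted disk image.
SUSPICIOUS_PATH = re.compile(
    r"(?i)(^|[\\/])(users[\\/][^\\/]+[\\/]appdata[\\/]roaming|windows[\\/](syswow64|system32))[\\/]omsecor\.exe$"
)


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known=KNOWN_SHA256, hash_all=False):
    """Return [(path, reason)] for files matching by drop location or by hash.

    Only files named omsecor.exe (or at a drop location) are hashed unless
    hash_all is set, because hashing a whole volume is slow; hash_all is what
    catches the original sample, whose name is arbitrary.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            reasons = []
            at_drop_location = SUSPICIOUS_PATH.search(rel) is not None
            if at_drop_location:
                reasons.append("drop-location")
            if hash_all or at_drop_location or name.lower() == "omsecor.exe":
                try:
                    if sha256_of(full) in known:
                        reasons.append("known-hash")
                except OSError:
                    pass  # locked or unreadable file; report nothing rather than guess
            if reasons:
                findings.append((full, "+".join(reasons)))
    return findings


def build_demo_tree(root):
    """Write a constructed layout (harmless placeholder bytes) for a dry run."""
    layout = {
        os.path.join("Users", "Admin", "AppData", "Roaming", "omsecor.exe"): b"MZ-demo-roaming",
        os.path.join("Windows", "SysWOW64", "omsecor.exe"): b"MZ-demo-syswow64",
        os.path.join("Users", "Admin", "Downloads", "invoice.exe"): b"MZ-demo-stage1",
        os.path.join("Program Files", "Vendor", "omsecor.exe"): b"MZ-demo-unrelated",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return layout


def run_demo():
    """Sweep the constructed tree; the Downloads file stands in for a hash-only hit."""
    with tempfile.TemporaryDirectory() as root:
        layout = build_demo_tree(root)
        stage1 = layout[os.path.join("Users", "Admin", "Downloads", "invoice.exe")]
        known = KNOWN_SHA256 | {hashlib.sha256(stage1).hexdigest()}
        findings = sweep(root, known, hash_all=True)
        return sorted((os.path.relpath(p, root).replace(os.sep, "/"), r) for p, r in findings)


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{reason:14} {path}")
```

On a live host run sweep against the system drive; on an image mounted at a path, pass that mount point so the relative paths still begin with Users or Windows. The vendor copy under Program Files is deliberately left unflagged: a matching file name outside the drop locations and with an unknown hash is not evidence on its own.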