Malware Analysis Report

2024-11-16 13:00

Sample ID 240520-msfagagf5y
Target ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe
SHA256 9b228f5f4ee4fd9ef17917cb3077f2000627dfe702c2bc0807fb70598475ed1d
Tags: upx neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 9b228f5f4ee4fd9ef17917cb3077f2000627dfe702c2bc0807fb70598475ed1d

Threat Level: Known bad

The file ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-20 10:43

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 10:43
Reported: 2024-05-20 10:45
Platform: win7-20240215-en
Max time kernel: 145s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2320 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2320 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2320 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2748 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2748 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2748 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2748 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2712 wrote to memory of 676 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2712 wrote to memory of 676 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2712 wrote to memory of 676 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2712 wrote to memory of 676 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes (each process is followed by its command line)

C:\Users\Admin\AppData\Local\Temp\ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2320-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2320-4-0x00000000002C0000-0x00000000002ED000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e563638b3afd3a95dac3a9c890c70588
SHA1 4fc18bccd20f3e47ad04e43253d29159d9854854
SHA256 22c2659fc28c6a12af7124b876e9b9cac667a66e3709fcf78b69f2d93abed1b7
SHA512 3b95180d0741fb4add56de078fc7dbfadfcae4cf4c97ac2e8ca0e65b62f71ad1c3fdac1ced216ee69cecfdb9f66bc27b47ac958486d0db05bff45a3b5a2fba65

memory/2748-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2320-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2748-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2748-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2748-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2748-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 6260d48ed46fa23e62472f5e8c80d123
SHA1 c5dc67412a062934876f4c3945df5fa828673167
SHA256 c8fe86b0d02e23c5cb86019ae12509baa1746c85dd116afef86c09176db24b0f
SHA512 125194f4cf01135a51ec3d397f57f08e6a454f062246da0c6df2b23130f1157886b9da415e7b1b057df49e2730d8adc1bf961d39e139e6b33035d32e6474cd8a

memory/2748-27-0x0000000000280000-0x00000000002AD000-memory.dmp

memory/2748-34-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2712-37-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 037f4f07b1bf5c6245653e7a414c26d9
SHA1 27bd488cd1ce645d187ad9522ea0a5d404cbcc5e
SHA256 076b8f54ee3c898e620ebf0e679ff2f6977e37ad1815ec28167769ffe0bcc74f
SHA512 72da86556d0849fe63e53a8d19a0bf914603a83ff129fc55367a98e3e8767b1345356d7604ff6705c11df2fcbffe40706bb03d54dcc8eea76752ec61f7935f7e

memory/676-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/676-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/676-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-20 10:43
Reported: 2024-05-20 10:45
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes (each process is followed by its command line)

C:\Users\Admin\AppData\Local\Temp\ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\ebb2cf253e3847bec6cc083d983e0cd0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 udp

Files

memory/2968-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e563638b3afd3a95dac3a9c890c70588
SHA1 4fc18bccd20f3e47ad04e43253d29159d9854854
SHA256 22c2659fc28c6a12af7124b876e9b9cac667a66e3709fcf78b69f2d93abed1b7
SHA512 3b95180d0741fb4add56de078fc7dbfadfcae4cf4c97ac2e8ca0e65b62f71ad1c3fdac1ced216ee69cecfdb9f66bc27b47ac958486d0db05bff45a3b5a2fba65

memory/1688-4-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2968-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1688-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1688-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1688-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1688-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 f3159c47faf41bcc7b5540a826f3993c
SHA1 c207895db0a28dc2ded20d57b92f2898ec0ca315
SHA256 c244cbf630e091e5a75ee8ffc890caf899e716b1b3069a58e75fb8c422325b4c
SHA512 b4d625d0e1df796813535a88eaf40c3f0ed46902d79071f4ecb953de0235c964aed7e0b0e3c5d84dd5ebc94fc0fb175fced9babf851595913d7b6fde8c0f0cee

memory/3076-23-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1688-20-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 17c4ed132e83f5952d224fc5955b5a8b
SHA1 23e975f608b5258110b7728544c099cc4abf1e15
SHA256 64b652a736f911b94bde782dfb61087261b2c13f52c15e3b89b302c9c01106c9
SHA512 d4fc5fcb857e8bb2fd89f90e03a0669ec7a1d6dcb6a22bc1ea9ea4dc061c9ea37a6d553bee85017f17b3236fe05c0154f1b75b577fcfb04ff168fea43d6861b5

memory/2260-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2260-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2260-32-0x0000000000400000-0x000000000042D000-memory.dmp