Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-j9tyeaed8w
Target 20fead5ff3e066fb4cf2a6835f6ec2aaa12f04a0ffb9485a101f7afcacef36c6_NeikiAnalytics
SHA256 20fead5ff3e066fb4cf2a6835f6ec2aaa12f04a0ffb9485a101f7afcacef36c6
Tags: upx, neconyd, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 20fead5ff3e066fb4cf2a6835f6ec2aaa12f04a0ffb9485a101f7afcacef36c6

Threat Level: Known bad

The file 20fead5ff3e066fb4cf2a6835f6ec2aaa12f04a0ffb9485a101f7afcacef36c6_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd

Neconyd family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 08:22

Signatures

Neconyd family (tag: neconyd)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (2 matches, no details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 08:22

Reported

2024-05-21 08:49

Platform

win7-20240419-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20fead5ff3e066fb4cf2a6835f6ec2aaa12f04a0ffb9485a101f7afcacef36c6_NeikiAnalytics.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (17 matches, no details recorded)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1680 wrote to memory of 2464 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\20fead5ff3e066fb4cf2a6835f6ec2aaa12f04a0ffb9485a101f7afcacef36c6_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2464 wrote to memory of 1580 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1580 wrote to memory of 1676 (4 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\20fead5ff3e066fb4cf2a6835f6ec2aaa12f04a0ffb9485a101f7afcacef36c6_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\20fead5ff3e066fb4cf2a6835f6ec2aaa12f04a0ffb9485a101f7afcacef36c6_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/1680-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1680-9-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5860fc9fe405cdfc6dcd85471ff6e7a9
SHA1 f8f3c6aa495b7236cc96fc082b235885b858dba9
SHA256 5b2121530d461abfe216f4ddfc33aa61a0f5160c40a27aa8823992a8d0480e1f
SHA512 921829224efc49327fd92e9a4c610f434e43376040c295c4b08934c334d472c92d02cf19da9482713ac62e20b8c22316f40999da53835792ef34ccc172d5dd04

memory/2464-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2464-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2464-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2464-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2464-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 ff04463d28bdf0c3081681fa26379e57
SHA1 832063fae5ae25cdbfd95f9e77b42af32d4ff3ac
SHA256 f22293b98bd32bccdd50cfc14557ea8514d2db08b95abaa429c288ba4551d086
SHA512 1fec1b82827f57feb9da2022a85e1be52fd6499a441d2d801f8734bd1ca93736ffe89ab2ae0be2e84754029ac35819c0b95825343693019ef52174607616df00

memory/2464-25-0x00000000006C0000-0x00000000006ED000-memory.dmp

memory/2464-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1580-34-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7ca2f5992e3e2a31cde8e79236698a77
SHA1 3d57221fea2377f7c34ae8aa4a913fd3a8fb5e35
SHA256 e64cf1055c024583088b7b564c8997b2cf503c9568d141cac96988d2e0a33265
SHA512 469eb51c9ed0d6d68edd961fb8665d06dde9a2d8fcbb8d4c2cc4fedb70c7181589dc628a7c8d1fee60c617ca190661cd456db70942c7ad9e2d1163504a5d9958

memory/1580-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1676-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1676-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1676-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 08:22

Reported

2024-05-21 08:50

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\20fead5ff3e066fb4cf2a6835f6ec2aaa12f04a0ffb9485a101f7afcacef36c6_NeikiAnalytics.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (16 matches, no details recorded)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\20fead5ff3e066fb4cf2a6835f6ec2aaa12f04a0ffb9485a101f7afcacef36c6_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\20fead5ff3e066fb4cf2a6835f6ec2aaa12f04a0ffb9485a101f7afcacef36c6_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
NL | 23.62.61.160:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2336-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5860fc9fe405cdfc6dcd85471ff6e7a9
SHA1 f8f3c6aa495b7236cc96fc082b235885b858dba9
SHA256 5b2121530d461abfe216f4ddfc33aa61a0f5160c40a27aa8823992a8d0480e1f
SHA512 921829224efc49327fd92e9a4c610f434e43376040c295c4b08934c334d472c92d02cf19da9482713ac62e20b8c22316f40999da53835792ef34ccc172d5dd04

memory/2336-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2724-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2724-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2724-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2724-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2724-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 ca69f9e3bbc58d0680237a15b74bfa0a
SHA1 dec84d0f77e17ace8812d7f1bd89234cae9f080e
SHA256 03d30ab267c0948b98ff792e970f98f1aefa447f0a0d2a3d15aa319d4c5b574d
SHA512 adce1ef5bf96e92aa7e468672b736e00f9600f6785770e2397d85454da616488252ade4cf4ef565a747850e7539757757e6141974253a15e11742535dea970b9

memory/2724-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4864-22-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2cf8e3f5566fb06827219a678ef3a06f
SHA1 253af545d5fbe82035b8d61a1592159d18c2c333
SHA256 b7a165fca1a4e84ffc3d615d95fc0b02c078ce6d1a187e8c4543210e3ab6b501
SHA512 e9e172521fc8462047ccab4d5108115d0edc727850239fc97d6ade24b1ea7847dff179bb445a9ed485714873e68ae180a15a1bef578d61fc136f530a0796de0b

memory/4864-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3488-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3488-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3488-33-0x0000000000400000-0x000000000042D000-memory.dmp