Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-keyhsaef66
Target 228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics
SHA256 228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c

Threat Level: Known bad

The file 228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 08:31

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 08:31

Reported

2024-05-21 08:58

Platform

win7-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 956 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 956 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 956 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 956 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2240 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2240 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2240 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2240 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1904 wrote to memory of 1600 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1904 wrote to memory of 1600 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1904 wrote to memory of 1600 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1904 wrote to memory of 1600 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aa5e9854c4e6355129f89f83c610c7f5
SHA1 636266bb6a266aa02c94c28e616f510cc629e4b6
SHA256 1b3b233768b6a150fcf5ba47f764048828f09cb799f7ef685a7c92939b8660ce
SHA512 56b1f97f8b703997468c6119f17cb485f4264388b2867b27ab1d7e15609e81861f942371ff6b4f998d4e01aca383df3e0f17611b161afe63357778db1bbbfe92

\Windows\SysWOW64\omsecor.exe

MD5 948279eb9a608576dc57e562fa084959
SHA1 29831bc3e35762ea5bfd72ce572c0dc525d348c6
SHA256 33247e38cad5e9f5116d115a08e45dd416598b9a7be495b0ebe2bd2b9f205576
SHA512 fd6aaecabf0fe1ef164eeb2f97bedff37088caa3aadf87cce5988ddc27d84ca1a5e55e98ccbe61eb834d33a719bbbe054471e1355963257106915f7071119fa7

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 78c73aa99888b4ee070bf9b1bee5c9d7
SHA1 a045a838979a452a23f0ef48fd2f4858f95095fd
SHA256 e24fa232fbcbd94d1901f67810c52d120cedcc604430d1e69b0ab60cdbc0ef0d
SHA512 470f13c8085c94ff81cbe521f4bcc477151e002853b6a3cdb43c1dcb25bc8d5ce91f2696506d2f75b7d67992471c948dacf2e1aff73c69695d8fa5edc6d9b241

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 08:31

Reported

2024-05-21 08:58

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NL | 23.62.61.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aa5e9854c4e6355129f89f83c610c7f5
SHA1 636266bb6a266aa02c94c28e616f510cc629e4b6
SHA256 1b3b233768b6a150fcf5ba47f764048828f09cb799f7ef685a7c92939b8660ce
SHA512 56b1f97f8b703997468c6119f17cb485f4264388b2867b27ab1d7e15609e81861f942371ff6b4f998d4e01aca383df3e0f17611b161afe63357778db1bbbfe92

C:\Windows\SysWOW64\omsecor.exe

MD5 7c49477ee62267fcd43cc768924d6f1e
SHA1 66e0e5311aba85637db63b65c245403cdf110433
SHA256 d79710db2f749d0d234512f3c65473ebda254adc6d837e869cc68ed8ced359b0
SHA512 5b5ecd1a703b0190e2efa8fc4b065cc7283261f8952a44bf6ebf9f56df39bfd0e153ef4a6732d2c494220de6037dbcbdca3f524a1152adda45a0d29014f21f5f

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 11412191c9aea90a444a60fd1269735a
SHA1 650ca2dbe0b409a9e2340813c4323e34168c2207
SHA256 eba21a9c92f2d3aa75817be8cf57b5ef981b0b2ee8be4c05909bd24f3953d3c0
SHA512 e7792c30c2aff3ac80f4d27ebda172ddb61f219d8b6204df17274d1f84998474323ced187610e2b9bb2a66291e152c36ac54b0d20638087b7baf2a03aada697d