Analysis Overview
SHA256
228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c
Threat Level: Known bad
The file 228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 08:31
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 08:31
Reported
2024-05-21 08:58
Platform
win7-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe

| Hash | Value |
| --- | --- |
| MD5 | aa5e9854c4e6355129f89f83c610c7f5 |
| SHA1 | 636266bb6a266aa02c94c28e616f510cc629e4b6 |
| SHA256 | 1b3b233768b6a150fcf5ba47f764048828f09cb799f7ef685a7c92939b8660ce |
| SHA512 | 56b1f97f8b703997468c6119f17cb485f4264388b2867b27ab1d7e15609e81861f942371ff6b4f998d4e01aca383df3e0f17611b161afe63357778db1bbbfe92 |
\Windows\SysWOW64\omsecor.exe

| Hash | Value |
| --- | --- |
| MD5 | 948279eb9a608576dc57e562fa084959 |
| SHA1 | 29831bc3e35762ea5bfd72ce572c0dc525d348c6 |
| SHA256 | 33247e38cad5e9f5116d115a08e45dd416598b9a7be495b0ebe2bd2b9f205576 |
| SHA512 | fd6aaecabf0fe1ef164eeb2f97bedff37088caa3aadf87cce5988ddc27d84ca1a5e55e98ccbe61eb834d33a719bbbe054471e1355963257106915f7071119fa7 |
\Users\Admin\AppData\Roaming\omsecor.exe

| Hash | Value |
| --- | --- |
| MD5 | 78c73aa99888b4ee070bf9b1bee5c9d7 |
| SHA1 | a045a838979a452a23f0ef48fd2f4858f95095fd |
| SHA256 | e24fa232fbcbd94d1901f67810c52d120cedcc604430d1e69b0ab60cdbc0ef0d |
| SHA512 | 470f13c8085c94ff81cbe521f4bcc477151e002853b6a3cdb43c1dcb25bc8d5ce91f2696506d2f75b7d67992471c948dacf2e1aff73c69695d8fa5edc6d9b241 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 08:31
Reported
2024-05-21 08:58
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\228ee0146df5d8e9a048765c19b798da68504acd8d2f5740ddc1d7479cbce04c_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe

| Hash | Value |
| --- | --- |
| MD5 | aa5e9854c4e6355129f89f83c610c7f5 |
| SHA1 | 636266bb6a266aa02c94c28e616f510cc629e4b6 |
| SHA256 | 1b3b233768b6a150fcf5ba47f764048828f09cb799f7ef685a7c92939b8660ce |
| SHA512 | 56b1f97f8b703997468c6119f17cb485f4264388b2867b27ab1d7e15609e81861f942371ff6b4f998d4e01aca383df3e0f17611b161afe63357778db1bbbfe92 |
C:\Windows\SysWOW64\omsecor.exe

| Hash | Value |
| --- | --- |
| MD5 | 7c49477ee62267fcd43cc768924d6f1e |
| SHA1 | 66e0e5311aba85637db63b65c245403cdf110433 |
| SHA256 | d79710db2f749d0d234512f3c65473ebda254adc6d837e869cc68ed8ced359b0 |
| SHA512 | 5b5ecd1a703b0190e2efa8fc4b065cc7283261f8952a44bf6ebf9f56df39bfd0e153ef4a6732d2c494220de6037dbcbdca3f524a1152adda45a0d29014f21f5f |
C:\Users\Admin\AppData\Roaming\omsecor.exe

| Hash | Value |
| --- | --- |
| MD5 | 11412191c9aea90a444a60fd1269735a |
| SHA1 | 650ca2dbe0b409a9e2340813c4323e34168c2207 |
| SHA256 | eba21a9c92f2d3aa75817be8cf57b5ef981b0b2ee8be4c05909bd24f3953d3c0 |
| SHA512 | e7792c30c2aff3ac80f4d27ebda172ddb61f219d8b6204df17274d1f84998474323ced187610e2b9bb2a66291e152c36ac54b0d20638087b7baf2a03aada697d |