Analysis Overview
SHA256
23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251
Threat Level: Known bad
The file 23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 08:39
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 08:39
Reported
2024-05-21 08:57
Platform
win7-20240508-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6729049df9dcdf60d1a4b2d66185d9ee |
| SHA1 | 8e3cebbac162379787c43942a49fda1173bf60cf |
| SHA256 | f9f9421b8036812e1789e90181b7ecd141f5edb4b22303a334da65114e7c1647 |
| SHA512 | 2b6025253c3b0086fe52ee6e4739f7660542d2625b5f7f8c58c033b4c9526dabf64de95485408cfec464e172010f6cc43032d43b04dfc05c90fa522dd9547f9f |
\Windows\SysWOW64\omsecor.exe
| MD5 | e1f44d968699d94721ed8e7f6eafd746 |
| SHA1 | e2916b01a796eea7ace5a15c15ed0274dae75a0d |
| SHA256 | cccb5393401b9850592127d9cb70ec52ac3b608835f34ea4be7413c4082995b9 |
| SHA512 | 29e3f536d3a28f91b253b2890e72246d8fec8d26bfc102692e7ebde3569ae8820c5b1688df381300518f29f6c739126a94aa8f1ee6b6ad466443d3248f92fc4b |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ed42e04bbc91e242425fb0290364afae |
| SHA1 | 6f4f36da9c731b5807b3bdc2db1fcd2a025749b4 |
| SHA256 | a2bcf69e13b842404078ed2ff6a6b3c06114a9258c5a77bfe497746e5e0c0d42 |
| SHA512 | 6ae84123618b1d13ba62b506205a1dc8e532d10328b6fb1526508988b81ca0b89326f9a05669f70f51b5eb1f976b39ec972b49f9a3894d0b0e723560165333fa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 08:39
Reported
2024-05-21 08:57
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6729049df9dcdf60d1a4b2d66185d9ee |
| SHA1 | 8e3cebbac162379787c43942a49fda1173bf60cf |
| SHA256 | f9f9421b8036812e1789e90181b7ecd141f5edb4b22303a334da65114e7c1647 |
| SHA512 | 2b6025253c3b0086fe52ee6e4739f7660542d2625b5f7f8c58c033b4c9526dabf64de95485408cfec464e172010f6cc43032d43b04dfc05c90fa522dd9547f9f |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | cf20a9e88a1857bbc4186a314bb8fe12 |
| SHA1 | 889257cc86223361931696f329f8268faf5b1949 |
| SHA256 | a42988bfff8980b44687cf84be061ee3cbd427f016da40557118e85df314526c |
| SHA512 | c2e54ac1ff6298d388cdebbbc3d33b4404d0e03d95ac4bf15387b81cf85b3a6e769e0e3e1b447e0acd3bff454d66a530099c256c0fb023848998c09f3dde166f |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3d6960b3e990aa0751aa6048a6729482 |
| SHA1 | 7931824a1234bc6f4053b287d4f630cce8accbd2 |
| SHA256 | 0e8e94b6fce6e9f21ae23fcbcde14760ea6ccf0fe04df12c154109cb980237ce |
| SHA512 | 7eb2846b896edeea23950dd5f9a93acc161fcc53283bf79955fc75a02637baa2ef66e70d7dec97380b234954f2ec6733abc3d51130bcd541dd59bc80fecd4988 |