Malware Analysis Report

2024-11-16 13:01

Sample ID 240521-kkcs9seh9y
Target 23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics
SHA256 23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251

Threat Level: Known bad

The file 23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 08:39

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 08:39

Reported

2024-05-21 08:57

Platform

win7-20240508-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2120 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2120 wrote to memory of 1920 (4 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1920 wrote to memory of 1908 (4 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Each writer/target pair above is a parent and the child it has just started (the same chain as the process list below), and a parent writing a handful of times into a freshly created child is what CreateProcess itself does. The signature therefore corroborates the execution chain but is not by itself evidence of injection into a foreign process: nothing in this report shows a write into a process the sample did not start.

Processes

Process tree (parent-to-child order reconstructed from the WriteProcessMemory rows above, PID 1724 -> 2120 -> 1920 -> 1908; each entry is the image path followed by its command line):

C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe  (PID 1724)
  "C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe"

  C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2120)
    C:\Users\Admin\AppData\Roaming\omsecor.exe

    C:\Windows\SysWOW64\omsecor.exe  (PID 1920)
      C:\Windows\System32\omsecor.exe

      C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 1908)
        C:\Users\Admin\AppData\Roaming\omsecor.exe

Note the third process: its command line names C:\Windows\System32\omsecor.exe, but the image that actually ran is C:\Windows\SysWOW64\omsecor.exe. That mismatch is WoW64 file-system redirection, which only applies to a 32-bit process on 64-bit Windows: the sample's writes to and launches from "System32" land in SysWOW64, which is why the "Drops file in System32 directory" signature reports the SysWOW64 path. When hunting, check for omsecor.exe under both directories and under %APPDATA%.
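The three behaviours this run is scored on (a file dropped into the system directory, a dropped executable being run, and one binary copying itself between a user-writable directory and SysWOW64 along a single process lineage) are easy to express as rules over endpoint telemetry. The Python below is an added example, not part of the sandbox report: it runs those rules over a constructed Sysmon-style event list modelled on the behavioral1 rows. The PIDs 1724/2120/1920/1908 and the paths are the report's; the explorer.exe parent (PID 900) and the setup.exe/tool.exe rows (PID 3000) are made up so the rules can be seen staying quiet on an ordinary installer.

```python
"""Detection rules for the dropper chain in this report, run over a
constructed Sysmon-style event list (not real telemetry)."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events: id 1 = process create, id 11 = file create (Sysmon
# numbering). PIDs 1724/2120/1920/1908 follow the report; explorer.exe
# (PID 900) and the setup.exe rows (PID 3000) are made-up benign background.
EVENTS = [
    {"id": 1, "pid": 1724, "ppid": 900, "image": SAMPLE, "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 1724, "image": SAMPLE, "target": ROAMING},
    {"id": 1, "pid": 2120, "ppid": 1724, "image": ROAMING, "parent": SAMPLE},
    {"id": 11, "pid": 2120, "image": ROAMING, "target": SYSWOW},
    {"id": 1, "pid": 1920, "ppid": 2120, "image": SYSWOW, "parent": ROAMING},
    {"id": 1, "pid": 1908, "ppid": 1920, "image": ROAMING, "parent": SYSWOW},
    {"id": 1, "pid": 3000, "ppid": 900, "image": r"C:\Users\Admin\Downloads\setup.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 3000, "image": r"C:\Users\Admin\Downloads\setup.exe",
     "target": r"C:\Program Files\Tool\tool.exe"},
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.I)


def location_class(path):
    """Coarse trust class of a path: system dir, user-writable dir, or other."""
    if SYSTEM_DIR.match(path):
        return "system"
    if USER_WRITABLE.match(path):
        return "user"
    return "other"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, detail...) tuples for the three behaviours in the report."""
    findings = []
    dropped = set()                 # lower-cased paths written during the trace
    image_of, parent_of = {}, {}
    children = defaultdict(list)
    for ev in events:
        if ev["id"] == 11:
            dropped.add(ev["target"].lower())
            # Rule 1: a process from a user-writable dir creates a file in a system dir.
            if location_class(ev["target"]) == "system" and location_class(ev["image"]) == "user":
                findings.append(("drop_in_system_dir", ev["image"], ev["target"]))
        elif ev["id"] == 1:
            image_of[ev["pid"]] = ev["image"]
            parent_of[ev["pid"]] = ev["ppid"]
            children[ev["ppid"]].append(ev["pid"])
            # Rule 2: the image being started was written earlier in this trace.
            if ev["image"].lower() in dropped:
                findings.append(("executes_dropped_exe", ev["parent"], ev["image"]))
    # Rule 3: walk each leaf process up through its ancestors; a basename that
    # runs from both a user-writable dir and a system dir within one lineage is
    # the self-copying pattern omsecor.exe shows here.
    for pid in image_of:
        if children[pid]:
            continue
        seen, lineage, cur = defaultdict(set), [], pid
        while cur in image_of:
            img = image_of[cur]
            lineage.append(cur)
            seen[basename(img)].add(location_class(img))
            cur = parent_of[cur]
        for name, classes in seen.items():
            if {"user", "system"} <= classes:
                findings.append(("replica_chain", name, tuple(reversed(lineage))))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(*finding)
```

Rule 3 is the one worth keeping even where rules 1 and 2 are too noisy on a fleet: legitimate software does not usually run the same binary name from %APPDATA% and from SysWOW64 inside one parent-child chain.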

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6729049df9dcdf60d1a4b2d66185d9ee
SHA1 8e3cebbac162379787c43942a49fda1173bf60cf
SHA256 f9f9421b8036812e1789e90181b7ecd141f5edb4b22303a334da65114e7c1647
SHA512 2b6025253c3b0086fe52ee6e4739f7660542d2625b5f7f8c58c033b4c9526dabf64de95485408cfec464e172010f6cc43032d43b04dfc05c90fa522dd9547f9f

\Windows\SysWOW64\omsecor.exe

MD5 e1f44d968699d94721ed8e7f6eafd746
SHA1 e2916b01a796eea7ace5a15c15ed0274dae75a0d
SHA256 cccb5393401b9850592127d9cb70ec52ac3b608835f34ea4be7413c4082995b9
SHA512 29e3f536d3a28f91b253b2890e72246d8fec8d26bfc102692e7ebde3569ae8820c5b1688df381300518f29f6c739126a94aa8f1ee6b6ad466443d3248f92fc4b

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ed42e04bbc91e242425fb0290364afae
SHA1 6f4f36da9c731b5807b3bdc2db1fcd2a025749b4
SHA256 a2bcf69e13b842404078ed2ff6a6b3c06114a9258c5a77bfe497746e5e0c0d42
SHA512 6ae84123618b1d13ba62b506205a1dc8e532d10328b6fb1526508988b81ca0b89326f9a05669f70f51b5eb1f976b39ec972b49f9a3894d0b0e723560165333fa

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 08:39

Reported

2024-05-21 08:57

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Same process list as behavioral1 (image path, then its command line):

C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\23c9f115e1cea35f9dd8a3609da4ae3bb397b29fab8f1a15933fc8ac9d971251_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe  (WoW64 file-system redirection: a 32-bit process launching "System32\omsecor.exe" runs the SysWOW64 copy)

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 6729049df9dcdf60d1a4b2d66185d9ee
SHA1 8e3cebbac162379787c43942a49fda1173bf60cf
SHA256 f9f9421b8036812e1789e90181b7ecd141f5edb4b22303a334da65114e7c1647
SHA512 2b6025253c3b0086fe52ee6e4739f7660542d2625b5f7f8c58c033b4c9526dabf64de95485408cfec464e172010f6cc43032d43b04dfc05c90fa522dd9547f9f

C:\Windows\SysWOW64\omsecor.exe

MD5 cf20a9e88a1857bbc4186a314bb8fe12
SHA1 889257cc86223361931696f329f8268faf5b1949
SHA256 a42988bfff8980b44687cf84be061ee3cbd427f016da40557118e85df314526c
SHA512 c2e54ac1ff6298d388cdebbbc3d33b4404d0e03d95ac4bf15387b81cf85b3a6e769e0e3e1b447e0acd3bff454d66a530099c256c0fb023848998c09f3dde166f

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3d6960b3e990aa0751aa6048a6729482
SHA1 7931824a1234bc6f4053b287d4f630cce8accbd2
SHA256 0e8e94b6fce6e9f21ae23fcbcde14760ea6ccf0fe04df12c154109cb980237ce
SHA512 7eb2846b896edeea23950dd5f9a93acc161fcc53283bf79955fc75a02637baa2ef66e70d7dec97380b234954f2ec6733abc3d51130bcd541dd59bc80fecd4988
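Which of these indicators are worth shipping? Across the two detonations the dropped-file hashes mostly differ (the SysWOW64 copy has a different SHA256 in each run, and the Roaming copy is rewritten within a run and ends up different again), while the paths, the three contacted domains and their non-resolver IPs recur. The Python below is an added example, not part of the sandbox report: it partitions the indicators by exactly that criterion, using the Network and Files rows copied from this page (deduplicated, most reverse-DNS rows and the MD5/SHA1/SHA512 lines left out to keep it short). It assumes 8.8.8.8:53 is the sandbox's resolver and drops in-addr.arpa lookups as carrying no new indicator; whether the single-run bing.com traffic is Windows 10 background noise is an analyst judgement the script leaves to the reader.

```python
"""Split two detonations' indicators into stable (seen in both runs) and
single-run ones. Input text is copied from this report's Network and Files
tables, deduplicated, with only the SHA256 line kept per file."""
import re
from collections import defaultdict

RUN1_NET = """US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp"""

RUN2_NET = """US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp"""

RUN1_FILES = r"""\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 f9f9421b8036812e1789e90181b7ecd141f5edb4b22303a334da65114e7c1647

\Windows\SysWOW64\omsecor.exe
SHA256 cccb5393401b9850592127d9cb70ec52ac3b608835f34ea4be7413c4082995b9

C:\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 a2bcf69e13b842404078ed2ff6a6b3c06114a9258c5a77bfe497746e5e0c0d42"""

RUN2_FILES = r"""C:\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 f9f9421b8036812e1789e90181b7ecd141f5edb4b22303a334da65114e7c1647

C:\Windows\SysWOW64\omsecor.exe
SHA256 a42988bfff8980b44687cf84be061ee3cbd427f016da40557118e85df314526c

C:\Users\Admin\AppData\Roaming\omsecor.exe
SHA256 0e8e94b6fce6e9f21ae23fcbcde14760ea6ccf0fe04df12c154109cb980237ce"""


def parse_network(text, resolver="8.8.8.8"):
    """Return (domains, ips) from 'CC ip:port domain proto' rows, skipping
    reverse-DNS rows and the resolver itself (assumed to be 8.8.8.8)."""
    domains, ips = set(), set()
    for line in text.strip().splitlines():
        _cc, dest, domain, _proto = line.split()
        if domain.endswith(".in-addr.arpa"):
            continue
        domains.add(domain)
        ip = dest.rsplit(":", 1)[0]
        if ip != resolver:
            ips.add(ip)
    return domains, ips


def parse_files(text):
    """Map a drive-letter-stripped, lower-cased path to the set of SHA256
    values recorded for it (the report lists the same path twice per run)."""
    out = defaultdict(set)
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        path = re.sub(r"^[A-Za-z]:", "", lines[0]).lower()
        hashes = dict(line.split(None, 1) for line in lines[1:])
        out[path].add(hashes["SHA256"])
    return out


def compare_runs(net_a, files_a, net_b, files_b):
    """Stable = present in both detonations; single-run/volatile = in one only."""
    da, ia = parse_network(net_a)
    db, ib = parse_network(net_b)
    fa, fb = parse_files(files_a), parse_files(files_b)
    ha, hb = set().union(*fa.values()), set().union(*fb.values())
    return {
        "stable_domains": da & db, "single_run_domains": da ^ db,
        "stable_ips": ia & ib, "single_run_ips": ia ^ ib,
        "stable_paths": set(fa) & set(fb),
        "stable_hashes": ha & hb, "volatile_hashes": ha ^ hb,
    }


if __name__ == "__main__":
    for key, value in compare_runs(RUN1_NET, RUN1_FILES, RUN2_NET, RUN2_FILES).items():
        print(f"{key}: {sorted(value)}")
```

The output makes the point concretely: only the first Roaming drop (f9f9421b...) keeps its hash across runs, the other four hashes are run-specific and would miss the next detonation, whereas the two paths, lousta.net, mkkuei4kdsz.com, ow5dirasuek.com and their three IPs recur and are the indicators to block on.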