Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-lf4xmagd46
Target 2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics
SHA256 2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc
Tags: neconyd trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc

Threat Level: Known bad

The file 2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 09:29

Signatures

Neconyd family

neconyd

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 09:29

Reported

2024-05-21 09:32

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4092,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
BE 2.17.107.115:443 www.bing.com tcp
US 8.8.8.8:53 115.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 789ad43d132970e75072f253d64cdb36
SHA1 751ff2ab4d73974572d51801a61f850e87fac667
SHA256 ff4d1339f4d57b667cfcb22d5beb40359040cf6c93d3aea49e3cf28f66e9fa3b
SHA512 7fd2db8619ff7c68b91486e6659f1af8c2630836dcaa128abc62537b7c1973a96138e1bcbe9a4fbed3258ae243a0e555054682f486153cce7de5580e17078c47

C:\Windows\SysWOW64\omsecor.exe

MD5 85d39fee892eefa695a84cf5d7087e85
SHA1 1c77460d00071f7f24bd13603a391b6ecda867e2
SHA256 94f62bbace884f847bcd4d5ef1abcd3455e68aa130454d50851d2db181c008e6
SHA512 ad0cbe8df46697729699bf9bddd712c27c3385b7e28d987ac2909dc640193a963ab483663da7155bfc501ad4cfcb94062e2c734452cf3fe98529c92135320057

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 777d0248f8c1013f8198981b6ba1ffdd
SHA1 131f8b837c8e4f73246fbca2f3253925a7bf0a2d
SHA256 ed20786375f8eeb254dbceabb38828d112e957c4623e11875ceafb301c2fddf2
SHA512 925b6e4489c060b3c9f06b3d993d85615046891ccb8560ae142a9f8f479287f237c6e74c99fd6453c13f4d9be769de4c418ae3aec4e14e3fc7527cbd217ddb7b

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 09:29

Reported

2024-05-21 09:31

Platform

win7-20240221-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2844 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2844 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2844 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3052 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3052 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3052 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3052 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2828 wrote to memory of 2672 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2828 wrote to memory of 2672 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2828 wrote to memory of 2672 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2828 wrote to memory of 2672 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 789ad43d132970e75072f253d64cdb36
SHA1 751ff2ab4d73974572d51801a61f850e87fac667
SHA256 ff4d1339f4d57b667cfcb22d5beb40359040cf6c93d3aea49e3cf28f66e9fa3b
SHA512 7fd2db8619ff7c68b91486e6659f1af8c2630836dcaa128abc62537b7c1973a96138e1bcbe9a4fbed3258ae243a0e555054682f486153cce7de5580e17078c47

\Windows\SysWOW64\omsecor.exe

MD5 6964e5034544eab2ca37e619f0c4b6f2
SHA1 522131dad7b032e5b9a5ebda06a8c7ae44bb1af3
SHA256 fe5e3f7024d41e4e0d4f73176ee8f79107687778b3b9b095cbc30f8d2e811d43
SHA512 54cd7e58c3146e0e48c3c65ca0355bc5c33352218e32b77b650eeaae5d6acf37b15101cbd9af06016b0f0b4aa3c7fe3bbb860646c6d6c76d7f509a0ed42b91e5

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a66b058304e0a659baf63953d27f2b7f
SHA1 9144ebaaaf8fb3e971f2fabd8d48cf4b0c111767
SHA256 4c14c5e45790dff71cce52f69a691990799f36a569be50670a773910ba26985b
SHA512 e0e424fd565948a8056bde34b541dbefdce980e59d03c80dd2c45d1cd5ffd07f09db670ac90020b8907deaa34a4fc0e532676bb6e7300009596c4fef1624a218