Analysis Overview
SHA256
2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc
Threat Level: Known bad
The file 2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 09:29
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 09:29
Reported
2024-05-21 09:32
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4092,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 131.253.33.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| BE | 2.17.107.115:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 115.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 789ad43d132970e75072f253d64cdb36 |
| SHA1 | 751ff2ab4d73974572d51801a61f850e87fac667 |
| SHA256 | ff4d1339f4d57b667cfcb22d5beb40359040cf6c93d3aea49e3cf28f66e9fa3b |
| SHA512 | 7fd2db8619ff7c68b91486e6659f1af8c2630836dcaa128abc62537b7c1973a96138e1bcbe9a4fbed3258ae243a0e555054682f486153cce7de5580e17078c47 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 85d39fee892eefa695a84cf5d7087e85 |
| SHA1 | 1c77460d00071f7f24bd13603a391b6ecda867e2 |
| SHA256 | 94f62bbace884f847bcd4d5ef1abcd3455e68aa130454d50851d2db181c008e6 |
| SHA512 | ad0cbe8df46697729699bf9bddd712c27c3385b7e28d987ac2909dc640193a963ab483663da7155bfc501ad4cfcb94062e2c734452cf3fe98529c92135320057 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 777d0248f8c1013f8198981b6ba1ffdd |
| SHA1 | 131f8b837c8e4f73246fbca2f3253925a7bf0a2d |
| SHA256 | ed20786375f8eeb254dbceabb38828d112e957c4623e11875ceafb301c2fddf2 |
| SHA512 | 925b6e4489c060b3c9f06b3d993d85615046891ccb8560ae142a9f8f479287f237c6e74c99fd6453c13f4d9be769de4c418ae3aec4e14e3fc7527cbd217ddb7b |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 09:29
Reported
2024-05-21 09:31
Platform
win7-20240221-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2c535b5b8e242717c64f8d1c6f39903829fb87ac086749b0ed044ba7d2e5c4fc_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 789ad43d132970e75072f253d64cdb36 |
| SHA1 | 751ff2ab4d73974572d51801a61f850e87fac667 |
| SHA256 | ff4d1339f4d57b667cfcb22d5beb40359040cf6c93d3aea49e3cf28f66e9fa3b |
| SHA512 | 7fd2db8619ff7c68b91486e6659f1af8c2630836dcaa128abc62537b7c1973a96138e1bcbe9a4fbed3258ae243a0e555054682f486153cce7de5580e17078c47 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 6964e5034544eab2ca37e619f0c4b6f2 |
| SHA1 | 522131dad7b032e5b9a5ebda06a8c7ae44bb1af3 |
| SHA256 | fe5e3f7024d41e4e0d4f73176ee8f79107687778b3b9b095cbc30f8d2e811d43 |
| SHA512 | 54cd7e58c3146e0e48c3c65ca0355bc5c33352218e32b77b650eeaae5d6acf37b15101cbd9af06016b0f0b4aa3c7fe3bbb860646c6d6c76d7f509a0ed42b91e5 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a66b058304e0a659baf63953d27f2b7f |
| SHA1 | 9144ebaaaf8fb3e971f2fabd8d48cf4b0c111767 |
| SHA256 | 4c14c5e45790dff71cce52f69a691990799f36a569be50670a773910ba26985b |
| SHA512 | e0e424fd565948a8056bde34b541dbefdce980e59d03c80dd2c45d1cd5ffd07f09db670ac90020b8907deaa34a4fc0e532676bb6e7300009596c4fef1624a218 |