Malware Analysis Report

2024-11-16 12:59

Sample ID: 240521-nbxc4abe5s
Target: 3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics
SHA256: 3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0

Threat Level: Known bad

The file 3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 11:13

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 11:13

Reported

2024-05-21 11:16

Platform

win7-20240508-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2176 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2176 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2176 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2176 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2472 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2472 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2472 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2472 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2788 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2788 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2788 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2788 wrote to memory of 2948 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e7aa48748fb6209da07eddea39f05a83
SHA1 5903409201b588cd9d9ba8b03e748dfc17674a42
SHA256 c5ea7fd8fd0f01205c4625153ae1965ce2c72803d5c39b6003022141890326a6
SHA512 bb38ff8d53a0460ad877e1f5efac395c7855db3d0debf870d00bf0e763c8c73fed7543bb497126c5c35330f7296c8438b7fa4ba6d06591c4c0ec0b994e59debf

\Windows\SysWOW64\omsecor.exe

MD5 bd127c24fc26f35351bcb9cc702e6659
SHA1 e249c1a141ccd4be428f92515d00921521cde9c5
SHA256 14f8d0e6eae9722fb62d29d100580261afc9f6955cd94b002bb81a788b643486
SHA512 40cac1939647906d22f0077910f7062eee0f5ea36b312705f582c247208a0f70849542f726c3814e0d27a0c90153342c8e083edf45ae86ae5c0fa60d5b95ab23

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 55d92e2e871b5387f13f893222629209
SHA1 b31c5d817d42c6af922e5dca6b9be9e6a8b5f514
SHA256 9f3ce948b3e589c9536f937ba0660bf0180cf0224b990a6af70cecad4c623c00
SHA512 5c837311802e5b980a988ffbd09a9dafc4dfc131437371c81434f76cd81eab16f96ff500e60934c5bd9330dbacb7027a4f749c529c7c435188892aee8d3f93ea

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 11:13

Reported

2024-05-21 11:16

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 131.253.33.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e7aa48748fb6209da07eddea39f05a83
SHA1 5903409201b588cd9d9ba8b03e748dfc17674a42
SHA256 c5ea7fd8fd0f01205c4625153ae1965ce2c72803d5c39b6003022141890326a6
SHA512 bb38ff8d53a0460ad877e1f5efac395c7855db3d0debf870d00bf0e763c8c73fed7543bb497126c5c35330f7296c8438b7fa4ba6d06591c4c0ec0b994e59debf

C:\Windows\SysWOW64\omsecor.exe

MD5 0fd7d8ad3be24207d89c9223b7464de8
SHA1 6b8fa4911db85753a8412f6bd52245b521394094
SHA256 a4a89d4b328abce92a66639be05adebeb09ed6e83d1c5e4f12c5bb48a487e317
SHA512 8086199c0198c294c885b485d2ac4de7ad30373b9c080808257ce8cf9b9f428f7c9d8ecfe70625b44966473fe07f5c1abfe8b5dd6d361a27ed0fcfbbbc64fa4f

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c88e885c751b1155dd2436c7fcf55302
SHA1 dd4b9f2c81aebf3ea1509b39887b7f34b55d706b
SHA256 8293d008981d7120f8614814d8400235a201c6ea2a9dab129a3549ba3db6d8ce
SHA512 0293fd6f3995ad0fc9fcaab185d5dc0ba05c3ef7049450894c051ca2277e8d66e99e2fda9d64f63fc9e0e3493c09408253d1bd5d60131bd40d73ee1d36732fef