Analysis Overview
SHA256
3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0
Threat Level: Known bad
The file 3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 11:13
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 11:13
Reported
2024-05-21 11:16
Platform
win7-20240508-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e7aa48748fb6209da07eddea39f05a83 |
| SHA1 | 5903409201b588cd9d9ba8b03e748dfc17674a42 |
| SHA256 | c5ea7fd8fd0f01205c4625153ae1965ce2c72803d5c39b6003022141890326a6 |
| SHA512 | bb38ff8d53a0460ad877e1f5efac395c7855db3d0debf870d00bf0e763c8c73fed7543bb497126c5c35330f7296c8438b7fa4ba6d06591c4c0ec0b994e59debf |
\Windows\SysWOW64\omsecor.exe
| MD5 | bd127c24fc26f35351bcb9cc702e6659 |
| SHA1 | e249c1a141ccd4be428f92515d00921521cde9c5 |
| SHA256 | 14f8d0e6eae9722fb62d29d100580261afc9f6955cd94b002bb81a788b643486 |
| SHA512 | 40cac1939647906d22f0077910f7062eee0f5ea36b312705f582c247208a0f70849542f726c3814e0d27a0c90153342c8e083edf45ae86ae5c0fa60d5b95ab23 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 55d92e2e871b5387f13f893222629209 |
| SHA1 | b31c5d817d42c6af922e5dca6b9be9e6a8b5f514 |
| SHA256 | 9f3ce948b3e589c9536f937ba0660bf0180cf0224b990a6af70cecad4c623c00 |
| SHA512 | 5c837311802e5b980a988ffbd09a9dafc4dfc131437371c81434f76cd81eab16f96ff500e60934c5bd9330dbacb7027a4f749c529c7c435188892aee8d3f93ea |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 11:13
Reported
2024-05-21 11:16
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3daf830fc3cf7e4b3b90eaa6ef590efd60cf79fdae68f258a76001d9b05344d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 131.253.33.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e7aa48748fb6209da07eddea39f05a83 |
| SHA1 | 5903409201b588cd9d9ba8b03e748dfc17674a42 |
| SHA256 | c5ea7fd8fd0f01205c4625153ae1965ce2c72803d5c39b6003022141890326a6 |
| SHA512 | bb38ff8d53a0460ad877e1f5efac395c7855db3d0debf870d00bf0e763c8c73fed7543bb497126c5c35330f7296c8438b7fa4ba6d06591c4c0ec0b994e59debf |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 0fd7d8ad3be24207d89c9223b7464de8 |
| SHA1 | 6b8fa4911db85753a8412f6bd52245b521394094 |
| SHA256 | a4a89d4b328abce92a66639be05adebeb09ed6e83d1c5e4f12c5bb48a487e317 |
| SHA512 | 8086199c0198c294c885b485d2ac4de7ad30373b9c080808257ce8cf9b9f428f7c9d8ecfe70625b44966473fe07f5c1abfe8b5dd6d361a27ed0fcfbbbc64fa4f |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c88e885c751b1155dd2436c7fcf55302 |
| SHA1 | dd4b9f2c81aebf3ea1509b39887b7f34b55d706b |
| SHA256 | 8293d008981d7120f8614814d8400235a201c6ea2a9dab129a3549ba3db6d8ce |
| SHA512 | 0293fd6f3995ad0fc9fcaab185d5dc0ba05c3ef7049450894c051ca2277e8d66e99e2fda9d64f63fc9e0e3493c09408253d1bd5d60131bd40d73ee1d36732fef |