Analysis Overview
SHA256
58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2
Threat Level: Known bad
The file 58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 13:48
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 13:48
Reported
2024-05-21 13:51
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2336-0-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2336-11-0x00000000002B0000-0x00000000002DD000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | aa0e450021dfba3816c1a7ffd49778f1 |
| SHA1 | 0f89d7867dda58b71d655e6742dcbceb624f2f97 |
| SHA256 | 251b86da5a2b3f77c16022d2cb2db5ce2744a4878c5c5e5c672eb8cc13512112 |
| SHA512 | 7909175c217c6f165953f2a0ddeddf680d37f040893f3a22db237a36bfb572784a81a599d66d9e9e6f448f8aaa8c6251a7f73aa142f2d6bf66b3826bd752cecb |
memory/1720-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2336-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2336-9-0x00000000002B0000-0x00000000002DD000-memory.dmp
memory/1720-15-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2336-17-0x00000000002B0000-0x00000000002DD000-memory.dmp
memory/1720-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1720-22-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1720-25-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | b989196a22ed937acbe7cd09aff837c6 |
| SHA1 | fd2d15007870c85009a7e912ee30bccc5e277229 |
| SHA256 | 0011463ef4d602dc1797524bd446c8c3669b95c674b3e7a4ee57f1804dd6bd2a |
| SHA512 | 915661cd21eeafbf2d9c7e57fbae1774f83832b002ce96d9deed7fa527413d205d5b8618a63710494f096b688944c6e1df365f24ae7f8df18008a79a3453dab7 |
memory/1720-28-0x0000000000290000-0x00000000002BD000-memory.dmp
memory/1720-35-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1944-39-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | daae0bd3a744b8cb3d6dc8f4581068d1 |
| SHA1 | f0df3073ae46ba16758772e6a74f4033ee29a89d |
| SHA256 | b13ae3f16c1b0a3b6e435de305356c572d2374ab62ed0a30af32fc80f231996c |
| SHA512 | 66a29984809dfc4769808f8664c7b94b00b5da5cfb016cbdafa392c6aabf12c6d9aa46c0d86309f936bc905331bae7523f864aa2a6c65c33b3a2e0bb3a2f67f2 |
memory/1980-49-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1944-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1980-51-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1980-54-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 13:48
Reported
2024-05-21 13:51
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/4908-0-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4908-4-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | aa0e450021dfba3816c1a7ffd49778f1 |
| SHA1 | 0f89d7867dda58b71d655e6742dcbceb624f2f97 |
| SHA256 | 251b86da5a2b3f77c16022d2cb2db5ce2744a4878c5c5e5c672eb8cc13512112 |
| SHA512 | 7909175c217c6f165953f2a0ddeddf680d37f040893f3a22db237a36bfb572784a81a599d66d9e9e6f448f8aaa8c6251a7f73aa142f2d6bf66b3826bd752cecb |
memory/3448-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3448-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3448-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3448-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3448-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3448-19-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | afd47c8b67af58e6495f5e35bc9be509 |
| SHA1 | 3b6279ff289f74058b6ebd32fa1d6792a663e912 |
| SHA256 | bd8a3058177f99dbcd71c62d717c54641924bd4fed27328c5ddac15503e235a7 |
| SHA512 | ecede43d156c130de6183fa3e4b4fe8812234bafa997822706b4969f00065466948d43f4cd0e5a217efe92a09cf3384b6b80c61342c0d2f7bed37cd144ae75aa |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e97e58d59ac8737a9e79a1bf9e15ba62 |
| SHA1 | 5a2482ec30493f308806bed2822fdebb76116023 |
| SHA256 | 5ba798732b03500f29f85b2f1f5764b5188c2915a7ebc20de1c3c735f618fe0e |
| SHA512 | 56016af279477e77313e44cab498803da487ee20a707fdc90127322eeef5d8ec2b540138892efe324daf3448658fcefa63cd1c02eda4b08af349e3277770eac3 |
memory/4388-24-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2968-26-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2968-28-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2968-31-0x0000000000400000-0x000000000042D000-memory.dmp