Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-q4jzksgb8s
Target 58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics
SHA256 58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2
Tags upx neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2

Threat Level: Known bad

The file 58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

Neconyd

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 13:48

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 13:48

Reported

2024-05-21 13:51

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2336 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2336 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2336 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1720 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1720 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1720 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1720 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1944 wrote to memory of 1980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1944 wrote to memory of 1980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1944 wrote to memory of 1980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1944 wrote to memory of 1980 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2336-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2336-11-0x00000000002B0000-0x00000000002DD000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aa0e450021dfba3816c1a7ffd49778f1
SHA1 0f89d7867dda58b71d655e6742dcbceb624f2f97
SHA256 251b86da5a2b3f77c16022d2cb2db5ce2744a4878c5c5e5c672eb8cc13512112
SHA512 7909175c217c6f165953f2a0ddeddf680d37f040893f3a22db237a36bfb572784a81a599d66d9e9e6f448f8aaa8c6251a7f73aa142f2d6bf66b3826bd752cecb

memory/1720-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2336-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2336-9-0x00000000002B0000-0x00000000002DD000-memory.dmp

memory/1720-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2336-17-0x00000000002B0000-0x00000000002DD000-memory.dmp

memory/1720-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1720-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1720-25-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 b989196a22ed937acbe7cd09aff837c6
SHA1 fd2d15007870c85009a7e912ee30bccc5e277229
SHA256 0011463ef4d602dc1797524bd446c8c3669b95c674b3e7a4ee57f1804dd6bd2a
SHA512 915661cd21eeafbf2d9c7e57fbae1774f83832b002ce96d9deed7fa527413d205d5b8618a63710494f096b688944c6e1df365f24ae7f8df18008a79a3453dab7

memory/1720-28-0x0000000000290000-0x00000000002BD000-memory.dmp

memory/1720-35-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1944-39-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 daae0bd3a744b8cb3d6dc8f4581068d1
SHA1 f0df3073ae46ba16758772e6a74f4033ee29a89d
SHA256 b13ae3f16c1b0a3b6e435de305356c572d2374ab62ed0a30af32fc80f231996c
SHA512 66a29984809dfc4769808f8664c7b94b00b5da5cfb016cbdafa392c6aabf12c6d9aa46c0d86309f936bc905331bae7523f864aa2a6c65c33b3a2e0bb3a2f67f2

memory/1980-49-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1944-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1980-51-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1980-54-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 13:48

Reported

2024-05-21 13:51

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\58efcf20523a4fffcc4fdc229f2323a52ef0b1a355d713606702f1a7308cccb2_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
IE 52.111.236.23:443 tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/4908-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4908-4-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aa0e450021dfba3816c1a7ffd49778f1
SHA1 0f89d7867dda58b71d655e6742dcbceb624f2f97
SHA256 251b86da5a2b3f77c16022d2cb2db5ce2744a4878c5c5e5c672eb8cc13512112
SHA512 7909175c217c6f165953f2a0ddeddf680d37f040893f3a22db237a36bfb572784a81a599d66d9e9e6f448f8aaa8c6251a7f73aa142f2d6bf66b3826bd752cecb

memory/3448-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3448-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3448-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3448-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3448-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3448-19-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 afd47c8b67af58e6495f5e35bc9be509
SHA1 3b6279ff289f74058b6ebd32fa1d6792a663e912
SHA256 bd8a3058177f99dbcd71c62d717c54641924bd4fed27328c5ddac15503e235a7
SHA512 ecede43d156c130de6183fa3e4b4fe8812234bafa997822706b4969f00065466948d43f4cd0e5a217efe92a09cf3384b6b80c61342c0d2f7bed37cd144ae75aa

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e97e58d59ac8737a9e79a1bf9e15ba62
SHA1 5a2482ec30493f308806bed2822fdebb76116023
SHA256 5ba798732b03500f29f85b2f1f5764b5188c2915a7ebc20de1c3c735f618fe0e
SHA512 56016af279477e77313e44cab498803da487ee20a707fdc90127322eeef5d8ec2b540138892efe324daf3448658fcefa63cd1c02eda4b08af349e3277770eac3

memory/4388-24-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2968-26-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2968-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2968-31-0x0000000000400000-0x000000000042D000-memory.dmp