Malware Analysis Report

2024-11-16 13:00

Sample ID: 240521-qafp3aeg57
Target: 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics
SHA256: 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0
Tags: neconyd trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0

Threat Level: Known bad

The file 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-21 13:03

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 13:03
Reported: 2024-05-21 13:05
Platform: win7-20231129-en
Max time kernel: 146s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1420 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1420 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1420 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1420 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2992 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2992 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2992 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1436 wrote to memory of 1308 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1436 wrote to memory of 1308 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1436 wrote to memory of 1308 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1436 wrote to memory of 1308 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5: 540b9b67841d4199b21880644c909be1
SHA1: 529a68d19b90f49eeb0275660661734dd0071abc
SHA256: c54b077107b28100dc2a5f121e1281d4e04bcc890f8640ae9de01ccdd728f60b
SHA512: 18b9566aa6b9aedfde07b68c76ef6c9e37e73b8b51770cb5fbd246f71143a8f3914b141547e0ad1a450ca4b8314ca58d501a972e01fce9e9fc267169bc0a6940

\Windows\SysWOW64\omsecor.exe

MD5: f1edb95fd49dca5ec9f27787fde2ca35
SHA1: 9aed74099a4475d0f09039aa8da04991ea933972
SHA256: 989eaee9c21a5909f662b58cc1d8e5b28f75ef7e51de112ea146b82e673f2e29
SHA512: f9591e35f0be852527ec84916b8f8e3d73bfc3bc299ab300a93cedba9d25ad9bfe80e91fc6f0caffa3252ca2f3609ecd4ea4bf87d862d3ea4fc77fab3a9038f0

\Users\Admin\AppData\Roaming\omsecor.exe

MD5: f1ef1ec565e4c04aab8d02e739ae5810
SHA1: 95493c0911870ce39dda7b1efb5b54088b798a69
SHA256: b600d3359e0b4de325f454ef121d1636c6504890c35fc33f367b01ff40ac3f99
SHA512: d5b154f9b04663ca95091bae20a60238ac0a81e7c7b140408092371a26bd9acae550618b0f07a40afe6578340641b38b2c405d49ebac6b9f8d6bb397e999b608

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 13:03
Reported: 2024-05-21 13:05
Platform: win10v2004-20240508-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    Command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5: 540b9b67841d4199b21880644c909be1
SHA1: 529a68d19b90f49eeb0275660661734dd0071abc
SHA256: c54b077107b28100dc2a5f121e1281d4e04bcc890f8640ae9de01ccdd728f60b
SHA512: 18b9566aa6b9aedfde07b68c76ef6c9e37e73b8b51770cb5fbd246f71143a8f3914b141547e0ad1a450ca4b8314ca58d501a972e01fce9e9fc267169bc0a6940

C:\Windows\SysWOW64\omsecor.exe

MD5: 3e1bfe0f7c72511a075545cab89345b0
SHA1: 5b65d67f85a690b61c4ca35defeda63f46daaac8
SHA256: 44c581b5b0f1e3be311ecca6fc187dcb703879276f08dfad3d4d9def18a5e99f
SHA512: e0ccd83180044f72e638f39d3ca2eaa8ef3376eaf6684c2a9b3b2257435efaf10ee4662b3043bd10e9a34e5b8e9b2ef940f3fddb90701270f59f9e99cb4ec6c0

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5: 368fa73dc35e2781c17aa7679b711486
SHA1: d7cb4c5aaae645a0be50a076c87befb9f2ebda55
SHA256: 4eefa189f6f7b0b3ef6939cf69407ce2d1bb5c777a84ec19bb74990819b43909
SHA512: 2178bf487096903507a39dd458ca24f561ebdf74f067f36173a151dc9ea09279d7ad9891942fa2250e352cf77c97ddb44f627e1e12a089a303def6c33c47546a