Analysis Overview
SHA256
50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0
Threat Level: Known bad
The file 50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 13:03
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 13:03
Reported
2024-05-21 13:05
Platform
win7-20231129-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 540b9b67841d4199b21880644c909be1 |
| SHA1 | 529a68d19b90f49eeb0275660661734dd0071abc |
| SHA256 | c54b077107b28100dc2a5f121e1281d4e04bcc890f8640ae9de01ccdd728f60b |
| SHA512 | 18b9566aa6b9aedfde07b68c76ef6c9e37e73b8b51770cb5fbd246f71143a8f3914b141547e0ad1a450ca4b8314ca58d501a972e01fce9e9fc267169bc0a6940 |
\Windows\SysWOW64\omsecor.exe
| MD5 | f1edb95fd49dca5ec9f27787fde2ca35 |
| SHA1 | 9aed74099a4475d0f09039aa8da04991ea933972 |
| SHA256 | 989eaee9c21a5909f662b58cc1d8e5b28f75ef7e51de112ea146b82e673f2e29 |
| SHA512 | f9591e35f0be852527ec84916b8f8e3d73bfc3bc299ab300a93cedba9d25ad9bfe80e91fc6f0caffa3252ca2f3609ecd4ea4bf87d862d3ea4fc77fab3a9038f0 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f1ef1ec565e4c04aab8d02e739ae5810 |
| SHA1 | 95493c0911870ce39dda7b1efb5b54088b798a69 |
| SHA256 | b600d3359e0b4de325f454ef121d1636c6504890c35fc33f367b01ff40ac3f99 |
| SHA512 | d5b154f9b04663ca95091bae20a60238ac0a81e7c7b140408092371a26bd9acae550618b0f07a40afe6578340641b38b2c405d49ebac6b9f8d6bb397e999b608 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 13:03
Reported
2024-05-21 13:05
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\50eabd69d43de62a2928c4031c3175c4a34aa4c47811efea5ff7425e149e93b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 540b9b67841d4199b21880644c909be1 |
| SHA1 | 529a68d19b90f49eeb0275660661734dd0071abc |
| SHA256 | c54b077107b28100dc2a5f121e1281d4e04bcc890f8640ae9de01ccdd728f60b |
| SHA512 | 18b9566aa6b9aedfde07b68c76ef6c9e37e73b8b51770cb5fbd246f71143a8f3914b141547e0ad1a450ca4b8314ca58d501a972e01fce9e9fc267169bc0a6940 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 3e1bfe0f7c72511a075545cab89345b0 |
| SHA1 | 5b65d67f85a690b61c4ca35defeda63f46daaac8 |
| SHA256 | 44c581b5b0f1e3be311ecca6fc187dcb703879276f08dfad3d4d9def18a5e99f |
| SHA512 | e0ccd83180044f72e638f39d3ca2eaa8ef3376eaf6684c2a9b3b2257435efaf10ee4662b3043bd10e9a34e5b8e9b2ef940f3fddb90701270f59f9e99cb4ec6c0 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 368fa73dc35e2781c17aa7679b711486 |
| SHA1 | d7cb4c5aaae645a0be50a076c87befb9f2ebda55 |
| SHA256 | 4eefa189f6f7b0b3ef6939cf69407ce2d1bb5c777a84ec19bb74990819b43909 |
| SHA512 | 2178bf487096903507a39dd458ca24f561ebdf74f067f36173a151dc9ea09279d7ad9891942fa2250e352cf77c97ddb44f627e1e12a089a303def6c33c47546a |