Analysis Overview
SHA256
554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299
Threat Level: Known bad
The file 554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-21 13:26
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 13:26
Reported
2024-05-21 13:29
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | bd82948dc53fe897ba3f95ed58d15c91 |
| SHA1 | a59209707f1946fd4137c07ab55f56eb569181c9 |
| SHA256 | b7d3e9a5dba9f25b5a50dffd09ed34b874a314178968b8ca2f526096e7125b8c |
| SHA512 | 4ec70d60e1391759bd49f1e98e6a0d561015eb2363e32abcac4dea552e32a2a526716341581b58ccca718f0ea5e9022f0c8f7da3a6e3a78f7ce55010b82462d7 |
\Windows\SysWOW64\omsecor.exe
| MD5 | a749ea8c296562a4da0d3178a5e8a371 |
| SHA1 | f568e5ffe3bfc31f7690b07b5eda22df39748d43 |
| SHA256 | bdb16a55a2c6cd77625354bde91cd2041e132e0d2d1bb4118e692f0177912d1e |
| SHA512 | 4a65ab66309911cf7141ec6450398c1ccee7292da0c2d25ad634a674ed2fb7058ac0b58e045147774c363b5b15843995408a9cea121f8689158289864eb34e23 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c34d794a4bf08fc0e82e7e51405372bc |
| SHA1 | 68e0a3cd93eac9c83b0a60d44d3e5a6a2b630151 |
| SHA256 | 63f647bc555a77374393774c6b626c43b10931d6daeede6d7a846a2468620248 |
| SHA512 | bee6fa95d28740a62a155bbe46fdbc63a2fd6f647d3aa06a80ad9edbb10793cc6bf91f8f0ceed021828242fe4068f26f963274d50de8fb3f267d8e113cc4f00f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 13:26
Reported
2024-05-21 13:29
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
148s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | bd82948dc53fe897ba3f95ed58d15c91 |
| SHA1 | a59209707f1946fd4137c07ab55f56eb569181c9 |
| SHA256 | b7d3e9a5dba9f25b5a50dffd09ed34b874a314178968b8ca2f526096e7125b8c |
| SHA512 | 4ec70d60e1391759bd49f1e98e6a0d561015eb2363e32abcac4dea552e32a2a526716341581b58ccca718f0ea5e9022f0c8f7da3a6e3a78f7ce55010b82462d7 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 47420a29487909aea5059727a786c064 |
| SHA1 | 2c2df2da5828e6c84c1c4dd74cd32139cf68b360 |
| SHA256 | bf0e06b90c07256ecde166062397c87900a6ed55b66fc1b4baeaaf7689253ab2 |
| SHA512 | c2059f865394ff4e9a493c7a2267657c967714e7ca1676de3248f120d7442a81e5580b6e7c617ed26352008ac2b75eedad3fa8c050348b6d35a08c09c672cdd3 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 24597e8e8677cfdf17a593734e090383 |
| SHA1 | 379e1df4bd028e62e44575b6ff7a9d5ed96cf844 |
| SHA256 | 5ce34a003f846bb39838e1564a65bd6eaaec21ddc88f06d89a8ab9a2b6656da3 |
| SHA512 | 91fd45b6cc50420bd9edd7e944effb7cb61d691f17026d73b03066e3e5c2ac519ddd1cffb1c4cd6c5db425ae71973c4fd3b0d773626be2afd466541972699ec9 |
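Editor's added example (not part of the sandbox report or of any vendor tooling): the two detonations above agree on the behaviour chain (the sample drops omsecor.exe into %APPDATA%\Roaming, that copy writes omsecor.exe into SysWOW64, both dropped copies are executed, and the process resolves and contacts lousta.net, mkkuei4kdsz.com and ow5dirasuek.com over TCP/80). They do not agree on file hashes: the first Roaming copy is byte-identical in the win7 and win10 runs (SHA256 b7d3e9a5...), but the SysWOW64 copy and the second Roaming copy differ per run, so those hashes are weak indicators. The script below encodes the stable indicators from the report and runs them over a constructed stream of Sysmon-style events (the event schema and the sample events are assumptions made for the example, not telemetry from the report). The bing.com and in-addr.arpa entries in the win10 network table are treated as OS background traffic and deliberately left out.

```python
"""Match the stable indicators from the Neconyd report against Sysmon-style events."""
import re
from typing import Iterable

# --- Indicators lifted from the report above -------------------------------
# Dropped-file locations. The user name (Admin) and drive letter are sandbox
# artefacts, so paths are matched by suffix rather than literally. System32 is
# accepted alongside SysWOW64 because a 32-bit process writing to System32 on
# 64-bit Windows is redirected to SysWOW64 (the report shows the command line
# as System32 while the file lands in SysWOW64).
DROP_PATH_PATTERNS = [
    re.compile(r"\\appdata\\roaming\\omsecor\.exe$", re.IGNORECASE),
    re.compile(r"^[a-z]:\\windows\\(syswow64|system32)\\omsecor\.exe$", re.IGNORECASE),
]

# Domains resolved and then contacted over TCP/80 in both detonations, and the
# IPs they resolved to at the time of the report (IPs rotate; treat as dated).
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "35.91.124.102"}

# SHA256 of the first Roaming copy; identical in the win7 and win10 runs.
# The SysWOW64 copy and the second Roaming copy differ per run and are omitted.
STABLE_SHA256 = {"b7d3e9a5dba9f25b5a50dffd09ed34b874a314178968b8ca2f526096e7125b8c"}


def _is_drop_path(path: str) -> bool:
    return any(p.search(path) for p in DROP_PATH_PATTERNS)


def match_event(ev: dict) -> list:
    """Return the indicator names one event matches.

    Assumed event keys (hypothetical, loosely modelled on Sysmon event fields):
      type: FileCreate | ProcessCreate | DnsQuery | NetworkConnect
      image, target_filename, sha256, query_name, dest_ip
    """
    hits = []
    t = ev.get("type")
    if t == "FileCreate" and _is_drop_path(ev.get("target_filename", "")):
        hits.append("file_drop:" + ev["target_filename"])
        # The distinguishing step in the report: the Roaming copy, not the
        # original sample, is the process that writes into SysWOW64.
        if "syswow64" in ev["target_filename"].lower() and _is_drop_path(ev.get("image", "")):
            hits.append("roaming_copy_writes_syswow64")
    elif t == "ProcessCreate":
        if _is_drop_path(ev.get("image", "")):
            hits.append("exec_dropped:" + ev["image"])
        if ev.get("sha256", "").lower() in STABLE_SHA256:
            hits.append("known_hash:" + ev["sha256"].lower())
    elif t == "DnsQuery" and ev.get("query_name", "").lower() in C2_DOMAINS:
        hits.append("c2_dns:" + ev["query_name"].lower())
    elif t == "NetworkConnect" and ev.get("dest_ip") in C2_IPS:
        hits.append("c2_connect:" + ev["dest_ip"])
    return hits


def scan(events: Iterable[dict]) -> list:
    """Flatten matches over an event stream, preserving event order."""
    out = []
    for ev in events:
        out.extend(match_event(ev))
    return out


# Constructed sample events (not from the report's telemetry) that replay the
# chain described above, followed by two benign events as negatives.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "sha256": "B7D3E9A5DBA9F25B5A50DFFD09ED34B874A314178968B8CA2F526096E7125B8C"},
    {"type": "FileCreate", "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "target_filename": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\SysWOW64\omsecor.exe", "sha256": "deadbeef"},
    {"type": "DnsQuery", "image": r"C:\Windows\SysWOW64\omsecor.exe", "query_name": "lousta.net"},
    {"type": "NetworkConnect", "image": r"C:\Windows\SysWOW64\omsecor.exe",
     "dest_ip": "193.166.255.171", "dest_port": 80},
    {"type": "DnsQuery", "image": r"C:\Windows\System32\svchost.exe", "query_name": "www.bing.com"},
    {"type": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target_filename": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The path and domain indicators are the ones worth deploying: the Roaming-to-SysWOW64 write by an executable already living under %APPDATA% is the behavioural signal, and the three domains are constant across both runs. The per-run hashes of the SysWOW64 and second Roaming copies would only ever match this exact detonation.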