Malware Analysis Report

2024-11-16 13:00

Sample ID 240521-qpz29afe9s
Target 554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics
SHA256 554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299

Threat Level: Known bad

The file 554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 13:26

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 13:26

Reported

2024-05-21 13:29

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1796 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1796 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1796 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1796 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2408 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2408 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2408 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2408 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3008 wrote to memory of 1924 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3008 wrote to memory of 1924 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3008 wrote to memory of 1924 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3008 wrote to memory of 1924 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 bd82948dc53fe897ba3f95ed58d15c91
SHA1 a59209707f1946fd4137c07ab55f56eb569181c9
SHA256 b7d3e9a5dba9f25b5a50dffd09ed34b874a314178968b8ca2f526096e7125b8c
SHA512 4ec70d60e1391759bd49f1e98e6a0d561015eb2363e32abcac4dea552e32a2a526716341581b58ccca718f0ea5e9022f0c8f7da3a6e3a78f7ce55010b82462d7

\Windows\SysWOW64\omsecor.exe

MD5 a749ea8c296562a4da0d3178a5e8a371
SHA1 f568e5ffe3bfc31f7690b07b5eda22df39748d43
SHA256 bdb16a55a2c6cd77625354bde91cd2041e132e0d2d1bb4118e692f0177912d1e
SHA512 4a65ab66309911cf7141ec6450398c1ccee7292da0c2d25ad634a674ed2fb7058ac0b58e045147774c363b5b15843995408a9cea121f8689158289864eb34e23

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c34d794a4bf08fc0e82e7e51405372bc
SHA1 68e0a3cd93eac9c83b0a60d44d3e5a6a2b630151
SHA256 63f647bc555a77374393774c6b626c43b10931d6daeede6d7a846a2468620248
SHA512 bee6fa95d28740a62a155bbe46fdbc63a2fd6f647d3aa06a80ad9edbb10793cc6bf91f8f0ceed021828242fe4068f26f963274d50de8fb3f267d8e113cc4f00f

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 13:26

Reported

2024-05-21 13:29

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\554b34972e904d275cdb008ea035a9882ed9cbc1a308cfe6bfd30eea0e497299_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 bd82948dc53fe897ba3f95ed58d15c91
SHA1 a59209707f1946fd4137c07ab55f56eb569181c9
SHA256 b7d3e9a5dba9f25b5a50dffd09ed34b874a314178968b8ca2f526096e7125b8c
SHA512 4ec70d60e1391759bd49f1e98e6a0d561015eb2363e32abcac4dea552e32a2a526716341581b58ccca718f0ea5e9022f0c8f7da3a6e3a78f7ce55010b82462d7

C:\Windows\SysWOW64\omsecor.exe

MD5 47420a29487909aea5059727a786c064
SHA1 2c2df2da5828e6c84c1c4dd74cd32139cf68b360
SHA256 bf0e06b90c07256ecde166062397c87900a6ed55b66fc1b4baeaaf7689253ab2
SHA512 c2059f865394ff4e9a493c7a2267657c967714e7ca1676de3248f120d7442a81e5580b6e7c617ed26352008ac2b75eedad3fa8c050348b6d35a08c09c672cdd3

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 24597e8e8677cfdf17a593734e090383
SHA1 379e1df4bd028e62e44575b6ff7a9d5ed96cf844
SHA256 5ce34a003f846bb39838e1564a65bd6eaaec21ddc88f06d89a8ab9a2b6656da3
SHA512 91fd45b6cc50420bd9edd7e944effb7cb61d691f17026d73b03066e3e5c2ac519ddd1cffb1c4cd6c5db425ae71973c4fd3b0d773626be2afd466541972699ec9