Analysis Overview
SHA256
e36f3fa13bacf3f882dc60a92934947c22955d55fc629cce4e51bd32fdeae521
Threat Level: Known bad
The file 54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 23:14
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 23:14
Reported
2024-05-22 23:17
Platform
win7-20240221-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3d6effab3d917dc1cf40c7201e95621a |
| SHA1 | bee3829081257cef1936f9f753afe66d2b37dec0 |
| SHA256 | 7ee4d301b6f54421e2a896e74ee6cf66f010bdebfd250b9376f977ba6aa3945f |
| SHA512 | 25c1b4bf0da7389a5acbba5cba77f808a1a540b1160bb75f3b361bed77a1c5518bf43af7f4bb05aeafa1950545a99c7d5cd344f3b5c81140c99307010ba256da |
\Windows\SysWOW64\omsecor.exe
| MD5 | 508e1782f3701b19d1af8f0a02f7e31d |
| SHA1 | 30f2a84602aeb2959e7ca2ac9c2fc2697859b8d8 |
| SHA256 | e3e47b97c94a4b1347e6bc18d99683488628e0c4b6dd5deb319e39cc58ea485e |
| SHA512 | fc9e06b27d67b525f81af3f58386a689fa1bb10db8d782301b5b6bab7fbe5baa4e542a9d12969cbc458b6b951efd07349980f02c099b3c14bc1247533369b515 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 500d26988810f0980c11a16fba1dbb8b |
| SHA1 | b5851fc42761b9c9cff01a8f895d830f99e0ad24 |
| SHA256 | cd0d704f086dabee9ee4fc908b6c9bf769d9a42fb9ea66a6eca1a49e31d8b467 |
| SHA512 | 326f42dec0e42ddf4012e177497107eecd781fff1be7f637a1719122c8c07c443bc1cc882881a62a0cf9f639d7c8b19fa96e2b4c76a013f0536fb3c5486d7e7e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 23:14
Reported
2024-05-22 23:17
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3d6effab3d917dc1cf40c7201e95621a |
| SHA1 | bee3829081257cef1936f9f753afe66d2b37dec0 |
| SHA256 | 7ee4d301b6f54421e2a896e74ee6cf66f010bdebfd250b9376f977ba6aa3945f |
| SHA512 | 25c1b4bf0da7389a5acbba5cba77f808a1a540b1160bb75f3b361bed77a1c5518bf43af7f4bb05aeafa1950545a99c7d5cd344f3b5c81140c99307010ba256da |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 8118261ba50ea58680bb53b8ffc210b8 |
| SHA1 | 3792d9097a02dcc0df8ea7402a008f8db16cb193 |
| SHA256 | ca9e21177872fb41246ba183c01465a441fc785720ccfdaf23710e91280a1d63 |
| SHA512 | 2ce0a3c23fa0057a8e53c48b9572f40851ad76a3bef425c2016669ff682ad9ef72443fe053f1f2361c1d46bab5403086fefcaf4b55cc53ffa0d90ccc6967f6d2 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 993864cc9b836a0e43be3ac8c91bae02 |
| SHA1 | 2428f77944dbc72d0328a945f08ba359c3de94b2 |
| SHA256 | cb97c5af2b644a51e358523f0c921a488413744f7c383a75a7776b0e7eed6c70 |
| SHA512 | 02be59890caf77fa5ac07da0f789008caaf5194b229a6502667b120815854469b277ba348c022cb6be887fa294b032780e80e5c24447d7cbce3f95350c3ab2f0 |