Malware Analysis Report

2024-11-16 13:01

Sample ID 240522-28e2zacg29
Target 54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe
SHA256 e36f3fa13bacf3f882dc60a92934947c22955d55fc629cce4e51bd32fdeae521
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e36f3fa13bacf3f882dc60a92934947c22955d55fc629cce4e51bd32fdeae521

Threat Level: Known bad

The file 54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 23:14

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 23:14

Reported

2024-05-22 23:17

Platform

win7-20240221-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1352 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2896 wrote to memory of 1040 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3d6effab3d917dc1cf40c7201e95621a
SHA1 bee3829081257cef1936f9f753afe66d2b37dec0
SHA256 7ee4d301b6f54421e2a896e74ee6cf66f010bdebfd250b9376f977ba6aa3945f
SHA512 25c1b4bf0da7389a5acbba5cba77f808a1a540b1160bb75f3b361bed77a1c5518bf43af7f4bb05aeafa1950545a99c7d5cd344f3b5c81140c99307010ba256da

\Windows\SysWOW64\omsecor.exe

MD5 508e1782f3701b19d1af8f0a02f7e31d
SHA1 30f2a84602aeb2959e7ca2ac9c2fc2697859b8d8
SHA256 e3e47b97c94a4b1347e6bc18d99683488628e0c4b6dd5deb319e39cc58ea485e
SHA512 fc9e06b27d67b525f81af3f58386a689fa1bb10db8d782301b5b6bab7fbe5baa4e542a9d12969cbc458b6b951efd07349980f02c099b3c14bc1247533369b515

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 500d26988810f0980c11a16fba1dbb8b
SHA1 b5851fc42761b9c9cff01a8f895d830f99e0ad24
SHA256 cd0d704f086dabee9ee4fc908b6c9bf769d9a42fb9ea66a6eca1a49e31d8b467
SHA512 326f42dec0e42ddf4012e177497107eecd781fff1be7f637a1719122c8c07c443bc1cc882881a62a0cf9f639d7c8b19fa96e2b4c76a013f0536fb3c5486d7e7e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 23:14

Reported

2024-05-22 23:17

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\54d12aa1345027e922e2eb7e2a4d8790_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3d6effab3d917dc1cf40c7201e95621a
SHA1 bee3829081257cef1936f9f753afe66d2b37dec0
SHA256 7ee4d301b6f54421e2a896e74ee6cf66f010bdebfd250b9376f977ba6aa3945f
SHA512 25c1b4bf0da7389a5acbba5cba77f808a1a540b1160bb75f3b361bed77a1c5518bf43af7f4bb05aeafa1950545a99c7d5cd344f3b5c81140c99307010ba256da

C:\Windows\SysWOW64\omsecor.exe

MD5 8118261ba50ea58680bb53b8ffc210b8
SHA1 3792d9097a02dcc0df8ea7402a008f8db16cb193
SHA256 ca9e21177872fb41246ba183c01465a441fc785720ccfdaf23710e91280a1d63
SHA512 2ce0a3c23fa0057a8e53c48b9572f40851ad76a3bef425c2016669ff682ad9ef72443fe053f1f2361c1d46bab5403086fefcaf4b55cc53ffa0d90ccc6967f6d2

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 993864cc9b836a0e43be3ac8c91bae02
SHA1 2428f77944dbc72d0328a945f08ba359c3de94b2
SHA256 cb97c5af2b644a51e358523f0c921a488413744f7c383a75a7776b0e7eed6c70
SHA512 02be59890caf77fa5ac07da0f789008caaf5194b229a6502667b120815854469b277ba348c022cb6be887fa294b032780e80e5c24447d7cbce3f95350c3ab2f0