Analysis Overview
SHA256
366d37bb62332ade639e36198850a3cb0598115fb45fb602c4707066d5021cd2
Threat Level: Known bad
The file 4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 22:36
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 22:36
Reported
2024-05-22 22:39
Platform
win7-20240221-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4d0c3350d3d40ef785d20f1adf1f919e |
| SHA1 | bcdd56193b9db85253df8dd421a2fd34c8687d72 |
| SHA256 | 7a1da6cf5194750c3d16d87238493ab4675db6cff194d5fb9c76451c39da2f8f |
| SHA512 | ffb5a4313882f7161d166cafb76193b07658b3e63635753d57d5fb50f9af8d49aa592c6b0cb510381fdbe54b8bc2590ad58a99ab2fbc6e3fdea05123f121bfaf |
\Windows\SysWOW64\omsecor.exe
| MD5 | 8460946f8b808d4ceaeb38b926eb81bb |
| SHA1 | 56457330fb8e25c8a3fe564f4dd4f2811ea97703 |
| SHA256 | ff2582b2d9f511c1fcf844a12fc4e32bc4531d9bcbd462df703c94a8dbfce0dd |
| SHA512 | 5311a14540d4201f164c249c6037433b3f2651bcfd915eb427ce6c2c67447257d02718ee709b144a9a38a92fbe3c5c7d5829c4b86c23e12e2b0335ce41acd67e |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b43c5286aed93642901c2b218c5e8609 |
| SHA1 | c449d9a1f04ca6b0c3dce34546b2426668751eba |
| SHA256 | f13a1495f0feaa06634a94f0168c3004b3294867b8a8ed6b707c813c19485235 |
| SHA512 | 0230845e1467830aae26e2f5faea9933db763bebbcfae015723070a34ffe351935458f6b8b36c03d33f9b7e01e4900b4b81eedab4c291ecb081233542db9580e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 22:36
Reported
2024-05-22 22:39
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4d0c3350d3d40ef785d20f1adf1f919e |
| SHA1 | bcdd56193b9db85253df8dd421a2fd34c8687d72 |
| SHA256 | 7a1da6cf5194750c3d16d87238493ab4675db6cff194d5fb9c76451c39da2f8f |
| SHA512 | ffb5a4313882f7161d166cafb76193b07658b3e63635753d57d5fb50f9af8d49aa592c6b0cb510381fdbe54b8bc2590ad58a99ab2fbc6e3fdea05123f121bfaf |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 249fe9d80fab000d2a885eaabaebecae |
| SHA1 | 434415ba5959d5e234a636ea96bba3d81232dabe |
| SHA256 | e7973b783f04bd5b2b17d686d5e57dbb8aa340f37c0a2a9062853c5efed8e40f |
| SHA512 | b0cb2dfababd330c88bca3124d4574cc98cdee5a74cea09d37abb88ac4c0c944957ae98583df81cc9fd75ca7f401603e6d170c643e4a1519dff923f4ccdaad60 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 03aa5772be862c14f0ab990321826cb5 |
| SHA1 | 10409db562f031d261365030eedf4c26ef494a3a |
| SHA256 | 895f6fd5f4a6b180e7785b55e0b6ab26298c72906cd7d4a9f133189c74823519 |
| SHA512 | e57877ca2c303af13f788d8dca6b1b333cd85ced15d5c15f386a4505bb3238edd3901e4d9374102c36c6655a46265c7ae37d433654c751e691ea9dac0628e2d5 |