Malware Analysis Report

2024-11-16 13:01

Sample ID: 240522-2jfl7sbe8v
Target: 4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe
SHA256: 366d37bb62332ade639e36198850a3cb0598115fb45fb602c4707066d5021cd2
Tags: neconyd trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 366d37bb62332ade639e36198850a3cb0598115fb45fb602c4707066d5021cd2

Threat Level: Known bad

The file 4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-22 22:36

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-22 22:36

Reported: 2024-05-22 22:39

Platform: win7-20240221-en

Max time kernel: 147s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1688 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1688 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1688 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2224 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2224 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2224 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2224 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1216 wrote to memory of 2684 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1216 wrote to memory of 2684 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1216 wrote to memory of 2684 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1216 wrote to memory of 2684 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4d0c3350d3d40ef785d20f1adf1f919e
SHA1 bcdd56193b9db85253df8dd421a2fd34c8687d72
SHA256 7a1da6cf5194750c3d16d87238493ab4675db6cff194d5fb9c76451c39da2f8f
SHA512 ffb5a4313882f7161d166cafb76193b07658b3e63635753d57d5fb50f9af8d49aa592c6b0cb510381fdbe54b8bc2590ad58a99ab2fbc6e3fdea05123f121bfaf

\Windows\SysWOW64\omsecor.exe

MD5 8460946f8b808d4ceaeb38b926eb81bb
SHA1 56457330fb8e25c8a3fe564f4dd4f2811ea97703
SHA256 ff2582b2d9f511c1fcf844a12fc4e32bc4531d9bcbd462df703c94a8dbfce0dd
SHA512 5311a14540d4201f164c249c6037433b3f2651bcfd915eb427ce6c2c67447257d02718ee709b144a9a38a92fbe3c5c7d5829c4b86c23e12e2b0335ce41acd67e

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b43c5286aed93642901c2b218c5e8609
SHA1 c449d9a1f04ca6b0c3dce34546b2426668751eba
SHA256 f13a1495f0feaa06634a94f0168c3004b3294867b8a8ed6b707c813c19485235
SHA512 0230845e1467830aae26e2f5faea9933db763bebbcfae015723070a34ffe351935458f6b8b36c03d33f9b7e01e4900b4b81eedab4c291ecb081233542db9580e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-22 22:36

Reported: 2024-05-22 22:39

Platform: win10v2004-20240508-en

Max time kernel: 147s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4db0117ad8cfc5fd64f7d4272f420da0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4d0c3350d3d40ef785d20f1adf1f919e
SHA1 bcdd56193b9db85253df8dd421a2fd34c8687d72
SHA256 7a1da6cf5194750c3d16d87238493ab4675db6cff194d5fb9c76451c39da2f8f
SHA512 ffb5a4313882f7161d166cafb76193b07658b3e63635753d57d5fb50f9af8d49aa592c6b0cb510381fdbe54b8bc2590ad58a99ab2fbc6e3fdea05123f121bfaf

C:\Windows\SysWOW64\omsecor.exe

MD5 249fe9d80fab000d2a885eaabaebecae
SHA1 434415ba5959d5e234a636ea96bba3d81232dabe
SHA256 e7973b783f04bd5b2b17d686d5e57dbb8aa340f37c0a2a9062853c5efed8e40f
SHA512 b0cb2dfababd330c88bca3124d4574cc98cdee5a74cea09d37abb88ac4c0c944957ae98583df81cc9fd75ca7f401603e6d170c643e4a1519dff923f4ccdaad60

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 03aa5772be862c14f0ab990321826cb5
SHA1 10409db562f031d261365030eedf4c26ef494a3a
SHA256 895f6fd5f4a6b180e7785b55e0b6ab26298c72906cd7d4a9f133189c74823519
SHA512 e57877ca2c303af13f788d8dca6b1b333cd85ced15d5c15f386a4505bb3238edd3901e4d9374102c36c6655a46265c7ae37d433654c751e691ea9dac0628e2d5