Analysis Overview
SHA256
327fdaee5209f50e7612cc936993700416eb241d3a2888d2746bd9ff86180d10
Threat Level: Known bad
The file 16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 03:48
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 03:48
Reported
2024-05-22 03:51
Platform
win7-20240220-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 2ae8c8f771932553f9a2a2c5807cdbb5 |
| SHA1 | 1b91bfe2d79ef26dd7e85b309b55264a879552da |
| SHA256 | e2d1accf00e0f48979f3dc397f4aee24ab91df28b227f7d81f58f5b546e3f254 |
| SHA512 | 410a6cda90cec47bfdf792e5a1723da6f0d9597961bac4450ee83efcc6eb3de438a33f9d28e3e1f18f71dd1fc8ac14356b889b6f3f9e3c9c2b760f4abf76bd85 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 350f3df642fa3386390d7f4678365ced |
| SHA1 | 29937231280a0f9adfba0010b73bbb8462ee0762 |
| SHA256 | a3118d3839a332e1e8e94273e5b48467fc77bbd6d6fd0450c6d9e3bd843493f9 |
| SHA512 | 76f0e6c2647ed82f5da4166935d4516e3e42b92b62ca085e97414af2fe6365e9b592f7aebe533d336bf144dfed4569575f42567229c6910d37b9bc643fe6310f |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | cfdb22f056da184f81c773b0581a1e73 |
| SHA1 | c28f2c9956b99a0d8895a4882535134e1cd5cf6b |
| SHA256 | 5fa6628e46644bfaaf59799ac602d240fdadf34e804e9fc12b0ef472762e9725 |
| SHA512 | 35b98d60f85065eb693b87e02726792758c5a95429e5e2baedf89a4e81681d82c4bff8ba89471394f29554c9c4b13d0f776c69c4b69b8e781489c43fcd1d3443 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 03:48
Reported
2024-05-22 03:51
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\16ea67cd322a3192fba2492d5a681b50_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 2ae8c8f771932553f9a2a2c5807cdbb5 |
| SHA1 | 1b91bfe2d79ef26dd7e85b309b55264a879552da |
| SHA256 | e2d1accf00e0f48979f3dc397f4aee24ab91df28b227f7d81f58f5b546e3f254 |
| SHA512 | 410a6cda90cec47bfdf792e5a1723da6f0d9597961bac4450ee83efcc6eb3de438a33f9d28e3e1f18f71dd1fc8ac14356b889b6f3f9e3c9c2b760f4abf76bd85 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 9ba4e839e154ea8e530b2f63d3d05579 |
| SHA1 | 383eb8b6d731a57dad577159f2b486f9a02d65c8 |
| SHA256 | dc6fb781e59bae2f49fe7db4312af5ca443b37fbef0032cc72d1a6215d6a33f4 |
| SHA512 | c9bab727d7414048eadffb60e2b17fd6d72b198529e3451e6030da48ee03977d4aac04ef351d9343082383ccb5148cae2995b5f1ac31e8f5cd767a9a0cb25845 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | b7bf4f3a1274384cf43f56a36a90d1ba |
| SHA1 | 0d67c9de69241056a0f404226ab0d9258f64f60e |
| SHA256 | d16bbbbe1a8e54988e6a489b43230ad52852a728992373806061e595e687b516 |
| SHA512 | 6b2799632ac00267ed7916762fff1c080992d60eabac186757e630d49f06b37d3ae04b926a14b5a7b817836cbe2f8fb4cdc3d1ecb7cce74ab176c616739874b2 |