Analysis Overview
SHA256
655bed67ebd3fe6a9d0a8cac997143f01f6ebb40a3f42cdfe09181ce740f37eb
Threat Level: Known bad
The file 47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 20:15
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 20:15
Reported
2024-05-22 20:18
Platform
win7-20240221-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2ae182a5f4d567da02b3331a179dcc43 |
| SHA1 | c90989e285c1b380222cd4f2ae3286c2ad83bd8e |
| SHA256 | 892f557dd06e717d6c716227f2d4dff327f0b435c0ecf635df6cc14368fd97cd |
| SHA512 | 31e53a42fe45290cc0050bb12b14006b92b3b81521eb75b2b4a01d0bee5b1214baaa0ce58f05ac81ff69677a0f05f565a61902ce3af8fa21fe2c7cc8ca44baf4 |
\Windows\SysWOW64\omsecor.exe
| MD5 | a756a7ca1a387f50d6109aecc7367f17 |
| SHA1 | 00a1eba67437f5a2a1f110ee929a14c3ff4f86a5 |
| SHA256 | 7b4c6ff8b23e9811b28df02284ccb6ecd0a9cc4a02f367be5c78bd8cebb93087 |
| SHA512 | 118677449513c5ecc87db8475f5412bb7cca08baeca42ad5f96e8140caf8da2d7ca94f1bda41fdbf5b66d8da14c89b0dd7635ab6c0892aa4e3e8775e93f144a5 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | efee2bf31c05b29d121d89f0535ae682 |
| SHA1 | 055e1520307574276408b54564e58ef18ca2c119 |
| SHA256 | 40c85ac66d77902ca25d0677d0a62df3eb7efef2fe922e12913efd5669466e6f |
| SHA512 | c2585a85c06432a2c53b0782ac4a6a729a97a0d1680e20b46608901899ac3574efaf470bee49251d3d8b4c03495063bd19091d4df2bf0d262c51080957c28fb3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 20:15
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.111.229.48:443 | N/A | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2ae182a5f4d567da02b3331a179dcc43 |
| SHA1 | c90989e285c1b380222cd4f2ae3286c2ad83bd8e |
| SHA256 | 892f557dd06e717d6c716227f2d4dff327f0b435c0ecf635df6cc14368fd97cd |
| SHA512 | 31e53a42fe45290cc0050bb12b14006b92b3b81521eb75b2b4a01d0bee5b1214baaa0ce58f05ac81ff69677a0f05f565a61902ce3af8fa21fe2c7cc8ca44baf4 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 0ed815e6adb1c8c83efb6760dc710a23 |
| SHA1 | da5b3cc0e57e703400f31a8ef3c518de95aa2a3a |
| SHA256 | 3e0f67ef5a957abd8dfdb039cd34b5e0e18cde16ca9823b791653252fba55aef |
| SHA512 | 10f5cc491ebdb27993fed5b3272851635d62fb88997bcaed78a7bb5272cb5b0db6c4bb82b461683b62b2e9373f33a12591f089bcaf47a3e445f854771a01184c |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 914ce95050c13f3093f266609f8f7935 |
| SHA1 | 66fb84a241e9502ea934dc69bc9a228a5d3ff998 |
| SHA256 | 9d8d8a3ae900aadfde4fe63b58ff37de7c3047cad497152cb2cf84c4fb479735 |
| SHA512 | e2f7dd3e2661f2521eca087b0c73c9d992d0a344c2bd06793a888fbaaadece6cd401ec6c6f040628eec6af69f25db19dbf538745a0bc74ef6d67c17ea6eb87c1 |