Malware Analysis Report

2024-11-16 13:01

Sample ID 240522-y1w4qsfb47
Target 47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe
SHA256 655bed67ebd3fe6a9d0a8cac997143f01f6ebb40a3f42cdfe09181ce740f37eb
Tags

neconyd trojan

Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

655bed67ebd3fe6a9d0a8cac997143f01f6ebb40a3f42cdfe09181ce740f37eb

Threat Level: Known bad

The file 47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 20:15

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 20:15

Reported

2024-05-22 20:18

Platform

win7-20240221-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2936 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2936 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2936 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2936 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1744 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1744 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1744 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1744 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2684 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2684 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2684 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2684 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2ae182a5f4d567da02b3331a179dcc43
SHA1 c90989e285c1b380222cd4f2ae3286c2ad83bd8e
SHA256 892f557dd06e717d6c716227f2d4dff327f0b435c0ecf635df6cc14368fd97cd
SHA512 31e53a42fe45290cc0050bb12b14006b92b3b81521eb75b2b4a01d0bee5b1214baaa0ce58f05ac81ff69677a0f05f565a61902ce3af8fa21fe2c7cc8ca44baf4

\Windows\SysWOW64\omsecor.exe

MD5 a756a7ca1a387f50d6109aecc7367f17
SHA1 00a1eba67437f5a2a1f110ee929a14c3ff4f86a5
SHA256 7b4c6ff8b23e9811b28df02284ccb6ecd0a9cc4a02f367be5c78bd8cebb93087
SHA512 118677449513c5ecc87db8475f5412bb7cca08baeca42ad5f96e8140caf8da2d7ca94f1bda41fdbf5b66d8da14c89b0dd7635ab6c0892aa4e3e8775e93f144a5

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 efee2bf31c05b29d121d89f0535ae682
SHA1 055e1520307574276408b54564e58ef18ca2c119
SHA256 40c85ac66d77902ca25d0677d0a62df3eb7efef2fe922e12913efd5669466e6f
SHA512 c2585a85c06432a2c53b0782ac4a6a729a97a0d1680e20b46608901899ac3574efaf470bee49251d3d8b4c03495063bd19091d4df2bf0d262c51080957c28fb3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 20:15

Reported

2024-05-22 20:18

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\47b9c152024d6f6b65cb6a90b99e4750_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
NL | 23.62.61.99:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.111.229.48:443 |  | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2ae182a5f4d567da02b3331a179dcc43
SHA1 c90989e285c1b380222cd4f2ae3286c2ad83bd8e
SHA256 892f557dd06e717d6c716227f2d4dff327f0b435c0ecf635df6cc14368fd97cd
SHA512 31e53a42fe45290cc0050bb12b14006b92b3b81521eb75b2b4a01d0bee5b1214baaa0ce58f05ac81ff69677a0f05f565a61902ce3af8fa21fe2c7cc8ca44baf4

C:\Windows\SysWOW64\omsecor.exe

MD5 0ed815e6adb1c8c83efb6760dc710a23
SHA1 da5b3cc0e57e703400f31a8ef3c518de95aa2a3a
SHA256 3e0f67ef5a957abd8dfdb039cd34b5e0e18cde16ca9823b791653252fba55aef
SHA512 10f5cc491ebdb27993fed5b3272851635d62fb88997bcaed78a7bb5272cb5b0db6c4bb82b461683b62b2e9373f33a12591f089bcaf47a3e445f854771a01184c

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 914ce95050c13f3093f266609f8f7935
SHA1 66fb84a241e9502ea934dc69bc9a228a5d3ff998
SHA256 9d8d8a3ae900aadfde4fe63b58ff37de7c3047cad497152cb2cf84c4fb479735
SHA512 e2f7dd3e2661f2521eca087b0c73c9d992d0a344c2bd06793a888fbaaadece6cd401ec6c6f040628eec6af69f25db19dbf538745a0bc74ef6d67c17ea6eb87c1