Malware Analysis Report

2024-11-16 13:01

Sample ID 240522-y31vpsfc36
Target 1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe
SHA256 2c7f34d4ce9ac0f9d04fd7bca50d05e15ed62afcd446fba2f4e0cbd9441fb529
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c7f34d4ce9ac0f9d04fd7bca50d05e15ed62afcd446fba2f4e0cbd9441fb529

Threat Level: Known bad

The file 1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 20:19

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 20:19

Reported

2024-05-22 20:22

Platform

win7-20240221-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1500 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1500 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1500 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1500 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2888 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2888 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2888 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2888 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 928 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 928 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 928 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 928 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5945aa58a7781fed88f3f3e309a7616e
SHA1 4b8fea6ac67e289ecb1736939916c9b4e7b7512b
SHA256 294b8d3062ec768e328932a1a29165b7079847e99c49b8be30fdf2e9acbe2f93
SHA512 395dc6329aec2913a1ecdeb8727c2cdac364e61f7008685981fda108bd1ff5e219dd3d2e5aa86a7047f4b4a21eb562b84ca77a2f6648fca52633429b14ff5cb2

\Windows\SysWOW64\omsecor.exe

MD5 0d13e6e4e8fae14c88467777dce382c1
SHA1 c626c86bf373130e9e45c581ef1f2479a3f4d094
SHA256 ab718396d2a583f5cde9e271bb34f0c64a32662a1c788d5104d548bbaf010100
SHA512 1a407b7e638ac96a79c93e96d743bcfdecc3c755ac6e9c9a19733ee3a19d82d96ab9b3479fccdaee2457ee9504d26e081ef28e2add7e1c1cbf060d7f466ed7f4

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f58ed11a8b31b8c6081dbbedfea695ee
SHA1 61b9f3bd838b13fef9e94fcb92e1f8b3e1963a5a
SHA256 be08e624989c4654866ee32afaf0a32fea161449811fe0dd575d036c31618926
SHA512 aa16f09c5cebe85d8d96c7c79955cfcff52ea548ecf5dce9edbae65561fdc1999ce94c878db4108fdffc006edd5730a42218f3bccb7634a2296ef80f4004a204

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 20:19

Reported

2024-05-22 20:21

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5945aa58a7781fed88f3f3e309a7616e
SHA1 4b8fea6ac67e289ecb1736939916c9b4e7b7512b
SHA256 294b8d3062ec768e328932a1a29165b7079847e99c49b8be30fdf2e9acbe2f93
SHA512 395dc6329aec2913a1ecdeb8727c2cdac364e61f7008685981fda108bd1ff5e219dd3d2e5aa86a7047f4b4a21eb562b84ca77a2f6648fca52633429b14ff5cb2

C:\Windows\SysWOW64\omsecor.exe

MD5 7da11d87323326f8bd9641d672c40ed0
SHA1 f49575a93374b5c470a73411421edb132d89fa49
SHA256 88dc94d4a6321f2c8c5bef945cb0ae3c37168ef5be5a034892757ccae7d2db74
SHA512 a538ecfe92fe5be524a0c4238869c8ded1b801058bfc05ca559a41fd48d4b194a20bea10c24031c7b30bb775e4718bdb1610ccc69744e40b116c47c0ba7b2662

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f0eb037299fab66ec4aa03364bf1fb41
SHA1 7ea230d9f4dad9b45d7b4d4686b853137aaf2dbf
SHA256 802629ce20ecb5a3681813ba7d4f8e1ad7254dd8227ca76edd5040905f79a216
SHA512 f3c896cb988a7155e17ec00e0438c340b8b03050063fc57676fa2fb3517f8cb50839dce5e3bd980486f72476c045477c845faae9ba6b32137c22bbd504eddb67