Analysis Overview
SHA256
2c7f34d4ce9ac0f9d04fd7bca50d05e15ed62afcd446fba2f4e0cbd9441fb529
Threat Level: Known bad
The file 1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 20:19
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 20:19
Reported
2024-05-22 20:22
Platform
win7-20240221-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5945aa58a7781fed88f3f3e309a7616e |
| SHA1 | 4b8fea6ac67e289ecb1736939916c9b4e7b7512b |
| SHA256 | 294b8d3062ec768e328932a1a29165b7079847e99c49b8be30fdf2e9acbe2f93 |
| SHA512 | 395dc6329aec2913a1ecdeb8727c2cdac364e61f7008685981fda108bd1ff5e219dd3d2e5aa86a7047f4b4a21eb562b84ca77a2f6648fca52633429b14ff5cb2 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 0d13e6e4e8fae14c88467777dce382c1 |
| SHA1 | c626c86bf373130e9e45c581ef1f2479a3f4d094 |
| SHA256 | ab718396d2a583f5cde9e271bb34f0c64a32662a1c788d5104d548bbaf010100 |
| SHA512 | 1a407b7e638ac96a79c93e96d743bcfdecc3c755ac6e9c9a19733ee3a19d82d96ab9b3479fccdaee2457ee9504d26e081ef28e2add7e1c1cbf060d7f466ed7f4 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | f58ed11a8b31b8c6081dbbedfea695ee |
| SHA1 | 61b9f3bd838b13fef9e94fcb92e1f8b3e1963a5a |
| SHA256 | be08e624989c4654866ee32afaf0a32fea161449811fe0dd575d036c31618926 |
| SHA512 | aa16f09c5cebe85d8d96c7c79955cfcff52ea548ecf5dce9edbae65561fdc1999ce94c878db4108fdffc006edd5730a42218f3bccb7634a2296ef80f4004a204 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 20:19
Reported
2024-05-22 20:21
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1b8c29c6b577ac6859a05a89c7c948b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5945aa58a7781fed88f3f3e309a7616e |
| SHA1 | 4b8fea6ac67e289ecb1736939916c9b4e7b7512b |
| SHA256 | 294b8d3062ec768e328932a1a29165b7079847e99c49b8be30fdf2e9acbe2f93 |
| SHA512 | 395dc6329aec2913a1ecdeb8727c2cdac364e61f7008685981fda108bd1ff5e219dd3d2e5aa86a7047f4b4a21eb562b84ca77a2f6648fca52633429b14ff5cb2 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 7da11d87323326f8bd9641d672c40ed0 |
| SHA1 | f49575a93374b5c470a73411421edb132d89fa49 |
| SHA256 | 88dc94d4a6321f2c8c5bef945cb0ae3c37168ef5be5a034892757ccae7d2db74 |
| SHA512 | a538ecfe92fe5be524a0c4238869c8ded1b801058bfc05ca559a41fd48d4b194a20bea10c24031c7b30bb775e4718bdb1610ccc69744e40b116c47c0ba7b2662 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | f0eb037299fab66ec4aa03364bf1fb41 |
| SHA1 | 7ea230d9f4dad9b45d7b4d4686b853137aaf2dbf |
| SHA256 | 802629ce20ecb5a3681813ba7d4f8e1ad7254dd8227ca76edd5040905f79a216 |
| SHA512 | f3c896cb988a7155e17ec00e0438c340b8b03050063fc57676fa2fb3517f8cb50839dce5e3bd980486f72476c045477c845faae9ba6b32137c22bbd504eddb67 |