Malware Analysis Report

2024-11-16 13:01

Sample ID 240522-z1m2hagg8z
Target 3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe
SHA256 9bc93c0c78d2b58b012fea0cf33728f89a2bc3b7f99aafcb2995b967a6cd8fa5
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bc93c0c78d2b58b012fea0cf33728f89a2bc3b7f99aafcb2995b967a6cd8fa5

Threat Level: Known bad

The file 3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 21:11

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 21:11

Reported

2024-05-22 21:13

Platform

win7-20240508-en

Max time kernel

121s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Note: the image path is recorded as C:\Windows\SysWOW64\omsecor.exe while the command line names C:\Windows\System32\omsecor.exe. Both refer to the same file: the dropped executable runs under WOW64 (32-bit), so file-system redirection maps its System32 writes and launches onto SysWOW64. This is also why the "Drops file in System32 directory" signature fires on a SysWOW64 path. Hunt for both spellings.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 550199fd3bb06381cf3da54e0d4ddd94
SHA1 2b6850274c82bbcd3ff181c1e3c8fea37ebb3ff8
SHA256 e6560406aec2e765ef327395cbf53d5fb53a5d30bacf77a8b169e94eaecaaa0b
SHA512 793f0d7a0601bd23d3a0566fe488945ccdb715842743a0c2b05e59e405aa484634410b92d1d4dee984e3819da653046eca28ff672fe310762a94fd697987b4a3

\Windows\SysWOW64\omsecor.exe

MD5 69a5a0c21584ced36d96ae8b35940725
SHA1 8ff47f597da4fef36df342d03a87143bc938f9be
SHA256 a4736cd599a741581f49fc3f59e9e69881a824598ebdc249b94dac34a3a45d12
SHA512 3c42b3087ffafe3488c7b6c7ca392d7a0a9e46f61f0626161d9f2a6d1718b4dd0bd7989251c850db8f94022ce6a7adc2494d3fb5bd09ee5e5974681cfe72effe

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 21:11

Reported

2024-05-22 21:13

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
NL 23.62.61.96:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.96:443 www.bing.com tcp
US 8.8.8.8:53 96.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
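The network tables above list every flow the sandbox observed, including DNS lookups sent to the sandbox resolver and the Windows 10 image's own Bing and reverse-DNS traffic, none of which is attributable to the sample. The Python script below is an added example, not part of the original report, that parses rows in this table's "Country Destination Domain Proto" format and reduces them to the domains and endpoints the sample itself contacted. The benign-suffix list and the resolver address are assumptions for this sandbox image and should be adjusted per environment; the sample rows are copied from the behavioral2 table.

```python
"""Reduce a sandbox report's flattened network table to the IOCs that
belong to the sample, dropping resolver queries and sandbox-image noise."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: rows copied from the behavioral2 network table above
# (a subset is enough to exercise the filtering).
REPORT_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
NL 23.62.61.96:443 www.bing.com tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
"""

# Assumption: hosts the Windows 10 sandbox image contacts on its own and
# reverse-DNS lookups the sandbox performs; extend per environment.
BENIGN_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
# Assumption: the sandbox's upstream resolver. A flow to it on port 53 is
# a lookup, not a C2 endpoint, but the queried name is still an IOC.
RESOLVERS = {"8.8.8.8"}


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


ROW_RE = re.compile(r"^(\w{2})\s+(\S+):(\d+)\s+(\S+)\s+(tcp|udp)$")


def parse_rows(text):
    """Parse every well-formed data row; the header and garbage are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def is_resolver_query(flow):
    return flow.ip in RESOLVERS and flow.port == 53


def extract_iocs(text):
    """Return the sample's domains and the (ip, port, proto) endpoints it
    connected to, excluding sandbox noise and resolver lookups."""
    domains, endpoints = set(), set()
    for f in parse_rows(text):
        if f.domain.endswith(BENIGN_SUFFIXES):
            continue
        domains.add(f.domain)
        if not is_resolver_query(f):
            endpoints.add((f.ip, f.port, f.proto))
    return {"domains": domains, "endpoints": endpoints}


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_ROWS)
    for d in sorted(iocs["domains"]):
        print("domain", d)
    for ip, port, proto in sorted(iocs["endpoints"]):
        print("endpoint", f"{ip}:{port}/{proto}")
```

Domains are kept even when only a lookup was seen, since a name the sample resolves but never connects to (a sinkholed or dead C2) is still worth blocking; only the resolver itself is excluded from the endpoint set.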

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 550199fd3bb06381cf3da54e0d4ddd94
SHA1 2b6850274c82bbcd3ff181c1e3c8fea37ebb3ff8
SHA256 e6560406aec2e765ef327395cbf53d5fb53a5d30bacf77a8b169e94eaecaaa0b
SHA512 793f0d7a0601bd23d3a0566fe488945ccdb715842743a0c2b05e59e405aa484634410b92d1d4dee984e3819da653046eca28ff672fe310762a94fd697987b4a3

C:\Windows\SysWOW64\omsecor.exe

MD5 350381da14860fb34d9dc6e4818b250b
SHA1 1360386001e7c9bf24660bc911428648c04f4da1
SHA256 97cc4af12ab5d6dd32a18c8663372f6b6909051731113fc00247c6c59dec0269
SHA512 a878e059bafdde13e0a89f7e3c412428491a6b9c0b03bfe23e49c853efca179c551558a594bb937c631def812a9e9ad9eea8d68a95eb33d79816763a90aabe27

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4906ae25b1bd16daf1bcbcd7ee097453
SHA1 ceee4062b1f4183ce7a2861e3603162505d33cb0
SHA256 a855e0c6920ce53302f30c90d0a87c763d45f4f0bb0cd9d7806e5038a688febb
SHA512 a9eccff29cea5acb0c83c4f222ff11d375e99abc174e7847ebd12c49d9730180ca0f68ca8cda5b8ae28211bec428313c20d6b2cf4e256921a8e0268b9edf8a15
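The dropped-file hashes and paths in the Files and Processes sections are the host indicators to hunt for. The script below is an added example, not part of the report, that matches endpoint telemetry against them. It folds the WOW64 System32/SysWOW64 spelling and the user profile name into one canonical path so that both forms the report shows are caught, and it includes a digest helper for verifying a retrieved copy of omsecor.exe against the four hashes listed. The event records and host names are constructed for illustration, and the assumption that the sample is 32-bit follows from the SysWOW64 paths in the report.

```python
"""Hunt constructed endpoint events for the report's host IOCs, treating
System32 and SysWOW64 as one location for this 32-bit sample."""
import hashlib
from dataclasses import dataclass

# Indicators copied from the Files sections of behavioral1 and behavioral2.
DROPPED_SHA256 = {
    "e6560406aec2e765ef327395cbf53d5fb53a5d30bacf77a8b169e94eaecaaa0b",
    "a4736cd599a741581f49fc3f59e9e69881a824598ebdc249b94dac34a3a45d12",
    "97cc4af12ab5d6dd32a18c8663372f6b6909051731113fc00247c6c59dec0269",
    "a855e0c6920ce53302f30c90d0a87c763d45f4f0bb0cd9d7806e5038a688febb",
}
# Paths from the Processes / "Drops file" sections, already canonical
# (lower-case, profile name wildcarded, SysWOW64 spelling).
DROPPED_PATHS = {
    r"c:\users\*\appdata\roaming\omsecor.exe",
    r"c:\windows\syswow64\omsecor.exe",
    r"c:\windows\syswow64\merocz.xc6",
}


@dataclass
class Event:
    host: str
    kind: str        # "process" (image load) or "file" (create/modify)
    path: str
    sha256: str = ""  # empty when the telemetry source did not hash it


def canonical(path):
    """Normalize a Windows path for comparison with DROPPED_PATHS."""
    p = path.lower().replace("/", "\\")
    parts = p.split("\\")
    # c:\users\<name>\... -> c:\users\*\... so any profile matches
    if len(parts) > 2 and parts[0] == "c:" and parts[1] == "users":
        parts[2] = "*"
    p = "\\".join(parts)
    # WOW64 file-system redirection: a 32-bit process that targets
    # System32 actually lands in SysWOW64, which is why the report shows
    # both spellings for the same file. Assumption: the sample is 32-bit.
    return p.replace("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def match(event):
    """Return the list of indicator types the event matches (may be empty)."""
    reasons = []
    if canonical(event.path) in DROPPED_PATHS:
        reasons.append("path")
    if event.sha256 and event.sha256.lower() in DROPPED_SHA256:
        reasons.append("sha256")
    return reasons


def hunt(events):
    """Map (host, path) to the reasons it matched, for every hit."""
    hits = {}
    for e in events:
        reasons = match(e)
        if reasons:
            hits[(e.host, e.path)] = reasons
    return hits


def digests(data):
    """Compute the four digests the report lists, for comparing a
    quarantined copy of a dropped file against the Files section."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


# Constructed telemetry: hosts, paths and the placeholder hashes are invented.
SAMPLE_EVENTS = [
    Event("ws01", "process", r"C:\Users\alice\AppData\Roaming\omsecor.exe",
          "e6560406aec2e765ef327395cbf53d5fb53a5d30bacf77a8b169e94eaecaaa0b"),
    Event("ws01", "process", r"C:\Windows\System32\omsecor.exe",
          "0" * 64),                      # path hit, unknown build
    Event("ws02", "file", r"C:\Windows\SysWOW64\merocz.xc6"),
    Event("ws03", "process", r"C:\Windows\System32\svchost.exe", "1" * 64),
]

if __name__ == "__main__":
    for (host, path), reasons in hunt(SAMPLE_EVENTS).items():
        print(host, path, "->", ", ".join(reasons))
```

A path-only hit on a SysWOW64 omsecor.exe whose hash is not in the list still warrants triage: the two sandbox runs produced different SysWOW64 copies (97cc4af1... and a4736cd5...), so the persisted binary is not byte-stable across infections and hash matching alone will miss it.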