Analysis Overview
SHA256
9bc93c0c78d2b58b012fea0cf33728f89a2bc3b7f99aafcb2995b967a6cd8fa5
Threat Level: Known bad
The file 3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:11
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:11
Reported
2024-05-22 21:13
Platform
win7-20240508-en
Max time kernel
121s
Max time network
131s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 550199fd3bb06381cf3da54e0d4ddd94 |
| SHA1 | 2b6850274c82bbcd3ff181c1e3c8fea37ebb3ff8 |
| SHA256 | e6560406aec2e765ef327395cbf53d5fb53a5d30bacf77a8b169e94eaecaaa0b |
| SHA512 | 793f0d7a0601bd23d3a0566fe488945ccdb715842743a0c2b05e59e405aa484634410b92d1d4dee984e3819da653046eca28ff672fe310762a94fd697987b4a3 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 69a5a0c21584ced36d96ae8b35940725 |
| SHA1 | 8ff47f597da4fef36df342d03a87143bc938f9be |
| SHA256 | a4736cd599a741581f49fc3f59e9e69881a824598ebdc249b94dac34a3a45d12 |
| SHA512 | 3c42b3087ffafe3488c7b6c7ca392d7a0a9e46f61f0626161d9f2a6d1718b4dd0bd7989251c850db8f94022ce6a7adc2494d3fb5bd09ee5e5974681cfe72effe |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:11
Reported
2024-05-22 21:13
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
138s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3cabff9fdcec881f7e604cc5eef92d20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| NL | 23.62.61.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 96.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 550199fd3bb06381cf3da54e0d4ddd94 |
| SHA1 | 2b6850274c82bbcd3ff181c1e3c8fea37ebb3ff8 |
| SHA256 | e6560406aec2e765ef327395cbf53d5fb53a5d30bacf77a8b169e94eaecaaa0b |
| SHA512 | 793f0d7a0601bd23d3a0566fe488945ccdb715842743a0c2b05e59e405aa484634410b92d1d4dee984e3819da653046eca28ff672fe310762a94fd697987b4a3 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 350381da14860fb34d9dc6e4818b250b |
| SHA1 | 1360386001e7c9bf24660bc911428648c04f4da1 |
| SHA256 | 97cc4af12ab5d6dd32a18c8663372f6b6909051731113fc00247c6c59dec0269 |
| SHA512 | a878e059bafdde13e0a89f7e3c412428491a6b9c0b03bfe23e49c853efca179c551558a594bb937c631def812a9e9ad9eea8d68a95eb33d79816763a90aabe27 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4906ae25b1bd16daf1bcbcd7ee097453 |
| SHA1 | ceee4062b1f4183ce7a2861e3603162505d33cb0 |
| SHA256 | a855e0c6920ce53302f30c90d0a87c763d45f4f0bb0cd9d7806e5038a688febb |
| SHA512 | a9eccff29cea5acb0c83c4f222ff11d375e99abc174e7847ebd12c49d9730180ca0f68ca8cda5b8ae28211bec428313c20d6b2cf4e256921a8e0268b9edf8a15 |