Malware Analysis Report

2024-11-16 13:01

Sample ID 240523-2yecpace56
Target 9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe
SHA256 0df56488de92f29591bd70f0b582a6990faaf1e7709d16e82cdef40825bdc858
Tags: upx neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

0df56488de92f29591bd70f0b582a6990faaf1e7709d16e82cdef40825bdc858

Threat Level: Known bad

The file 9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 22:59

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 22:59

Reported

2024-05-23 23:01

Platform

win7-20231129-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2232 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2232 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2232 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2232 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2992 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2992 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2992 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2992 wrote to memory of 1968 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1968 wrote to memory of 1548 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1968 wrote to memory of 1548 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1968 wrote to memory of 1548 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1968 wrote to memory of 1548 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2232-1-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 cdbce4523e9cb217f20dbec45fb29d16
SHA1 1b1e2bd508854fc89d2da255cfe47a6355a48525
SHA256 ee370d0bc9369f2fb433cdba4dcdf075af80d3087e051c9762902f9709c7ef86
SHA512 462ccc622de2948fbfc4f42041019bf676e0bb709b60b18906658f0656d38703cc58a5212d093000796a9f8dadca2c29466e1f2b19ce79fec60b1b36533d0a3e

memory/2232-4-0x00000000003C0000-0x00000000003ED000-memory.dmp

memory/2232-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2992-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2992-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2992-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2992-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2992-23-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 475b4aacfe329a40a616756c1fede027
SHA1 164dd80a0acb4b961f6689afe639133b7de296d9
SHA256 77c5a83a755880333d64d4f8c6bed3d59496bbb0f71f4334ea3ec1cdaa7d95ad
SHA512 61801b452e259b7c0b3604340fa39edb3ed8841b0ac8098a2477244741b393ebbe4ff130370e9579fd5025c500a511d4ff31c755cef7267e034010d1cf755c0f

memory/2992-26-0x0000000000390000-0x00000000003BD000-memory.dmp

memory/2992-33-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1968-37-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 22849188d47027aacdadd599d5e86141
SHA1 13076446d2499188dee464efa94030b344cc1f52
SHA256 40c4be542f6cc232e4665f6fe0af68d6adf5d5fcd344c242c64a30c76ec785b7
SHA512 71282f00c69f76a535b9b8392b2f9fe668be8d03b0dc8f794cba591629ba37119b8a84c2772e5f9fcd4ddca960a0af008eb7d12ac88b45d3ed643f3c64713676

memory/1548-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1548-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1548-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 22:59

Reported

2024-05-23 23:01

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9ed5dde655f915c829c5316d33f3b8f0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 24.125.209.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 113.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 13.73.50.20.in-addr.arpa udp

Files

memory/4940-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 cdbce4523e9cb217f20dbec45fb29d16
SHA1 1b1e2bd508854fc89d2da255cfe47a6355a48525
SHA256 ee370d0bc9369f2fb433cdba4dcdf075af80d3087e051c9762902f9709c7ef86
SHA512 462ccc622de2948fbfc4f42041019bf676e0bb709b60b18906658f0656d38703cc58a5212d093000796a9f8dadca2c29466e1f2b19ce79fec60b1b36533d0a3e

memory/4940-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4832-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4832-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4832-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4832-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4832-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4832-20-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 78f1de2dbdfd90691978cdcec9faf675
SHA1 ce490330fd7619d444cf451441f5874254da2206
SHA256 49472ce9eed544890c17c61c13ca6423ff99f65a4cecfd0a8a614c5ed297ae87
SHA512 8bfe71b9208f7f8d8ec6ffe5c22f81d6aa1f4aba8e1f7ddd3a57930bf65e4d665e8a3b76009e4a68f3a254bdfb788bb88eb4441d3d698060c25a59477d131971

memory/2108-21-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f65e94b2edfdf0d4b46bebd69ff61227
SHA1 b02e08e0f23cff65eef1002d5604c8803aacdfea
SHA256 cd30822a47fcd1494ab3e5d3ee1545b44465e67274fdb1821731dbc3b9727ce3
SHA512 068ce891da76cb92379e04ff4d9b958b2d1d78d0384d1c3ac5ea471ee75b74b0bdc4ff463917535eae7729b4a41fb5cd5079f4adc4acf13e0f7283c9d70a5757

memory/2108-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4428-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4428-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4428-33-0x0000000000400000-0x000000000042D000-memory.dmp