Analysis Overview
SHA256
e68c40371975dd0c13314b7e51ae4a64738a5f77c4ddf9709194cb94b4b6ed85
Threat Level: Known bad
The file 63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-23 00:38
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 00:38
Reported
2024-05-23 00:41
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b8c56e0fdc4837f16918af417eac64b9 |
| SHA1 | 724db549af5582a3704fa3f9e8dcebc6151503da |
| SHA256 | 4c70e245e85212c4c1b5952d97ec84c1df7354a1d69b98911f57feefc08f26d3 |
| SHA512 | 37aaf2379fe9271ba9a250e28b4ff28efd8f02c8150531e901b8319f4290e6e297db7c85a742cab954b6009a2349e797d8ede05b2657632c6042d727a042658d |
\Windows\SysWOW64\omsecor.exe
| MD5 | fc260a8fef7306b4614b0bd4168e8f17 |
| SHA1 | 23c37f25cb4dc0db788cb3eb0a251e0bbd05efad |
| SHA256 | ba317091c63cca3c624e274ecee87cae26144d43868d512782fd33f4fb044b46 |
| SHA512 | a6fbdec9b8f25810cc35667a02d1f5ec1c72d3c37e3c8445fcdce4a5379730d97236112a78854308db4335d9cb16b1cb3faff02dcec351b282be4e327647f971 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 1fbf51b03b55cc679b5f22db8cd6df90 |
| SHA1 | a9d6d9e9e59e26dedc35390111c57174fa9cef8d |
| SHA256 | c15fb70b6b50fff98fc89ea4f068e2202aa1cfbf1e0057041e1485278b9ac625 |
| SHA512 | b8173d7785626f65b43bfd2ac4066c04643b2728615cdf81daa093f652f982c657df1b1f42e8909797507d7f020e243b4740d0dc6bab1fbcff22f15f24ec8665 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 00:38
Reported
2024-05-23 00:41
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5064 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 5064 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 5064 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1804 wrote to memory of 3904 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1804 wrote to memory of 3904 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1804 wrote to memory of 3904 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b8c56e0fdc4837f16918af417eac64b9 |
| SHA1 | 724db549af5582a3704fa3f9e8dcebc6151503da |
| SHA256 | 4c70e245e85212c4c1b5952d97ec84c1df7354a1d69b98911f57feefc08f26d3 |
| SHA512 | 37aaf2379fe9271ba9a250e28b4ff28efd8f02c8150531e901b8319f4290e6e297db7c85a742cab954b6009a2349e797d8ede05b2657632c6042d727a042658d |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | f702a9bd27e5148dd3494d244b951c2e |
| SHA1 | 5ceceb82d31403ac83c4d1162f175fcf4d44073e |
| SHA256 | c0449a31ce1dcedeea0a7b03d31ffe090211880d433d7317ee24284fefcf834a |
| SHA512 | 3188343ceb6e33fcc43222550114a46d09e393a30c3798bb294c31d43b07f012e2e98ca0291688c32665437bc530303f4006a38660280c75facb35f828257708 |