Malware Analysis Report

2024-11-16 12:59

Sample ID 240523-azgewsfb92
Target 63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe
SHA256 e68c40371975dd0c13314b7e51ae4a64738a5f77c4ddf9709194cb94b4b6ed85
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e68c40371975dd0c13314b7e51ae4a64738a5f77c4ddf9709194cb94b4b6ed85

Threat Level: Known bad

The file 63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 00:38

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 00:38

Reported

2024-05-23 00:41

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2228 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2228 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2228 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2424 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2424 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2424 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2424 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3004 wrote to memory of 1944 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3004 wrote to memory of 1944 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3004 wrote to memory of 1944 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3004 wrote to memory of 1944 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b8c56e0fdc4837f16918af417eac64b9
SHA1 724db549af5582a3704fa3f9e8dcebc6151503da
SHA256 4c70e245e85212c4c1b5952d97ec84c1df7354a1d69b98911f57feefc08f26d3
SHA512 37aaf2379fe9271ba9a250e28b4ff28efd8f02c8150531e901b8319f4290e6e297db7c85a742cab954b6009a2349e797d8ede05b2657632c6042d727a042658d

\Windows\SysWOW64\omsecor.exe

MD5 fc260a8fef7306b4614b0bd4168e8f17
SHA1 23c37f25cb4dc0db788cb3eb0a251e0bbd05efad
SHA256 ba317091c63cca3c624e274ecee87cae26144d43868d512782fd33f4fb044b46
SHA512 a6fbdec9b8f25810cc35667a02d1f5ec1c72d3c37e3c8445fcdce4a5379730d97236112a78854308db4335d9cb16b1cb3faff02dcec351b282be4e327647f971

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1fbf51b03b55cc679b5f22db8cd6df90
SHA1 a9d6d9e9e59e26dedc35390111c57174fa9cef8d
SHA256 c15fb70b6b50fff98fc89ea4f068e2202aa1cfbf1e0057041e1485278b9ac625
SHA512 b8173d7785626f65b43bfd2ac4066c04643b2728615cdf81daa093f652f982c657df1b1f42e8909797507d7f020e243b4740d0dc6bab1fbcff22f15f24ec8665

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 00:38

Reported

2024-05-23 00:41

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\63b80b78b63f5395cec182e54926d640_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b8c56e0fdc4837f16918af417eac64b9
SHA1 724db549af5582a3704fa3f9e8dcebc6151503da
SHA256 4c70e245e85212c4c1b5952d97ec84c1df7354a1d69b98911f57feefc08f26d3
SHA512 37aaf2379fe9271ba9a250e28b4ff28efd8f02c8150531e901b8319f4290e6e297db7c85a742cab954b6009a2349e797d8ede05b2657632c6042d727a042658d

C:\Windows\SysWOW64\omsecor.exe

MD5 f702a9bd27e5148dd3494d244b951c2e
SHA1 5ceceb82d31403ac83c4d1162f175fcf4d44073e
SHA256 c0449a31ce1dcedeea0a7b03d31ffe090211880d433d7317ee24284fefcf834a
SHA512 3188343ceb6e33fcc43222550114a46d09e393a30c3798bb294c31d43b07f012e2e98ca0291688c32665437bc530303f4006a38660280c75facb35f828257708