Malware Analysis Report

2024-11-16 13:01

Sample ID 240523-brxmksgf29
Target 6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe
SHA256 393101034ff161f0c2f53114a64bab995f92d522095faef29ba281c920c88521
Tags
upx neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

393101034ff161f0c2f53114a64bab995f92d522095faef29ba281c920c88521

Threat Level: Known bad

The file 6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 01:23

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 01:23

Reported

2024-05-23 01:25

Platform

win7-20240508-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1276 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1276 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1276 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1176 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1176 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1176 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1176 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2152 wrote to memory of 1668 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2152 wrote to memory of 1668 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2152 wrote to memory of 1668 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2152 wrote to memory of 1668 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1276-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 88be7cfa67f782d40bf19595240e2d2c
SHA1 d5dfb84cf19f2c37884418227a5c1362de505f2c
SHA256 7f963ff14affd2eb0ea5cc3f245949bbdf1ee0d8fc1b8702232b9a3f2cacf1df
SHA512 f48fcef3d44bbd58cbcc6b2345c51b5f4e038d99f4f15091693ac53c72c058d41f446882ca953ebdde4fa8afa8b5380ed135e7024bf841dabf0bd55b51c04465

memory/1276-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1176-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1276-10-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1276-8-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1176-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1176-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1176-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1176-24-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 9f8942221136125247d675f919f4ab3b
SHA1 017a65b8066afee82b0b88025d8b25b1d531fc95
SHA256 97295ebc32d9a4a5c640fb322ba8c0a914456e0a2fff91da42d3ce69c2ffa46b
SHA512 682a7f54cf4c3383ae6f39865f03c7eb0d1e9327b1414bcdb6a83f6036f3cbdbf744d788c88342ce33daa489c3d175945fdff5ce162ef979f16f3d94746c6152

memory/1176-28-0x0000000000290000-0x00000000002BD000-memory.dmp

memory/1176-35-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e4d71c5f43daaad2590aafc7d64118e4
SHA1 33e1ccc4afc73d1d09495da774e08da2e3c7a1d5
SHA256 758e25c540967656e9e5e63b646dec3fde118b8cb599bf859caac0ab087fc87f
SHA512 7b3599cb39c68987f5a690dce71a158f5f08408bfa25a0893374ba0a46c1cc914ad3595732fd8321ce54f2a9943397ea534a484a788fa5934a404e66ba8972a9

memory/2152-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1668-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1668-49-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1668-52-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 01:23

Reported

2024-05-23 01:25

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp

Files

memory/4480-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 88be7cfa67f782d40bf19595240e2d2c
SHA1 d5dfb84cf19f2c37884418227a5c1362de505f2c
SHA256 7f963ff14affd2eb0ea5cc3f245949bbdf1ee0d8fc1b8702232b9a3f2cacf1df
SHA512 f48fcef3d44bbd58cbcc6b2345c51b5f4e038d99f4f15091693ac53c72c058d41f446882ca953ebdde4fa8afa8b5380ed135e7024bf841dabf0bd55b51c04465

memory/4032-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4480-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4032-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4032-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4032-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4032-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 66c140e0e2ad020e63e8e102adbbcae6
SHA1 bc8ec7fd571687b4131a10e257caeefdf6696849
SHA256 b152c057da98ef1bfdb1f457f0723ce646b3b073c3a823287a83aa1341ec8070
SHA512 fa64b415a3fa304eb2c4063cd7c837a586171ecbe9e06f755e1a631f6093d0ed4df01c71881065bc3b3c68c532d13ad9e106a9e435a2015eb0042b41c8bb398e

memory/4032-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3308-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3308-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3308-25-0x0000000000400000-0x000000000042D000-memory.dmp