Analysis Overview
SHA256
393101034ff161f0c2f53114a64bab995f92d522095faef29ba281c920c88521
Threat Level: Known bad
The file 6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-23 01:23
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 01:23
Reported
2024-05-23 01:25
Platform
win7-20240508-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/1276-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 88be7cfa67f782d40bf19595240e2d2c |
| SHA1 | d5dfb84cf19f2c37884418227a5c1362de505f2c |
| SHA256 | 7f963ff14affd2eb0ea5cc3f245949bbdf1ee0d8fc1b8702232b9a3f2cacf1df |
| SHA512 | f48fcef3d44bbd58cbcc6b2345c51b5f4e038d99f4f15091693ac53c72c058d41f446882ca953ebdde4fa8afa8b5380ed135e7024bf841dabf0bd55b51c04465 |
memory/1276-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1176-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1276-10-0x0000000000220000-0x000000000024D000-memory.dmp
memory/1276-8-0x0000000000220000-0x000000000024D000-memory.dmp
memory/1176-15-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1176-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1176-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1176-24-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 9f8942221136125247d675f919f4ab3b |
| SHA1 | 017a65b8066afee82b0b88025d8b25b1d531fc95 |
| SHA256 | 97295ebc32d9a4a5c640fb322ba8c0a914456e0a2fff91da42d3ce69c2ffa46b |
| SHA512 | 682a7f54cf4c3383ae6f39865f03c7eb0d1e9327b1414bcdb6a83f6036f3cbdbf744d788c88342ce33daa489c3d175945fdff5ce162ef979f16f3d94746c6152 |
memory/1176-28-0x0000000000290000-0x00000000002BD000-memory.dmp
memory/1176-35-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e4d71c5f43daaad2590aafc7d64118e4 |
| SHA1 | 33e1ccc4afc73d1d09495da774e08da2e3c7a1d5 |
| SHA256 | 758e25c540967656e9e5e63b646dec3fde118b8cb599bf859caac0ab087fc87f |
| SHA512 | 7b3599cb39c68987f5a690dce71a158f5f08408bfa25a0893374ba0a46c1cc914ad3595732fd8321ce54f2a9943397ea534a484a788fa5934a404e66ba8972a9 |
memory/2152-45-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1668-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1668-49-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1668-52-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 01:23
Reported
2024-05-23 01:25
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4480 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4480 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4480 wrote to memory of 4032 | N/A | C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4032 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4032 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4032 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6c6d3dd62bef9a84fc4f9ca040d8cd50_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
Files
memory/4480-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 88be7cfa67f782d40bf19595240e2d2c |
| SHA1 | d5dfb84cf19f2c37884418227a5c1362de505f2c |
| SHA256 | 7f963ff14affd2eb0ea5cc3f245949bbdf1ee0d8fc1b8702232b9a3f2cacf1df |
| SHA512 | f48fcef3d44bbd58cbcc6b2345c51b5f4e038d99f4f15091693ac53c72c058d41f446882ca953ebdde4fa8afa8b5380ed135e7024bf841dabf0bd55b51c04465 |
memory/4032-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4480-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4032-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4032-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4032-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4032-15-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 66c140e0e2ad020e63e8e102adbbcae6 |
| SHA1 | bc8ec7fd571687b4131a10e257caeefdf6696849 |
| SHA256 | b152c057da98ef1bfdb1f457f0723ce646b3b073c3a823287a83aa1341ec8070 |
| SHA512 | fa64b415a3fa304eb2c4063cd7c837a586171ecbe9e06f755e1a631f6093d0ed4df01c71881065bc3b3c68c532d13ad9e106a9e435a2015eb0042b41c8bb398e |
memory/4032-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3308-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3308-22-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3308-25-0x0000000000400000-0x000000000042D000-memory.dmp