Malware Analysis Report

2024-11-16 13:01

Sample ID: 240523-c4eg7sba83
Target: 7973d9066da647d82396600d464cf940_NeikiAnalytics.exe
SHA256: 924c1e7c7bcedbaba20271b0f681868103d46999cdacbee6e51b62a7a4fbcd43
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

924c1e7c7bcedbaba20271b0f681868103d46999cdacbee6e51b62a7a4fbcd43

Threat Level: Known bad

The file 7973d9066da647d82396600d464cf940_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 02:37

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 02:37

Reported

2024-05-23 02:40

Platform

win7-20240221-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3008 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical entries)
PID 1796 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe (4 identical entries)
PID 2804 wrote to memory of 1376 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4a203d0ddbf7945012e29cf25792317f
SHA1 65f53e66eb8a0b0586530e6f81b160083f119ee6
SHA256 0d71fa08c5055f45741c0a3b62ab15adca9288fe76e06ff6e7bc692179274dae
SHA512 b01601e1c76716c1708f01ecd958ddb4b87e54852afcb577e4a9bf85d7db0e9275970eb26fe39c65f90a5065d556502841abb5d54b64379ad25f4fea39a86b67

\Windows\SysWOW64\omsecor.exe

MD5 91004a51605d83d59d9d6beea8cbce2c
SHA1 152de0d2eadec3312a96004030debe1ab59e72cd
SHA256 ec9d362e20ac923dd56c94eb3baae8b46eb056d4b6751e07563fa65d18dfc1da
SHA512 58db959c67306fff5a0c07846eb184e2b15f8779836f365b9b13e96fe8837fac6bfef6b7b3798154fe3ad60ca7f393b8e42ef6037546d068ce1713f665dac7cc

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c8d3fb0c4a84e064a73070d7ceae2b51
SHA1 592dae279a6f530d8ecc3b15889fc2fb5fc5d358
SHA256 d80378aa9233b5cacaed31fbabc85919657e0003b2932ef7566ae25d0769a901
SHA512 cc393539df9aeebea7b8888fba01b065cd10cfe269c0810a064f5dbb74a6fec009ade0664e6fd93733c0fec1d3eb0b72b664b50dad87f41d6e91d4529c49d0ee

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 02:37

Reported

2024-05-23 02:40

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
US 52.111.227.14:443 tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4a203d0ddbf7945012e29cf25792317f
SHA1 65f53e66eb8a0b0586530e6f81b160083f119ee6
SHA256 0d71fa08c5055f45741c0a3b62ab15adca9288fe76e06ff6e7bc692179274dae
SHA512 b01601e1c76716c1708f01ecd958ddb4b87e54852afcb577e4a9bf85d7db0e9275970eb26fe39c65f90a5065d556502841abb5d54b64379ad25f4fea39a86b67

C:\Windows\SysWOW64\omsecor.exe

MD5 632ce3d2b6337af28072ec53a280fe9a
SHA1 1475e096a1e8340b7ce03b7385e85dbe891efdef
SHA256 bbdd12dfe7c94dac6ad66c896528d53c4bf1820affc5736b72952810d3efec17
SHA512 a4142cf1e1d10dad90b5d6f31208a72aebb58de66142dcc77692748b8bcbbcd71b471c93b3d5079be44c89630a8f063bd7feb245ff85a6673a3c852a93e0fa31

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 70c1747a73fca8df3540150b215056e7
SHA1 5f262fadef650ccb3211734b75771aebde72b890
SHA256 61a8ae90d4dd70767a3d3b3779ccd1ad11f101cdcb7fe20732707ec166587efe
SHA512 de9402512aae51371ed1c1e672ed87acb835ec5eb667e711d092abdb5cbf666dcb49f9b7dad978f0553bda780e2bd9dc7f25d5ae069ac74c6c0a2a095203d6bd