Analysis Overview
SHA256
924c1e7c7bcedbaba20271b0f681868103d46999cdacbee6e51b62a7a4fbcd43
Threat Level: Known bad
The file 7973d9066da647d82396600d464cf940_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-23 02:37
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 02:37
Reported
2024-05-23 02:40
Platform
win7-20240221-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4a203d0ddbf7945012e29cf25792317f |
| SHA1 | 65f53e66eb8a0b0586530e6f81b160083f119ee6 |
| SHA256 | 0d71fa08c5055f45741c0a3b62ab15adca9288fe76e06ff6e7bc692179274dae |
| SHA512 | b01601e1c76716c1708f01ecd958ddb4b87e54852afcb577e4a9bf85d7db0e9275970eb26fe39c65f90a5065d556502841abb5d54b64379ad25f4fea39a86b67 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 91004a51605d83d59d9d6beea8cbce2c |
| SHA1 | 152de0d2eadec3312a96004030debe1ab59e72cd |
| SHA256 | ec9d362e20ac923dd56c94eb3baae8b46eb056d4b6751e07563fa65d18dfc1da |
| SHA512 | 58db959c67306fff5a0c07846eb184e2b15f8779836f365b9b13e96fe8837fac6bfef6b7b3798154fe3ad60ca7f393b8e42ef6037546d068ce1713f665dac7cc |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c8d3fb0c4a84e064a73070d7ceae2b51 |
| SHA1 | 592dae279a6f530d8ecc3b15889fc2fb5fc5d358 |
| SHA256 | d80378aa9233b5cacaed31fbabc85919657e0003b2932ef7566ae25d0769a901 |
| SHA512 | cc393539df9aeebea7b8888fba01b065cd10cfe269c0810a064f5dbb74a6fec009ade0664e6fd93733c0fec1d3eb0b72b664b50dad87f41d6e91d4529c49d0ee |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 02:37
Reported
2024-05-23 02:40
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7973d9066da647d82396600d464cf940_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4a203d0ddbf7945012e29cf25792317f |
| SHA1 | 65f53e66eb8a0b0586530e6f81b160083f119ee6 |
| SHA256 | 0d71fa08c5055f45741c0a3b62ab15adca9288fe76e06ff6e7bc692179274dae |
| SHA512 | b01601e1c76716c1708f01ecd958ddb4b87e54852afcb577e4a9bf85d7db0e9275970eb26fe39c65f90a5065d556502841abb5d54b64379ad25f4fea39a86b67 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 632ce3d2b6337af28072ec53a280fe9a |
| SHA1 | 1475e096a1e8340b7ce03b7385e85dbe891efdef |
| SHA256 | bbdd12dfe7c94dac6ad66c896528d53c4bf1820affc5736b72952810d3efec17 |
| SHA512 | a4142cf1e1d10dad90b5d6f31208a72aebb58de66142dcc77692748b8bcbbcd71b471c93b3d5079be44c89630a8f063bd7feb245ff85a6673a3c852a93e0fa31 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 70c1747a73fca8df3540150b215056e7 |
| SHA1 | 5f262fadef650ccb3211734b75771aebde72b890 |
| SHA256 | 61a8ae90d4dd70767a3d3b3779ccd1ad11f101cdcb7fe20732707ec166587efe |
| SHA512 | de9402512aae51371ed1c1e672ed87acb835ec5eb667e711d092abdb5cbf666dcb49f9b7dad978f0553bda780e2bd9dc7f25d5ae069ac74c6c0a2a095203d6bd |