Analysis Overview
SHA256
e66c6a8c77184285cc0b03571ec3694c334cf1a56b089ea5abf02d7dfa26af26
Threat Level: Known bad
The file 77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-23 02:26
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 02:26
Reported
2024-05-23 02:28
Platform
win7-20240220-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2912-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2912-8-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c3298ed9da3fd6921d6d1b14cca1ab65 |
| SHA1 | 69a15043f2b2296132edfe770bb75852cfc60247 |
| SHA256 | e20cad1b2606146de40b024eb98a7369eea7e079c015a2a9dfad62bbffe28c2d |
| SHA512 | f9eeb908be9264a772c70c8566ce8d4f0516da12859af4a1cfca87569027b4d2c58263661534b6939de2177636021370f84da061085bf9fc3349ee531528767e |
memory/2992-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2992-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 3b3ef359003f13ffddb4247b4699a407 |
| SHA1 | dcffc735eef571583ab0c3aa9e0016c472b76827 |
| SHA256 | 593732737355806f2c28004c1f037642f8685c6499c98580016966a27d5e7adf |
| SHA512 | 24b4c7e4127cad32ed0e53aa12f0071efa2f6e33950cb02cfd57dd92f82a3c3ad46aa17a54b892105227165f64f0e95d68cd5196fa174cc8d0b3bb8e0ece72d1 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 808d38c503420b28a362b339f44f901d |
| SHA1 | 00e872de4fca40bca73bf60a446ead65ddb6f4c8 |
| SHA256 | eb72a385e62d1573c772202e9f7d71ddabb9782dab92b59b2ec52f125e69711f |
| SHA512 | de396994af82f123a61d46beabcef3d6cc6c6d94cb1d15d36f634cd7f66910822b26ee31037f193f0cb8171950fbf2677856f30e14f173ef5a8ba6a3d47dbc8b |
memory/1500-35-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1800-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1800-26-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2992-22-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1500-37-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 02:26
Reported
2024-05-23 02:28
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\77bc636ff796f371de0293a5706729b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
memory/3076-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c3298ed9da3fd6921d6d1b14cca1ab65 |
| SHA1 | 69a15043f2b2296132edfe770bb75852cfc60247 |
| SHA256 | e20cad1b2606146de40b024eb98a7369eea7e079c015a2a9dfad62bbffe28c2d |
| SHA512 | f9eeb908be9264a772c70c8566ce8d4f0516da12859af4a1cfca87569027b4d2c58263661534b6939de2177636021370f84da061085bf9fc3349ee531528767e |
memory/3300-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3076-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3300-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | a9aabe5b44e6dff47047bf6fe008584e |
| SHA1 | e3c6ea8afde7a53bdea2104d38d4c97d63990eef |
| SHA256 | e2647e7fcebcd9126a337aa542b69e605e1397079cac832158e4c315b7ed623b |
| SHA512 | bcdadf27e29b8d565dcc7e31e759e5bba0bbdc0500bc8f0592de691e2330603c33e9b3b08304e419ccc9229b853a4861401caedcf5114d55a81482ad91c9a734 |
memory/2512-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3300-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2264-18-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 9a0f907be9ce87e8f07975ed78aacf84 |
| SHA1 | 6734dc8ee32548c49a10dfb8fb198176817108db |
| SHA256 | 9f0a4f6cec1246ec896785bf06eadf8eef0e5d5e77b315d865af604839ad6357 |
| SHA512 | 80c55283a56fc5f12dd8861c351e2dc4d21eeb9bc19dddb5b7466a051ec580be429bb2afc1af819a2ee21d4b993d113e9b7cc3a8b3b98c196c5ff74a21f012f1 |
memory/2512-16-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2264-20-0x0000000000400000-0x000000000042B000-memory.dmp