Analysis Overview
SHA256
f3f0a313306e331089a062918b7e24ca0aeb07ebaf1d0895ec8df9a8654d2f75
Threat Level: Known bad
The file 1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-23 07:41
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 07:41
Reported
2024-05-23 07:43
Platform
win7-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | c664366df778b7cb9af2defa43904937 |
| SHA1 | 1877cad278216c47993f20d324c62ba2f7424120 |
| SHA256 | 1c099876cab02618c6542a209d18711d558661cd03eb96e40603355d2fcf1d73 |
| SHA512 | 1b615aede976e2972d2bed26e73dd068c293fb931dd972b0bd2ab7864984af8affef82394c5f751d43bec03c6bbf77930539f4fec50d388549d83dc2c97c2559 |
\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 78c0efdeba3dba72fde2c50e9847cb8d |
| SHA1 | e9e9f1964cf0ff858372adb4e3a9bdaff369eb21 |
| SHA256 | cfe501177e7e873cf3522dd7a884b7a945dca90d00ff3557264adc6f6aeeabd4 |
| SHA512 | 8ffcc77927e819f95be9176c9063246826231e9b5c04818865a389e09f2f2c45fb0e72e759607a9209233f8a5a57708419e35169f7784659781d9c42e02a76e3 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | a9944391bfd14dd474bf11d811e6c0c7 |
| SHA1 | f0966614c99f6a90b82473431a1822a154d094da |
| SHA256 | 6a9a29731d736f0fd7d90294ccc05408413a62dc3d54a65007ec5f16c0dd30ee |
| SHA512 | 21bd974ac4e8a520ab62d58d67996546abaf64390c7b871d713bda38333ca3c80a9e6308e072d7578654300ca8ad98bf468b8ab72f125cbf7f57deea84f9a42a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 07:41
Reported
2024-05-23 07:43
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1889f9d2380a0b437839229a58a57910_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | c664366df778b7cb9af2defa43904937 |
| SHA1 | 1877cad278216c47993f20d324c62ba2f7424120 |
| SHA256 | 1c099876cab02618c6542a209d18711d558661cd03eb96e40603355d2fcf1d73 |
| SHA512 | 1b615aede976e2972d2bed26e73dd068c293fb931dd972b0bd2ab7864984af8affef82394c5f751d43bec03c6bbf77930539f4fec50d388549d83dc2c97c2559 |
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | c01461b4ffbc538b8e3b3b570c142f5b |
| SHA1 | 36da84b63d89159b0a03ebe61929584dbda67d1d |
| SHA256 | 41dee656b5226921150815e37d3b8a2d110c3e76bc4d3c2c54c8077a987e1ebd |
| SHA512 | 754e53aa8c45fa6587a0401caa9e8abdf2e6a9f87a8edd985ac2e3f97e80707278cfdfccfe181ed98a8751b4d3f3d957f7739f1a06cd5c7baa448e1b5858744c |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | a1765f2f554a070bcf671e91c91d3e31 |
| SHA1 | db72151e98bad7f6d99554c88d8bf47a95bd98f4 |
| SHA256 | c57610f0f14d60015bf9303657ee31ef6d8ffac9bdc80ff439dbfe61412be66b |
| SHA512 | 3be1c2efdf19a155da8a2d8bd9bcc34b463a949f42943729df6341eb5d90f4b05595c5c77b5286fcadcfbcc778c292e259112e29f0dfceb1316fd7a0bc0c2de3 |