Malware Analysis Report

2024-11-16 13:01

Sample ID 240523-kfrrmaah37
Target 3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
SHA256 bb298dc0bd16e09c8e916c339bdebfd12002d645745371d61f27f5dc48f8b7f5
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb298dc0bd16e09c8e916c339bdebfd12002d645745371d61f27f5dc48f8b7f5

Threat Level: Known bad

The file 3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 08:32

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 08:32

Reported

2024-05-23 08:35

Platform

win7-20240508-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
(one row per process instance: the Roaming copy is executed twice, first by the sample and then again by the SysWOW64 copy)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1548 wrote to memory of 1236 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1236 wrote to memory of 2772 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2772 wrote to memory of 1640 (4 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Each hop is a parent writing into the child it has just spawned (1548 -> 1236 -> 2772 -> 1640), which gives the parent/child chain for the process list below. The sandbox records the WriteProcessMemory call, not the buffer written, so this row alone does not establish what was written or whether it was code injection rather than, for example, the child receiving configuration data.

Processes (tree reconstructed from the WriteProcessMemory chain above; each entry shows the image path, then the command line it was started with)

C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe (PID 1548)
    "C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe"

    C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1236)
        C:\Users\Admin\AppData\Roaming\omsecor.exe

        C:\Windows\SysWOW64\omsecor.exe (PID 2772)
            C:\Windows\System32\omsecor.exe

            C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 1640)
                C:\Users\Admin\AppData\Roaming\omsecor.exe

Note: the third process is launched with a System32 command line but its image lives in SysWOW64. That is what WoW64 file-system redirection looks like: a 32-bit process that writes to and launches C:\Windows\System32\omsecor.exe is transparently redirected to C:\Windows\SysWOW64\omsecor.exe, which is also where the "Drops file in System32 directory" signature recorded the file. When hunting for this chain, match on both path forms.
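
The process chain above is the detectable part of this sample: an executable in a user-writable directory drops a same-named copy into a system directory, executes it, and that copy re-launches the user-writable copy. The following is an added example, not part of the sandbox report, that runs that logic over process-creation and file-creation events constructed from behavioral1. The Sysmon-style field names (image, parent_image, target), the sample's parent process (explorer.exe), the file-create event for the Roaming drop, and the assumption that the sample is a 32-bit binary on a 64-bit host are all assumptions, not facts from the report; the PIDs and paths are the report's.

```python
"""Detect the drop-to-system-dir-and-relaunch chain seen in this report.

Added example, not part of the sandbox report. Events are constructed
from behavioral1; field names follow a Sysmon-like layout (assumed).
"""
import ntpath
import re

# Paths an ordinary user can write to (Roaming and the Temp folder).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local\\temp)\\", re.I)
# Windows system directories where a user-mode dropper should never be writing.
SYSTEM_DIRS = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed event stream. PIDs 1548/1236/2772/1640 and the paths are from
# the report; the explorer.exe parent and the first file_create are assumed.
EVENTS = [
    {"type": "process_create", "pid": 1548, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "pid": 1548, "image": SAMPLE, "target": ROAMING},
    {"type": "process_create", "pid": 1236, "image": ROAMING, "parent_image": SAMPLE},
    {"type": "file_create", "pid": 1236, "image": ROAMING, "target": SYSWOW},
    {"type": "process_create", "pid": 2772, "image": SYSWOW, "parent_image": ROAMING},
    {"type": "process_create", "pid": 1640, "image": ROAMING, "parent_image": SYSWOW},
]


def same_name(a, b):
    """True when two paths share a file name (case-insensitive, Windows separators)."""
    return ntpath.basename(a).lower() == ntpath.basename(b).lower()


def resolve_wow64_path(path, is_32bit):
    """Apply WoW64 file-system redirection: a 32-bit process that names
    C:\\Windows\\System32\\x is actually reading/writing C:\\Windows\\SysWOW64\\x.
    Use it to reconcile a System32 command line with a SysWOW64 image path."""
    if not is_32bit:
        return path
    return re.sub(r"(?i)^(c:\\windows\\)system32\\", r"\1SysWOW64\\", path)


def detect(events):
    """Return (rule, pid, path) alerts for the chain in the order events arrive."""
    alerts = []
    dropped = set()  # files written during the run, for "executes dropped EXE"
    for e in events:
        if e["type"] == "file_create":
            dropped.add(e["target"].lower())
            if USER_WRITABLE.search(e["image"]) and SYSTEM_DIRS.search(e["target"]):
                alerts.append(("system_dir_drop_from_user_path", e["pid"], e["target"]))
        elif e["type"] == "process_create":
            img, parent = e["image"], e["parent_image"]
            if img.lower() in dropped:
                alerts.append(("executes_dropped_exe", e["pid"], img))
            # user-writable parent starts a same-named binary from a system dir
            if SYSTEM_DIRS.search(img) and USER_WRITABLE.search(parent) and same_name(img, parent):
                alerts.append(("user_path_launches_same_name_in_system_dir", e["pid"], img))
            # system-dir copy hops back to the user-writable copy
            if USER_WRITABLE.search(img) and SYSTEM_DIRS.search(parent) and same_name(img, parent):
                alerts.append(("system_dir_relaunches_user_path_copy", e["pid"], img))
    return alerts


if __name__ == "__main__":
    for rule, pid, path in detect(EVENTS):
        print(f"{rule:45} pid={pid} {path}")
    print(resolve_wow64_path(r"C:\Windows\System32\omsecor.exe", is_32bit=True))
```

The three "executes_dropped_exe" hits correspond one-to-one with the three rows of the "Executes dropped EXE" signature; the two same-name hop rules are what make the chain distinctive, since a lone user-writable-directory execution is common in normal software installs.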

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d57fab3d03ba2c057422b6cadc68d008
SHA1 1e5bd0e2ae3716e51f4e182c7557910b5b536959
SHA256 3a9ca99328a6dcbf319ceeff23809576d187e90e1e735f46884ac32050f03d74
SHA512 8f6edfe7bc42800e0f13c5ac81f161f21f1d0cc90334879921a7d2d9953c3f0c9b465ae674f12291ccfa84cda02fa0674d81bab31ce591d097e6a9e7849e26f5

\Windows\SysWOW64\omsecor.exe

MD5 7f0afb356eb4b826e648a789807e40c3
SHA1 30f636ca5dcda94af6bad191f2db47f649950872
SHA256 d32159a9767a3f0cb30e802c51a18f262ddefb88d38f12ddf4d695648ce4dcce
SHA512 b7a235acb930566e5bb6e470fd0701a6a845609a70998bf1fc3247044b138681d9ab001725408cf8cdbed2825c76bc49a271004e8b711448bae7da5a45f95d32

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 00e231e402542677f82b4c994ac8efb5
SHA1 50509377533586ef33521ded483e0df4bbe7f53b
SHA256 d9510f47fdc11e52b3509c1c263960b13adc5608d9960d34595a4133719a812d
SHA512 34472f9b87ea34ce397145c6ebe71fc62df2ccbe1ca623578851c1cf6bbc3eeb4367b175c9d79efdc2e7bd8d273df313d51de1688fe5156771e98c614d1e6194

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 08:32

Reported

2024-05-23 08:35

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
(one row per process instance: the Roaming copy is executed twice, first by the sample and then again by the SysWOW64 copy)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes (same chain as on win7; nesting follows the parent/child order given by the "Drops file in System32 directory" row and the behavioral1 WriteProcessMemory chain; each entry shows the image path, then the command line)

C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe"

    C:\Users\Admin\AppData\Roaming\omsecor.exe
        C:\Users\Admin\AppData\Roaming\omsecor.exe

        C:\Windows\SysWOW64\omsecor.exe
            C:\Windows\System32\omsecor.exe

            C:\Users\Admin\AppData\Roaming\omsecor.exe
                C:\Users\Admin\AppData\Roaming\omsecor.exe

Note: as on win7, the System32 command line versus the SysWOW64 image path is WoW64 file-system redirection of a 32-bit process; the file itself lands in C:\Windows\SysWOW64. Note also that the WriteProcessMemory signature did not fire in this run even though the same chain executed, so a detection keyed only on that signature would miss the win10 detonation.

Network

Note: the rows for *.in-addr.arpa are reverse (PTR) lookups, most likely issued by the sandbox or the OS rather than by the sample; several of them resolve back to the IPs the sample contacted (64.225.91.73, 35.91.124.102) and to Microsoft ranges. tse1.mm.bing.net (204.79.197.200, a Microsoft address) is Windows 10 background traffic and is absent from the win7 run. The traffic attributable to the sample is the same in both runs: DNS for, then plain HTTP on port 80 to, lousta.net, mkkuei4kdsz.com and ow5dirasuek.com.

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
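
The win10 table mixes the sample's traffic with reverse lookups and OS background connections, and the win7 table above is the control that shows which destinations recur. The following added example, not part of the report, parses both Network tables as they appear on this page, classifies each row, and intersects the two runs to produce the set of destinations the sample contacted on every platform. The rows are copied from the report; the background-domain allowlist and the assumption that PTR lookups are not the sample's own traffic are the example's, not the report's.

```python
"""Separate sample-attributable network IOCs from sandbox background noise.

Added example, not part of the sandbox report. The two row sets are the
win7 (behavioral1) and win10 (behavioral2) Network tables of the report;
BACKGROUND_SUFFIXES is an assumed allowlist of OS/sandbox destinations.
"""
from collections import defaultdict

WIN7_ROWS = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

WIN10_ROWS = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 35.91.124.102:80 ow5dirasuek.com tcp
US 8.8.8.8:53 102.124.91.35.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

# Assumed allowlist of destinations the sandbox image talks to on its own.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Bucket a row: PTR lookup, background, the sample's DNS query, or its connection."""
    d = row["domain"].lower()
    if d.endswith(".in-addr.arpa"):
        return "ptr_lookup"
    if d.endswith(BACKGROUND_SUFFIXES):
        return "background"
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns_query"
    return "sample_connection"


def ptr_target(domain):
    """Turn 73.91.225.64.in-addr.arpa back into the forward address 64.225.91.73."""
    octets = domain.lower().removesuffix(".in-addr.arpa").split(".")
    return ".".join(reversed(octets))


def sample_iocs(rows):
    """domain -> {(ip, port, proto)} for connections attributed to the sample."""
    iocs = defaultdict(set)
    for r in rows:
        if classify(r) == "sample_connection":
            iocs[r["domain"]].add((r["ip"], r["port"], r["proto"]))
    return dict(iocs)


def consistent_iocs(*runs):
    """Domains contacted in every detonation: the highest-confidence C2 set."""
    return set.intersection(*(set(sample_iocs(r)) for r in runs))


def ptr_for_sample_ips(rows):
    """PTR lookups whose target is an IP the sample actually connected to."""
    contacted = {ip for conns in sample_iocs(rows).values() for ip, _, _ in conns}
    return {ptr_target(r["domain"]) for r in rows if classify(r) == "ptr_lookup"} & contacted


def noise_summary(rows):
    counts = defaultdict(int)
    for r in rows:
        counts[classify(r)] += 1
    return dict(counts)


if __name__ == "__main__":
    win7, win10 = parse_rows(WIN7_ROWS), parse_rows(WIN10_ROWS)
    print("consistent C2 domains:", sorted(consistent_iocs(win7, win10)))
    print("win10 row classes:", noise_summary(win10))
    print("PTR lookups for contacted IPs:", ptr_for_sample_ips(win10))
```

The intersection is what should go into a blocklist; the per-run extras (Bing, PTR lookups) are sandbox artefacts and would only generate false positives if exported as IOCs.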

Files

Note: C:\Users\Admin\AppData\Roaming\omsecor.exe is listed twice per run with different hashes, and the SysWOW64 copy differs between the win7 and win10 runs; only the first Roaming drop (SHA256 3a9ca99328a6dcbf319ceeff23809576d187e90e1e735f46884ac32050f03d74) is identical across both detonations. The dropped binaries are therefore rewritten during each execution, so per-file hashes are weak indicators for this family; the stable indicators on this page are the file name and paths, the Roaming -> SysWOW64 -> Roaming process chain, and the three contacted domains.

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d57fab3d03ba2c057422b6cadc68d008
SHA1 1e5bd0e2ae3716e51f4e182c7557910b5b536959
SHA256 3a9ca99328a6dcbf319ceeff23809576d187e90e1e735f46884ac32050f03d74
SHA512 8f6edfe7bc42800e0f13c5ac81f161f21f1d0cc90334879921a7d2d9953c3f0c9b465ae674f12291ccfa84cda02fa0674d81bab31ce591d097e6a9e7849e26f5

C:\Windows\SysWOW64\omsecor.exe

MD5 36961316c43c8ee6ba6e9896df651986
SHA1 daffbbf0bb5be65e21ace925bc1a2ec31e6661bf
SHA256 8ff26a6d0b07e32ed60749924c440bf7d8f734eda940a31477c93ca85fb5528d
SHA512 de061992b0127071e7613f345a1911dc501c01c23ad437766759746c1b1610159eef0d9e5044db760100bfc0e80ef79070aa88e088b7be2220327c36f0a4e859

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2a4a0d460e9d7a1460c538fd54a33af7
SHA1 57296acc3a5fdf9534938272e04f45049087ccdd
SHA256 a5632f961a61ba10cd7995ae9fa87fbf413cc5b090f61d7e977e8840af7b5076
SHA512 298263efe431e59c183c710f08f0046056164d0e095b145279fc66aafee564c1a2420a6990e284b43a86dd05da4e76f2d2877be1dcdf98a2adcb73d881e6e02a