Analysis Overview
SHA256
bb298dc0bd16e09c8e916c339bdebfd12002d645745371d61f27f5dc48f8b7f5
Threat Level: Known bad
The file 3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-23 08:32
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 08:32
Reported
2024-05-23 08:35
Platform
win7-20240508-en
Max time kernel
147s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d57fab3d03ba2c057422b6cadc68d008 |
| SHA1 | 1e5bd0e2ae3716e51f4e182c7557910b5b536959 |
| SHA256 | 3a9ca99328a6dcbf319ceeff23809576d187e90e1e735f46884ac32050f03d74 |
| SHA512 | 8f6edfe7bc42800e0f13c5ac81f161f21f1d0cc90334879921a7d2d9953c3f0c9b465ae674f12291ccfa84cda02fa0674d81bab31ce591d097e6a9e7849e26f5 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 7f0afb356eb4b826e648a789807e40c3 |
| SHA1 | 30f636ca5dcda94af6bad191f2db47f649950872 |
| SHA256 | d32159a9767a3f0cb30e802c51a18f262ddefb88d38f12ddf4d695648ce4dcce |
| SHA512 | b7a235acb930566e5bb6e470fd0701a6a845609a70998bf1fc3247044b138681d9ab001725408cf8cdbed2825c76bc49a271004e8b711448bae7da5a45f95d32 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 00e231e402542677f82b4c994ac8efb5 |
| SHA1 | 50509377533586ef33521ded483e0df4bbe7f53b |
| SHA256 | d9510f47fdc11e52b3509c1c263960b13adc5608d9960d34595a4133719a812d |
| SHA512 | 34472f9b87ea34ce397145c6ebe71fc62df2ccbe1ca623578851c1cf6bbc3eeb4367b175c9d79efdc2e7bd8d273df313d51de1688fe5156771e98c614d1e6194 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 08:32
Reported
2024-05-23 08:35
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3dae0b8e7aaa90368482f1c5b475d330_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d57fab3d03ba2c057422b6cadc68d008 |
| SHA1 | 1e5bd0e2ae3716e51f4e182c7557910b5b536959 |
| SHA256 | 3a9ca99328a6dcbf319ceeff23809576d187e90e1e735f46884ac32050f03d74 |
| SHA512 | 8f6edfe7bc42800e0f13c5ac81f161f21f1d0cc90334879921a7d2d9953c3f0c9b465ae674f12291ccfa84cda02fa0674d81bab31ce591d097e6a9e7849e26f5 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 36961316c43c8ee6ba6e9896df651986 |
| SHA1 | daffbbf0bb5be65e21ace925bc1a2ec31e6661bf |
| SHA256 | 8ff26a6d0b07e32ed60749924c440bf7d8f734eda940a31477c93ca85fb5528d |
| SHA512 | de061992b0127071e7613f345a1911dc501c01c23ad437766759746c1b1610159eef0d9e5044db760100bfc0e80ef79070aa88e088b7be2220327c36f0a4e859 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2a4a0d460e9d7a1460c538fd54a33af7 |
| SHA1 | 57296acc3a5fdf9534938272e04f45049087ccdd |
| SHA256 | a5632f961a61ba10cd7995ae9fa87fbf413cc5b090f61d7e977e8840af7b5076 |
| SHA512 | 298263efe431e59c183c710f08f0046056164d0e095b145279fc66aafee564c1a2420a6990e284b43a86dd05da4e76f2d2877be1dcdf98a2adcb73d881e6e02a |