Analysis Overview
SHA256
b57f0d8b030b35d9596dba5a50a48c054d47a1d0872de9c2af5923a1428b722e
Threat Level: Known bad
The file a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-23 09:55
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 09:55
Reported
2024-05-23 09:58
Platform
win7-20240215-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a20f18a01e00927a280a4c6cf9ebae04 |
| SHA1 | 23550765ef7e33e94da8093c2179235d2774f7ba |
| SHA256 | fec7578f26f32c3e56c0cd05766e22cdf4d64c9c0b09fdc5a9a496c61f583662 |
| SHA512 | e108f448ec13a01ba70ae88892b91bd9eae341d1d249b8208aa67b17709d0463dcc0a09ac180d07ffa9e9c11954f9d87ca2870cc6f53c8ee80ca75fb7464ec39 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 53a3da36fb788726311f33f59b28894f |
| SHA1 | 8d21f5d60ac308533f3622a9c8f8f3f093f3b4a5 |
| SHA256 | 670682baaecabae4eb7ee07e45305e2ef8beabbfcc2ba627746ad4ba42a94c05 |
| SHA512 | 35992f8dc8b33338232c8a1b7b0145311140538fc6fd73beec1c72aae647296509a2f37fa005cd2266fb9b0f8a611d5db89ac217e29fa5aa5b84cd045e2c2327 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | c0555fa28908c31bb69aeed275d186ce |
| SHA1 | 4060c32160f3eeaa57f4d73e29d58849f13151ba |
| SHA256 | dd49042113556d675961b644afd6491a46d76eb5b3aac40d5e9a5b74390bfdf5 |
| SHA512 | 86f847d20774d02df2900008278b6b4f527746e1d487480ac5ff497ac3eb41a3d62c1d8e183c38ed224c7e3c609ce7818bc7a7a44678a0a6b1b98a11aaf04753 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 09:55
Reported
2024-05-23 09:58
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | tcp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 35.91.124.102:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a20f18a01e00927a280a4c6cf9ebae04 |
| SHA1 | 23550765ef7e33e94da8093c2179235d2774f7ba |
| SHA256 | fec7578f26f32c3e56c0cd05766e22cdf4d64c9c0b09fdc5a9a496c61f583662 |
| SHA512 | e108f448ec13a01ba70ae88892b91bd9eae341d1d249b8208aa67b17709d0463dcc0a09ac180d07ffa9e9c11954f9d87ca2870cc6f53c8ee80ca75fb7464ec39 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 16650101305cee97b895a6c98f1a2393 |
| SHA1 | 20a9845cdb0b070c7502a6c685fdf2112d1041cf |
| SHA256 | f32e0c42950d5987b3879e06fba9b76da013b88bf210fe729504ea645f0f920b |
| SHA512 | abca0da62ecfd2f97576151cc99ee939bee850d92c68baf297887437687a858888e5c547e89009e3dc6a759413240bb978ddbcbd07cb632d6ce414c74fef624f |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e86eb0084f83a12a5fff25b44570e6dc |
| SHA1 | cc957dd132f813597d56cf841a88767213dd6264 |
| SHA256 | 8e7a45d56cc137d2eb1eb5ca88d0e700b9d551ff201cf2850685bca77f4ec042 |
| SHA512 | 515bcd86ea3a3ebd18ff9ab994495fa074ece88ac87f1c195cc7478582f972457243bdb198b5c92806e88b1ff523cb8c7bdc6bc7723aea0967381d4ad7cb4fc1 |