Malware Analysis Report

2024-11-16 13:01

Sample ID: 240523-lx5v9ace39
Target: a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe
SHA256: b57f0d8b030b35d9596dba5a50a48c054d47a1d0872de9c2af5923a1428b722e
Tags: neconyd, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b57f0d8b030b35d9596dba5a50a48c054d47a1d0872de9c2af5923a1428b722e

Threat Level: Known bad

The file a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-23 09:55

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-23 09:55
Reported: 2024-05-23 09:58
Platform: win7-20240215-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1920 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1920 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1920 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1920 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2192 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2192 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2360 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2360 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2360 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2360 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a20f18a01e00927a280a4c6cf9ebae04
SHA1 23550765ef7e33e94da8093c2179235d2774f7ba
SHA256 fec7578f26f32c3e56c0cd05766e22cdf4d64c9c0b09fdc5a9a496c61f583662
SHA512 e108f448ec13a01ba70ae88892b91bd9eae341d1d249b8208aa67b17709d0463dcc0a09ac180d07ffa9e9c11954f9d87ca2870cc6f53c8ee80ca75fb7464ec39

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 53a3da36fb788726311f33f59b28894f
SHA1 8d21f5d60ac308533f3622a9c8f8f3f093f3b4a5
SHA256 670682baaecabae4eb7ee07e45305e2ef8beabbfcc2ba627746ad4ba42a94c05
SHA512 35992f8dc8b33338232c8a1b7b0145311140538fc6fd73beec1c72aae647296509a2f37fa005cd2266fb9b0f8a611d5db89ac217e29fa5aa5b84cd045e2c2327

C:\Windows\SysWOW64\omsecor.exe

MD5 c0555fa28908c31bb69aeed275d186ce
SHA1 4060c32160f3eeaa57f4d73e29d58849f13151ba
SHA256 dd49042113556d675961b644afd6491a46d76eb5b3aac40d5e9a5b74390bfdf5
SHA512 86f847d20774d02df2900008278b6b4f527746e1d487480ac5ff497ac3eb41a3d62c1d8e183c38ed224c7e3c609ce7818bc7a7a44678a0a6b1b98a11aaf04753

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-23 09:55
Reported: 2024-05-23 09:58
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a2beb52326df577c8cc5c857ef4393f0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
GB | 142.250.187.202:443 | | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 35.91.124.102:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 102.124.91.35.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a20f18a01e00927a280a4c6cf9ebae04
SHA1 23550765ef7e33e94da8093c2179235d2774f7ba
SHA256 fec7578f26f32c3e56c0cd05766e22cdf4d64c9c0b09fdc5a9a496c61f583662
SHA512 e108f448ec13a01ba70ae88892b91bd9eae341d1d249b8208aa67b17709d0463dcc0a09ac180d07ffa9e9c11954f9d87ca2870cc6f53c8ee80ca75fb7464ec39

C:\Windows\SysWOW64\omsecor.exe

MD5 16650101305cee97b895a6c98f1a2393
SHA1 20a9845cdb0b070c7502a6c685fdf2112d1041cf
SHA256 f32e0c42950d5987b3879e06fba9b76da013b88bf210fe729504ea645f0f920b
SHA512 abca0da62ecfd2f97576151cc99ee939bee850d92c68baf297887437687a858888e5c547e89009e3dc6a759413240bb978ddbcbd07cb632d6ce414c74fef624f

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e86eb0084f83a12a5fff25b44570e6dc
SHA1 cc957dd132f813597d56cf841a88767213dd6264
SHA256 8e7a45d56cc137d2eb1eb5ca88d0e700b9d551ff201cf2850685bca77f4ec042
SHA512 515bcd86ea3a3ebd18ff9ab994495fa074ece88ac87f1c195cc7478582f972457243bdb198b5c92806e88b1ff523cb8c7bdc6bc7723aea0967381d4ad7cb4fc1