Malware Analysis Report

2024-11-16 12:59

Sample ID 240523-s5jfjsgb59
Target daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe
SHA256 db3c228f6b57cf7ffb558df74e26eb0d70a4172612921ade44fb8d40e5fe3dd3
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

db3c228f6b57cf7ffb558df74e26eb0d70a4172612921ade44fb8d40e5fe3dd3

Threat Level: Known bad

The file daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 15:42

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 15:42

Reported

2024-05-23 15:44

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
BE | 88.221.83.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
US | 52.111.229.48:443 | N/A | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e8b006bc16a30d1d5849f6481fd4a71c
SHA1 ed57c43123708badb9124900be91e152777f29d0
SHA256 ada4e1bdf91e4d6940475c35198158ea97b11c369e6c76e21307906bfee4ffd0
SHA512 a5d945effe782ed2a99b10bc7980351b11a937d4d2068b9b8da6489b58e328b7d8d8c9df911d6108d6c1a18325c73a90b75aad574a66cb52fcc71d516379fa2b

C:\Windows\SysWOW64\omsecor.exe

MD5 a41f6b7e1a33e87471c564fb50408d94
SHA1 ae29f09bdc10fd80ee3dc0ae9d74c60c35df28dd
SHA256 5ac666066ca5e7d4e81dad0ab68225951d3b37f0e01b6b2470008f292285566e
SHA512 59c003e24bd5a4dcf1494a0380f3eb5e87ad06f12d946c261b5ccad9364b286461593a625e90c3f2b115ec738fd316f36c4a0e051666f471b541d6cf70b881c0

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 939f343f036be1185399b6692c8b0e41
SHA1 c38410311f37fdc7897c24aff2ae75e3370356d1
SHA256 04080d14634da4dcc28b7f1046b700ece012d423d98ae469127d2f7132bdcb38
SHA512 263cc100ad9ce81bab14211cacf2199621153d2d188ed5b1526549b4ef7dfb9daffa9c41d51c97745efe5fd6647e6514c72d67ab87790a8426baa388d9113f7f

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 15:42

Reported

2024-05-23 15:44

Platform

win7-20240221-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3048 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3048 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3048 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3048 wrote to memory of 2336 | N/A | C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2336 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2336 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2336 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2336 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1120 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1120 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1120 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1120 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
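
The twelve rows above are three distinct cross-process writes, each reported four times, forming one chain: the dropper in Temp writes into the omsecor.exe copy in AppData\Roaming (PID 3048 to 2336), that copy writes into the SysWOW64 copy (2336 to 1120), and the SysWOW64 copy writes back into a Roaming omsecor.exe (1120 to 2812). The following Python is an added example and is not part of the sandbox report: it parses those rows, collapses the repeats, rebuilds the PID chain, and flags the hops an analyst would escalate. The three distinct rows are copied from the table; the directory classes and the flagging heuristic are this example's own assumptions, not the sandbox's scoring logic.

```python
"""Reconstruct the cross-process write chain from the WriteProcessMemory rows above.

Added example, not part of the sandbox report. The three distinct rows are copied
from the table (the sandbox listed each one four times); the directory classes and
the flagging heuristic are this example's own assumptions, not the sandbox's scoring.
"""
import re

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# (Description, Process, Target) as the report lists them, including the
# four-fold repetition of every write.
REPORT_ROWS = (
    [("PID 3048 wrote to memory of 2336", DROPPER, ROAMING)] * 4
    + [("PID 2336 wrote to memory of 1120", ROAMING, SYSWOW)] * 4
    + [("PID 1120 wrote to memory of 2812", SYSWOW, ROAMING)] * 4
)

DESC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# Assumption: directories an unprivileged user can write to, and Windows system directories.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")
SYSTEM_DIRS = (r"\windows\syswow64", r"\windows\system32")


def parse_rows(rows):
    """Collapse repeated rows into {(src_pid, dst_pid, src_image, dst_image): count}."""
    edges = {}
    for desc, src_image, dst_image in rows:
        m = DESC_RE.fullmatch(desc)
        if m is None:
            raise ValueError(f"unexpected description: {desc!r}")
        key = (int(m.group(1)), int(m.group(2)), src_image, dst_image)
        edges[key] = edges.get(key, 0) + 1
    return edges


def build_chain(edges):
    """Follow src->dst PIDs starting from the only PID that never appears as a target."""
    targets = {dst for _src, dst, _a, _b in edges}
    roots = [src for src, _dst, _a, _b in edges if src not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root, found {roots}")
    next_hop = {src: dst for src, dst, _a, _b in edges}
    chain = [roots[0]]
    # stop at the end of the chain, or if a write ever points back into it (cycle guard)
    while chain[-1] in next_hop and next_hop[chain[-1]] not in chain:
        chain.append(next_hop[chain[-1]])
    return chain


def classify(path):
    p = path.lower()
    if any(d in p for d in SYSTEM_DIRS):
        return "system"
    if any(d in p for d in USER_WRITABLE):
        return "user-writable"
    return "other"


def suspicious_edges(edges):
    """Flag (src_pid, dst_pid) when a binary in a user-writable directory writes into a
    process imaged from a Windows system directory, or when two same-named binaries in
    different directories write into each other (the self-named relaunch seen here)."""
    flagged = []
    for src_pid, dst_pid, src_image, dst_image in edges:
        cross_trust = classify(src_image) == "user-writable" and classify(dst_image) == "system"
        same_name = (src_image.rsplit("\\", 1)[-1].lower() == dst_image.rsplit("\\", 1)[-1].lower()
                     and src_image.lower() != dst_image.lower())
        if cross_trust or same_name:
            flagged.append((src_pid, dst_pid))
    return flagged


if __name__ == "__main__":
    edges = parse_rows(REPORT_ROWS)
    print("chain:", " -> ".join(map(str, build_chain(edges))))
    for (src, dst, a, b), n in edges.items():
        print(f"{src} -> {dst} x{n}: {a} -> {b}")
    print("flagged:", suspicious_edges(edges))
```

Run as-is it prints the chain 3048 -> 2336 -> 1120 -> 2812 and flags the Roaming-to-SysWOW64 and SysWOW64-to-Roaming hops; the first hop (dropper into its own Roaming copy) stays within user-writable space and is not flagged by this heuristic, which is why the path-based rules should be paired with the dropped-EXE and file-creation signatures the report already lists.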

Processes

C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
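
The Win7 network table above contains only the sample's own traffic, while the Win10 table in behavioral2 mixes the same traffic with resolver queries, reverse lookups and Bing connections from the image itself. The following Python is an added example, not part of the sandbox report: it parses both tables, removes what this example assumes to be sandbox and OS noise (queries to 8.8.8.8:53 as the sandbox resolver, *.in-addr.arpa names as the sandbox's reverse lookups, bing.com and bing.net as Windows 10 telemetry), and checks that the filtered Win10 set equals the Win7 set. The 52.111.229.48:443 row has no domain in the report, so it goes into a separate unattributed bucket rather than being guessed at.

```python
"""Separate this sample's own network indicators from sandbox and OS noise.

Added example, not part of the sandbox report. The rows are copied from the two
Network tables (WIN10 = behavioral2, WIN7 = behavioral1). The noise rules are this
example's assumptions: 8.8.8.8:53 is the sandbox resolver (a query, not a C2
connection), *.in-addr.arpa names are the sandbox's reverse lookups of IPs it saw,
and bing.com / bing.net traffic on the Windows 10 image is OS telemetry.
"""

WIN10_ROWS = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
BE 88.221.83.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 52.111.229.48:443 tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
"""

WIN7_ROWS = """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

SANDBOX_RESOLVER = "8.8.8.8:53"
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def parse_table(text):
    """Return (country, destination, domain, proto) rows; domain is "" when absent."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:  # e.g. "US 52.111.229.48:443 tcp": no domain given
            (country, dest, proto), domain = parts, ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append((country, dest, domain, proto))
    return rows


def is_noise(domain):
    d = domain.lower()
    return d == "bing.com" or d.endswith(NOISE_SUFFIXES)


def extract_indicators(rows):
    """Return ({domain: [ip:port, ...]}, [unattributed ip:port])."""
    by_domain, unattributed = {}, set()
    for _country, dest, domain, _proto in rows:
        if dest == SANDBOX_RESOLVER:            # DNS query: keep the name, no endpoint
            if domain and not is_noise(domain):
                by_domain.setdefault(domain, set())
        elif not domain:                        # connection with no name: do not guess
            unattributed.add(dest)
        elif not is_noise(domain):
            by_domain.setdefault(domain, set()).add(dest)
    return {d: sorted(v) for d, v in sorted(by_domain.items())}, sorted(unattributed)


if __name__ == "__main__":
    for label, table in (("win10", WIN10_ROWS), ("win7", WIN7_ROWS)):
        print(label, *extract_indicators(parse_table(table)), sep="\n  ")
```

With these rules both runs reduce to the same three domain-to-endpoint pairs (lousta.net on 193.166.255.171:80, mkkuei4kdsz.com on 64.225.91.73:80, ow5dirasuek.com on 52.34.198.229:80), which is the set worth blocking or hunting on; the Bing assumption is the one to revisit if the sample is ever seen using Microsoft infrastructure for anything other than what the image does on its own.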

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e8b006bc16a30d1d5849f6481fd4a71c
SHA1 ed57c43123708badb9124900be91e152777f29d0
SHA256 ada4e1bdf91e4d6940475c35198158ea97b11c369e6c76e21307906bfee4ffd0
SHA512 a5d945effe782ed2a99b10bc7980351b11a937d4d2068b9b8da6489b58e328b7d8d8c9df911d6108d6c1a18325c73a90b75aad574a66cb52fcc71d516379fa2b

\Windows\SysWOW64\omsecor.exe

MD5 5b02b95e554e08f07d78ae082012889d
SHA1 edda9b2e214dbac9d5de12bfb16bc922df9a7ff5
SHA256 ec149a139b17fd220771e07950c97e7b5e5894921e0e2e573b352fdac9a1afb8
SHA512 6bb40378ecea28251c4b02dbbe0fb87e3ff7f18fd8b73f3e5ad3f22c8b16f2c6e8a13d957c35c4394880ff90be7cdbbd74650c65a0840d0c5f0c57a13bc607f9

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4464e2911bcda80e9b15196916b09d26
SHA1 a0015166d4710af9ac7445b58ab5d2932c7580d4
SHA256 96529fa514cb6ac79f81a72951fc29de4fb90f39f68b51bb21b81c4cb933e479
SHA512 cb695ee3a7b6b9f72441e1745ac7a062c35f423251b35459a3e730ca4cbe7be232511e275a35c4be64364d4ad8e14c1483a833f5b426c68ac34d25af175ce339
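
Comparing the Files sections of the two detonations shows that only the first omsecor.exe written to AppData\Roaming hashes identically on Win7 and Win10 (SHA256 ada4e1bd...ffd0); the SysWOW64 copy and the second Roaming listing carry different hashes in each run, so those stages cannot be hunted by hash. The following Python is an added example, not part of the sandbox report: it compares the two runs stage by stage, extracts the drop paths common to both (the indicator that does hold across runs), and emits a YARA hash rule only for the stable artifact. SHA256 values and paths are copied from the two Files sections; the "stage" labels are this example's own naming for the order in which the report lists the drops, and the YARA text is generated here, not taken from the page.

```python
"""Cross-detonation hash comparison for the files this sample drops.

Added example, not part of the sandbox report. SHA256 values and paths are copied
from the two Files sections (WIN10 = behavioral2, WIN7 = behavioral1); the "stage"
labels are this example's naming for the order the report lists the drops, and the
YARA text is generated here, not taken from the page.
"""
import re

# stage -> (path as listed, SHA256). The Roaming path is listed twice per run with a
# different hash the second time, i.e. the file at that path changed during the run.
WIN10_FILES = {
    "stage1": (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
               "ada4e1bdf91e4d6940475c35198158ea97b11c369e6c76e21307906bfee4ffd0"),
    "stage2": (r"C:\Windows\SysWOW64\omsecor.exe",
               "5ac666066ca5e7d4e81dad0ab68225951d3b37f0e01b6b2470008f292285566e"),
    "stage3": (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
               "04080d14634da4dcc28b7f1046b700ece012d423d98ae469127d2f7132bdcb38"),
}
WIN7_FILES = {
    "stage1": (r"\Users\Admin\AppData\Roaming\omsecor.exe",
               "ada4e1bdf91e4d6940475c35198158ea97b11c369e6c76e21307906bfee4ffd0"),
    "stage2": (r"\Windows\SysWOW64\omsecor.exe",
               "ec149a139b17fd220771e07950c97e7b5e5894921e0e2e573b352fdac9a1afb8"),
    "stage3": (r"\Users\Admin\AppData\Roaming\omsecor.exe",
               "96529fa514cb6ac79f81a72951fc29de4fb90f39f68b51bb21b81c4cb933e479"),
}


def compare_runs(*runs):
    """Split stages into those with one SHA256 across every run and those that vary."""
    stable, varies = {}, {}
    for stage in runs[0]:
        hashes = sorted({run[stage][1] for run in runs})
        (stable if len(hashes) == 1 else varies)[stage] = hashes
    return stable, varies


def path_indicators(*runs):
    """Drop locations common to all runs, drive letter stripped so the Win7 and Win10
    listings compare equal; these are what to hunt on where hashes do not hold."""
    per_run = [{re.sub(r"^[A-Za-z]:", "", path) for path, _sha in run.values()} for run in runs]
    return sorted(set.intersection(*per_run))


def yara_hash_rule(name, sha256s, description):
    """Emit a YARA rule matching whole files by SHA256 (requires YARA's hash module)."""
    conds = " or\n        ".join(f'hash.sha256(0, filesize) == "{h}"' for h in sorted(sha256s))
    return (
        'import "hash"\n\n'
        f"rule {name}\n{{\n"
        "    meta:\n"
        f'        description = "{description}"\n'
        "    condition:\n"
        f"        {conds}\n"
        "}\n"
    )


if __name__ == "__main__":
    stable, varies = compare_runs(WIN10_FILES, WIN7_FILES)
    print("stable across runs:", stable)
    print("varies per run:", varies)
    print("paths common to both runs:", path_indicators(WIN10_FILES, WIN7_FILES))
    print(yara_hash_rule("Neconyd_omsecor_stage1_sha256",
                         [h for hs in stable.values() for h in hs],
                         "omsecor.exe first-stage drop, SHA256 identical on Win7 and Win10 runs"))
```

The hash rule is deliberately limited to the stable stage; for the SysWOW64 copy and the rewritten Roaming copy the durable indicators are the path pair (\Users\Admin\AppData\Roaming\omsecor.exe and \Windows\SysWOW64\omsecor.exe) together with the unsigned-PE and dropped-EXE behaviour the report records, not the per-run hashes.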