Analysis Overview
SHA256
db3c228f6b57cf7ffb558df74e26eb0d70a4172612921ade44fb8d40e5fe3dd3
Threat Level: Known bad
The file daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-23 15:42
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 15:42
Reported
2024-05-23 15:44
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 15:42
Reported
2024-05-23 15:44
Platform
win7-20240221-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\daad0af1b433c3db07236e9d895f22a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
\Users\Admin\AppData\Roaming\omsecor.exe
\Windows\SysWOW64\omsecor.exe
\Users\Admin\AppData\Roaming\omsecor.exe