Malware Analysis Report

2024-11-16 13:01

Sample ID 240524-fmr9hsec73
Target adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe
SHA256 dd25474b303cbfc94f88e06a5c7bab1a417e24fa84d66f0444d2d17664a45bce
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 dd25474b303cbfc94f88e06a5c7bab1a417e24fa84d66f0444d2d17664a45bce

Threat Level: Known bad

The file adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-24 04:59

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-24 04:59
Reported 2024-05-24 05:02
Platform win7-20231129-en
Max time kernel 145s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2364 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2364 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1036 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1036 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1036 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1036 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2824 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2824 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2824 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2824 wrote to memory of 1576 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 389f48591ff68c23386ec64598f551cb
SHA1 d63ce4071de4ebb721f766cdaeab4ac47bcd6a4c
SHA256 5b6c3c237334ef8c5ea14d6dab487a74a48080c8f4bf7eb6e8e93d0527d2ca5e
SHA512 494ba47fa82e23ff9e9f0dd8ebe81a91d29f1fc8945d8f630d806b5c29e9a0d35ee88442746d96e3a76884d8d11658fb2c8b4b8894e8491340eddbcbefe101e1

\Windows\SysWOW64\omsecor.exe

MD5 9582c4cbdb18e452d4dd4e67c948247d
SHA1 9f1e034176f8fef15f5213e4297e9364593f8adc
SHA256 392772ac85f22b9f0c95d0a41e3f59b3d8185827ad132476fb5d76ef1ab0628d
SHA512 08c100a4d84229448754a1777433014646fa2012cbf49bc4c6f8b057200a96170141118a1b0066a1e196b3b4c39a0961dce157af0087a1d92fb1520e5bc22577

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1c6efbc0bb6b7f0d1e63f0eb1bab0472
SHA1 dae2c091e4b76883b20c5f0694c5e447d6a0dd2a
SHA256 486ad125475ff5ba551d1b6dc269dd07068f5886569cda7054f33925addf2356
SHA512 e8e40165245273d86e09fec73daf2bcd6243392b0338c0e24a793e49ad26af8f81c7496aad15e6788b48f307ad4ee7faac7ed5f94dd3841377f8c2704f8adccc

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-24 04:59
Reported 2024-05-24 05:02
Platform win10v2004-20240508-en
Max time kernel 145s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 389f48591ff68c23386ec64598f551cb
SHA1 d63ce4071de4ebb721f766cdaeab4ac47bcd6a4c
SHA256 5b6c3c237334ef8c5ea14d6dab487a74a48080c8f4bf7eb6e8e93d0527d2ca5e
SHA512 494ba47fa82e23ff9e9f0dd8ebe81a91d29f1fc8945d8f630d806b5c29e9a0d35ee88442746d96e3a76884d8d11658fb2c8b4b8894e8491340eddbcbefe101e1

C:\Windows\SysWOW64\omsecor.exe

MD5 a41db5db837b77b7996818d359e27a70
SHA1 91e0d4504de0d389d2d8bd89cbebde4d9c9aa062
SHA256 f1b0d3ecf51a2b2ca3bce1a65c8aa7e92b9880791d2cec8ce34f97b4cf31084b
SHA512 bf2492a0e9d0fb4af75779d2d90503e06f6efceeadc4c8ae5200fe061a7a4fecc3b33def7e077e2cba223bb32e32a149c53f627961a86e18f38507d3a9bcfac6

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 fb78a29e582b8ac876c6ad9d4304c03c
SHA1 5216342a3d7a3a9f3b2e66b7ed9d533ecb684e65
SHA256 362e83e553a84867f409b76c83520a5a3518f8c66d66e27113b91d341830d44d
SHA512 bbf2c88bde3599f2cd40e26562eec1182273afa11cc6bb5c377490fe41f99e5ef03d766e46ff535f94cfd63d86c765b9fe9a3ab63f50b1ff3e64b6ba52343d1b