Analysis Overview
SHA256: dd25474b303cbfc94f88e06a5c7bab1a417e24fa84d66f0444d2d17664a45bce
Threat Level: Known bad
The file adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-24 04:59
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-24 04:59
Reported
2024-05-24 05:02
Platform
win7-20231129-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 389f48591ff68c23386ec64598f551cb |
| SHA1 | d63ce4071de4ebb721f766cdaeab4ac47bcd6a4c |
| SHA256 | 5b6c3c237334ef8c5ea14d6dab487a74a48080c8f4bf7eb6e8e93d0527d2ca5e |
| SHA512 | 494ba47fa82e23ff9e9f0dd8ebe81a91d29f1fc8945d8f630d806b5c29e9a0d35ee88442746d96e3a76884d8d11658fb2c8b4b8894e8491340eddbcbefe101e1 |
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 9582c4cbdb18e452d4dd4e67c948247d |
| SHA1 | 9f1e034176f8fef15f5213e4297e9364593f8adc |
| SHA256 | 392772ac85f22b9f0c95d0a41e3f59b3d8185827ad132476fb5d76ef1ab0628d |
| SHA512 | 08c100a4d84229448754a1777433014646fa2012cbf49bc4c6f8b057200a96170141118a1b0066a1e196b3b4c39a0961dce157af0087a1d92fb1520e5bc22577 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 1c6efbc0bb6b7f0d1e63f0eb1bab0472 |
| SHA1 | dae2c091e4b76883b20c5f0694c5e447d6a0dd2a |
| SHA256 | 486ad125475ff5ba551d1b6dc269dd07068f5886569cda7054f33925addf2356 |
| SHA512 | e8e40165245273d86e09fec73daf2bcd6243392b0338c0e24a793e49ad26af8f81c7496aad15e6788b48f307ad4ee7faac7ed5f94dd3841377f8c2704f8adccc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-24 04:59
Reported
2024-05-24 05:02
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\adc6ecf023607a36859fb7f4ecee1090_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 389f48591ff68c23386ec64598f551cb |
| SHA1 | d63ce4071de4ebb721f766cdaeab4ac47bcd6a4c |
| SHA256 | 5b6c3c237334ef8c5ea14d6dab487a74a48080c8f4bf7eb6e8e93d0527d2ca5e |
| SHA512 | 494ba47fa82e23ff9e9f0dd8ebe81a91d29f1fc8945d8f630d806b5c29e9a0d35ee88442746d96e3a76884d8d11658fb2c8b4b8894e8491340eddbcbefe101e1 |
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | a41db5db837b77b7996818d359e27a70 |
| SHA1 | 91e0d4504de0d389d2d8bd89cbebde4d9c9aa062 |
| SHA256 | f1b0d3ecf51a2b2ca3bce1a65c8aa7e92b9880791d2cec8ce34f97b4cf31084b |
| SHA512 | bf2492a0e9d0fb4af75779d2d90503e06f6efceeadc4c8ae5200fe061a7a4fecc3b33def7e077e2cba223bb32e32a149c53f627961a86e18f38507d3a9bcfac6 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | fb78a29e582b8ac876c6ad9d4304c03c |
| SHA1 | 5216342a3d7a3a9f3b2e66b7ed9d533ecb684e65 |
| SHA256 | 362e83e553a84867f409b76c83520a5a3518f8c66d66e27113b91d341830d44d |
| SHA512 | bbf2c88bde3599f2cd40e26562eec1182273afa11cc6bb5c377490fe41f99e5ef03d766e46ff535f94cfd63d86c765b9fe9a3ab63f50b1ff3e64b6ba52343d1b |