Analysis Overview
SHA256
5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182
Threat Level: Known bad
The file 448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-24 06:25
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-24 06:25
Reported
2024-05-24 06:28
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2b7cb605a9a35c95f811cad269f2ba11 |
| SHA1 | a23c1f0c62ddd843f71404e25f85b9f07cff37a6 |
| SHA256 | bc530de8342e917474f2bd9eb4a1a5bbbf94221894f2432a9e5f52086ab96004 |
| SHA512 | fbe02d52113f68409740b0450897bb57eb05c55f2dab7a6d99dba41baa1bf63bcdd609c37d911ecec917534b616750d568ca522ca4363c0671d0495842eb8bab |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 6211c68f4b408a13f301e086c6642ec2 |
| SHA1 | 026b8a1ddce062c3108769fa12216b6220371779 |
| SHA256 | 451a2767160a86f992beec9c354026018ddffe7517fe6a8b742b713c8921819e |
| SHA512 | 9526d70d00575f41b164eb2896332869e189cf6e78ca4b64d3d65898ab73c105f1d58dff4601a1998d29cdbb689f15e6de83a100b9ecffcb8b4593ef818f7d00 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8116833e661b1273bbc53865838efa77 |
| SHA1 | d300c594e96812424c201b68634578972cf48b5b |
| SHA256 | f4cbf6598e3d54ed12b94dda1721bf28a7854aa133426f002af6cdc3688c24d4 |
| SHA512 | 2f82a9cc49285c17638a2709ddf4680f9219aff2b972f895fbdb67f548a2bcaae3601354a1b199d36a07ad68468adfbc0bd7e1d9903bfbfef8f82e5c9bedd612 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-24 06:25
Reported
2024-05-24 06:28
Platform
win7-20240215-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2b7cb605a9a35c95f811cad269f2ba11 |
| SHA1 | a23c1f0c62ddd843f71404e25f85b9f07cff37a6 |
| SHA256 | bc530de8342e917474f2bd9eb4a1a5bbbf94221894f2432a9e5f52086ab96004 |
| SHA512 | fbe02d52113f68409740b0450897bb57eb05c55f2dab7a6d99dba41baa1bf63bcdd609c37d911ecec917534b616750d568ca522ca4363c0671d0495842eb8bab |
\Windows\SysWOW64\omsecor.exe
| MD5 | 6ad4033c8b3922cef3d8781f9c7e3c7b |
| SHA1 | d91b1e19431f5712cb18254d86d68d1aba220888 |
| SHA256 | 20deea230e539335894d8c22f0169daa7bec5687184e0112fe9066c901d872b8 |
| SHA512 | 55607f1b5b09305865f9dbf27d0ef018166ea83035a695171bab19b92fe2fee074b49740b05371573da161425a003b46bd5b5d7213eeb931f57ec29e0d24a2ce |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 615396a6dbd9e0bbbd849cfcc73b2262 |
| SHA1 | 0160cca8f6bbf79cfe1e4a35310fbcbc3b634fcd |
| SHA256 | 3587b80e2dac5f03671272529bb8f0cf4a6e72b3cf0e2667a01cec3ea38d5304 |
| SHA512 | f405789e69d93c52eefc16e08407131400cf2b805cf82b1bacf49000a7b7eb1ea31a134e37ec1ed53210711053f6c9601764c258aeeb7ccd82329c9017b74170 |