Malware Analysis Report

2024-11-16 13:01

Sample ID 240524-g6yfbagc83
Target 448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe
SHA256 5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182
Tags neconyd trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 5f023ef87897ed5247a0b04a60fb11bf947d61b6a47dd8f5ebea93ef95112182

Threat Level: Known bad

The file 448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-24 06:25

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-24 06:25

Reported 2024-05-24 06:28

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 96.196.17.2.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2b7cb605a9a35c95f811cad269f2ba11
SHA1 a23c1f0c62ddd843f71404e25f85b9f07cff37a6
SHA256 bc530de8342e917474f2bd9eb4a1a5bbbf94221894f2432a9e5f52086ab96004
SHA512 fbe02d52113f68409740b0450897bb57eb05c55f2dab7a6d99dba41baa1bf63bcdd609c37d911ecec917534b616750d568ca522ca4363c0671d0495842eb8bab

C:\Windows\SysWOW64\omsecor.exe

MD5 6211c68f4b408a13f301e086c6642ec2
SHA1 026b8a1ddce062c3108769fa12216b6220371779
SHA256 451a2767160a86f992beec9c354026018ddffe7517fe6a8b742b713c8921819e
SHA512 9526d70d00575f41b164eb2896332869e189cf6e78ca4b64d3d65898ab73c105f1d58dff4601a1998d29cdbb689f15e6de83a100b9ecffcb8b4593ef818f7d00

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8116833e661b1273bbc53865838efa77
SHA1 d300c594e96812424c201b68634578972cf48b5b
SHA256 f4cbf6598e3d54ed12b94dda1721bf28a7854aa133426f002af6cdc3688c24d4
SHA512 2f82a9cc49285c17638a2709ddf4680f9219aff2b972f895fbdb67f548a2bcaae3601354a1b199d36a07ad68468adfbc0bd7e1d9903bfbfef8f82e5c9bedd612

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-24 06:25

Reported 2024-05-24 06:28

Platform win7-20240215-en

Max time kernel 148s

Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2388 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2388 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2388 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2360 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2360 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2360 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2360 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2956 wrote to memory of 328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2956 wrote to memory of 328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2956 wrote to memory of 328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2956 wrote to memory of 328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\448a0003171b766520b14466ec51c4a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2b7cb605a9a35c95f811cad269f2ba11
SHA1 a23c1f0c62ddd843f71404e25f85b9f07cff37a6
SHA256 bc530de8342e917474f2bd9eb4a1a5bbbf94221894f2432a9e5f52086ab96004
SHA512 fbe02d52113f68409740b0450897bb57eb05c55f2dab7a6d99dba41baa1bf63bcdd609c37d911ecec917534b616750d568ca522ca4363c0671d0495842eb8bab

\Windows\SysWOW64\omsecor.exe

MD5 6ad4033c8b3922cef3d8781f9c7e3c7b
SHA1 d91b1e19431f5712cb18254d86d68d1aba220888
SHA256 20deea230e539335894d8c22f0169daa7bec5687184e0112fe9066c901d872b8
SHA512 55607f1b5b09305865f9dbf27d0ef018166ea83035a695171bab19b92fe2fee074b49740b05371573da161425a003b46bd5b5d7213eeb931f57ec29e0d24a2ce

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 615396a6dbd9e0bbbd849cfcc73b2262
SHA1 0160cca8f6bbf79cfe1e4a35310fbcbc3b634fcd
SHA256 3587b80e2dac5f03671272529bb8f0cf4a6e72b3cf0e2667a01cec3ea38d5304
SHA512 f405789e69d93c52eefc16e08407131400cf2b805cf82b1bacf49000a7b7eb1ea31a134e37ec1ed53210711053f6c9601764c258aeeb7ccd82329c9017b74170