Malware Analysis Report

2024-11-16 13:01

Sample ID 240524-g9rryage4s
Target a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe
SHA256 a662b05a15e3e24dde18490265f30fbb296ff061d1ccb549bf6f48e236bd9b73
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a662b05a15e3e24dde18490265f30fbb296ff061d1ccb549bf6f48e236bd9b73

Threat Level: Known bad

The file a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-24 06:30

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 06:30

Reported

2024-05-24 06:33

Platform

win7-20240221-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2004 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2004 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2004 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1100 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1100 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1100 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1100 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1448 wrote to memory of 2104 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1448 wrote to memory of 2104 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1448 wrote to memory of 2104 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1448 wrote to memory of 2104 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 46ec3288f304757aa581518b5f82a13f
SHA1 2bbadd644f54c3731a629cfc3550641428914055
SHA256 6b3248f4664a09c65f267850ce337d8d6b842a0458f77d24582be08970a0c85a
SHA512 b9674ee4d7e375790a336b93528cfaeea14d5fbedcb9ec6084d738c97c2fac4eea9dd4aaa4865756a151d4978dcfe95f952fcd84e1f01a7ed8f1c966860d104a

\Windows\SysWOW64\omsecor.exe

MD5 27439e98753d69c55d1ac8cc561e11d9
SHA1 54bd24c194c9543009deafb823aa653d723cd5ab
SHA256 bb6b73720dee0a51118b10ed3313840f3d9dce2edcce29d32bd130650c8e985b
SHA512 fddb4c4871bdeb40d3f5975b77add256792a5dbe84987e4489983fe8d09296c2af6468670f81bc7a7bcc3a7e9be34b74181ef3d677decadda3c40129dadd973a

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 22afee455ab54c0de7b1bfa13fe4252f
SHA1 9d718bc0638f7aaec7a6a0a8f51441d74d8fb5ec
SHA256 a014eb5bf77b4b3421a9f40ad564a1a14b181c7a7e0a83f47355bfe23740e5d0
SHA512 dddb4f70dcf8b5d8f1ad3704af4cf6566afe4fc53cfb1751cb15fb69da3eb92db2c9b32f5354248a9bf8346f063a0cca4b7a3ab2e316827c759a265acbdb2e18

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 06:30

Reported

2024-05-24 06:33

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
BE 2.17.196.131:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.131:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 131.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 46ec3288f304757aa581518b5f82a13f
SHA1 2bbadd644f54c3731a629cfc3550641428914055
SHA256 6b3248f4664a09c65f267850ce337d8d6b842a0458f77d24582be08970a0c85a
SHA512 b9674ee4d7e375790a336b93528cfaeea14d5fbedcb9ec6084d738c97c2fac4eea9dd4aaa4865756a151d4978dcfe95f952fcd84e1f01a7ed8f1c966860d104a

C:\Windows\SysWOW64\omsecor.exe

MD5 206b64e11b4cfa49af66e161c4cf56a2
SHA1 96cf5f0e9d77c19632d920c9b9b4c41b774bb747
SHA256 d9475d853ce70b69784b2bb695b85d73e24da4306d41d669109477dc26a43689
SHA512 63b092557c2008eb376a3653ee5ae8a75cefeb23fd7fec273016f3cc6a84a7358ae164d81f68c543d6beaa25fcc2dea26e1cbf73f1edbe57cacacbe2e275cb83