Analysis Overview
SHA256: a662b05a15e3e24dde18490265f30fbb296ff061d1ccb549bf6f48e236bd9b73
Threat Level: Known bad
The file a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-05-24 06:30
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-24 06:30
Reported: 2024-05-24 06:33
Platform: win7-20240221-en
Max time kernel: 146s
Max time network: 151s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 46ec3288f304757aa581518b5f82a13f |
| SHA1 | 2bbadd644f54c3731a629cfc3550641428914055 |
| SHA256 | 6b3248f4664a09c65f267850ce337d8d6b842a0458f77d24582be08970a0c85a |
| SHA512 | b9674ee4d7e375790a336b93528cfaeea14d5fbedcb9ec6084d738c97c2fac4eea9dd4aaa4865756a151d4978dcfe95f952fcd84e1f01a7ed8f1c966860d104a |

\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 27439e98753d69c55d1ac8cc561e11d9 |
| SHA1 | 54bd24c194c9543009deafb823aa653d723cd5ab |
| SHA256 | bb6b73720dee0a51118b10ed3313840f3d9dce2edcce29d32bd130650c8e985b |
| SHA512 | fddb4c4871bdeb40d3f5975b77add256792a5dbe84987e4489983fe8d09296c2af6468670f81bc7a7bcc3a7e9be34b74181ef3d677decadda3c40129dadd973a |

\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 22afee455ab54c0de7b1bfa13fe4252f |
| SHA1 | 9d718bc0638f7aaec7a6a0a8f51441d74d8fb5ec |
| SHA256 | a014eb5bf77b4b3421a9f40ad564a1a14b181c7a7e0a83f47355bfe23740e5d0 |
| SHA512 | dddb4f70dcf8b5d8f1ad3704af4cf6566afe4fc53cfb1751cb15fb69da3eb92db2c9b32f5354248a9bf8346f063a0cca4b7a3ab2e316827c759a265acbdb2e18 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-24 06:30
Reported: 2024-05-24 06:33
Platform: win10v2004-20240426-en
Max time kernel: 148s
Max time network: 151s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3972 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3972 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3972 wrote to memory of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3816 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3816 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3816 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a5474a809586ffc50816688408577fe0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| BE | 2.17.196.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.196.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 46ec3288f304757aa581518b5f82a13f |
| SHA1 | 2bbadd644f54c3731a629cfc3550641428914055 |
| SHA256 | 6b3248f4664a09c65f267850ce337d8d6b842a0458f77d24582be08970a0c85a |
| SHA512 | b9674ee4d7e375790a336b93528cfaeea14d5fbedcb9ec6084d738c97c2fac4eea9dd4aaa4865756a151d4978dcfe95f952fcd84e1f01a7ed8f1c966860d104a |

C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 206b64e11b4cfa49af66e161c4cf56a2 |
| SHA1 | 96cf5f0e9d77c19632d920c9b9b4c41b774bb747 |
| SHA256 | d9475d853ce70b69784b2bb695b85d73e24da4306d41d669109477dc26a43689 |
| SHA512 | 63b092557c2008eb376a3653ee5ae8a75cefeb23fd7fec273016f3cc6a84a7358ae164d81f68c543d6beaa25fcc2dea26e1cbf73f1edbe57cacacbe2e275cb83 |