Malware Analysis Report

2024-11-16 13:01

Sample ID: 240524-gpsthafg77
Target: 8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe
SHA256: e441623b3f9fcf537629949deea54867f0e3fcdfa4722afc022b2f2451c32d6e
Tags: neconyd trojan
Score: 10/10


Analysis Overview


Threat Level: Known bad

The file 8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-24 05:59

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-24 05:59
Reported: 2024-05-24 06:01
Platform: win7-20240419-en
Max time kernel: 148s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2656 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2656 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2656 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2656 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3040 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3040 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3040 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 3040 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2128 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2128 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2128 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2128 wrote to memory of 1452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network


Files

memory/2656-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3040-11-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 950766b18b053ae0a851e7f1b8d3dd69
SHA1 ba64e32dae0f173a8a0ab453721e523676400be2
SHA256 f84601adae395665186749022606c8b9989faff56088ed0f9da1df1175e5de39
SHA512 d48883bc6ca6863004298913a13f4d567aac2419dbc2491027667fdfd4040e52d6b7b1e35c56f2aa96c3bd42dc48c841fefc35cde89284d15144e942f6bc8e77

memory/2656-8-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3040-12-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 93e47cad1b460c166d8d13401bca08ca
SHA1 da8e2d956855ace6cb4cab4b7df8bf8085de0a06
SHA256 6c46590baaab20c4917ddeb4c89cbe41fe8459ae9899c9edaf45d0b0229310b3
SHA512 c236547ccd229b97dbffd9a31aca2bb41c370de7e30616a5da4ed84c6da81ee2e51ce8a1b67f547e61f1cfabe99729c89fbbfa14e4cfcec5b922d127dbba4e5b

memory/3040-17-0x0000000000370000-0x000000000039B000-memory.dmp

memory/3040-24-0x0000000000400000-0x000000000042B000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3266cb19577719c5d96db0a5fd2f63f5
SHA1 dc50566d333d4a16c2f924c08591b79e5be61b46
SHA256 e39722918a72a579b7494d5c563cb7bef578c1fd4ce9a78127365e4cd13a5771
SHA512 e425a4ac501272beb3d982264bcba8ce090f458a49bc80223a076e89617177a3842cc91a7524146bafd215ce00116829ac73fa15bab12b52f81e5271f4dc8dcc

memory/2128-33-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1452-35-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1452-37-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-24 05:59
Reported: 2024-05-24 06:01
Platform: win10v2004-20240226-en
Max time kernel: 132s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network


Files

memory/4300-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 950766b18b053ae0a851e7f1b8d3dd69
SHA1 ba64e32dae0f173a8a0ab453721e523676400be2
SHA256 f84601adae395665186749022606c8b9989faff56088ed0f9da1df1175e5de39
SHA512 d48883bc6ca6863004298913a13f4d567aac2419dbc2491027667fdfd4040e52d6b7b1e35c56f2aa96c3bd42dc48c841fefc35cde89284d15144e942f6bc8e77

memory/2864-4-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4300-6-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2864-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 df2379aec2f7f0636d4e8a8ab8ef7db0
SHA1 2f5f6a39dcc613cff8260babb6b831afc6b69532
SHA256 e40eb88c2472a4859d3d0eb5361d3661d45673ac06af74b41d73f79ca0346b75
SHA512 6fb4efb2c5e22fa01e49648d09c1030c4e455e196eb353b5e3f7c68ed1348468d60ff76de3a57a7281afa83e5ec01a26095a231ec739a1f1bcfc3aa4a9223acb

memory/1856-13-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2864-12-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1856-14-0x0000000000400000-0x000000000042B000-memory.dmp