Analysis Overview
SHA256
e441623b3f9fcf537629949deea54867f0e3fcdfa4722afc022b2f2451c32d6e
Threat Level: Known bad
The file 8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-24 05:59
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-24 05:59
Reported
2024-05-24 06:01
Platform
win7-20240419-en
Max time kernel
148s
Max time network
149s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
The third process was started with the command line C:\Windows\System32\omsecor.exe but its image is C:\Windows\SysWOW64\omsecor.exe. Every mapped image in this run sits at 0x400000-0x42B000, consistent with a 32-bit PE, so WoW64 file-system redirection maps System32 to SysWOW64 both for the drop and for the execution. Rules that match the literal System32 path from the command line will not match the file on disk; match on the basename or on both directories.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
The dropped copies are not byte-stable: C:\Users\Admin\AppData\Roaming\omsecor.exe is recorded twice in this run with different hashes (MD5 950766b1... and then 3266cb19...), and the SysWOW64 copy differs between this run and behavioral2 (MD5 93e47cad... here, df2379ae... there). Treat hash IOCs for the dropped files as per-run; the paths, the process chain and the network destinations are the durable indicators.
memory/2656-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3040-11-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 950766b18b053ae0a851e7f1b8d3dd69 |
| SHA1 | ba64e32dae0f173a8a0ab453721e523676400be2 |
| SHA256 | f84601adae395665186749022606c8b9989faff56088ed0f9da1df1175e5de39 |
| SHA512 | d48883bc6ca6863004298913a13f4d567aac2419dbc2491027667fdfd4040e52d6b7b1e35c56f2aa96c3bd42dc48c841fefc35cde89284d15144e942f6bc8e77 |
memory/2656-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3040-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 93e47cad1b460c166d8d13401bca08ca |
| SHA1 | da8e2d956855ace6cb4cab4b7df8bf8085de0a06 |
| SHA256 | 6c46590baaab20c4917ddeb4c89cbe41fe8459ae9899c9edaf45d0b0229310b3 |
| SHA512 | c236547ccd229b97dbffd9a31aca2bb41c370de7e30616a5da4ed84c6da81ee2e51ce8a1b67f547e61f1cfabe99729c89fbbfa14e4cfcec5b922d127dbba4e5b |
memory/3040-17-0x0000000000370000-0x000000000039B000-memory.dmp
memory/3040-24-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3266cb19577719c5d96db0a5fd2f63f5 |
| SHA1 | dc50566d333d4a16c2f924c08591b79e5be61b46 |
| SHA256 | e39722918a72a579b7494d5c563cb7bef578c1fd4ce9a78127365e4cd13a5771 |
| SHA512 | e425a4ac501272beb3d982264bcba8ce090f458a49bc80223a076e89617177a3842cc91a7524146bafd215ce00116829ac73fa15bab12b52f81e5271f4dc8dcc |
memory/2128-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1452-35-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1452-37-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-24 05:59
Reported
2024-05-24 06:01
Platform
win10v2004-20240226-en
Max time kernel
132s
Max time network
141s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4300 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4300 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4300 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2864 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2864 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2864 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8 |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
The WriteProcessMemory table above gives the parent-child order: PID 4300 (the sample) writes into 2864 (Roaming\omsecor.exe), which writes into 1856 (SysWOW64\omsecor.exe). The Edge utility process is background activity of the Windows 10 image; no relationship to the sample is recorded in this report's tables. As in behavioral1, the last stage is launched with a System32 path and runs from SysWOW64 because of WoW64 file-system redirection.
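The staging chain recorded in behavioral1 and behavioral2 (sample in %TEMP% spawns a copy in %APPDATA%\Roaming, which writes a same-named EXE into SysWOW64 and executes it) can be expressed as detection logic over process-creation and file-creation telemetry. The following is an added example, not code from the sandbox or from this report: the event schema is a simplified Sysmon-like shape invented here, and the events are constructed to mirror the PIDs and paths in the behavioral2 tables, with Edge rows as noise that must not match.

```python
"""
Added example: detect the dropper -> %APPDATA%\Roaming -> SysWOW64 chain.
The Event schema is a simplified, Sysmon-like shape invented for this
example; the EVENTS list is constructed from the report's tables, not
real telemetry.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str          # "process_create" or "file_create"
    pid: int           # acting process
    image: str         # on-disk image of the acting process
    ppid: int = 0      # parent PID (process_create only)
    cmdline: str = ""  # command line (process_create only)
    target: str = ""   # created file (file_create only)


def _norm(path: str) -> str:
    """Case-fold and use backslashes so substring checks are stable."""
    return path.replace("/", "\\").lower()


def _base(path: str) -> str:
    return ntpath.basename(_norm(path))


def wow64_redirected(proc: Event) -> bool:
    """Command line names System32 but the image lives in SysWOW64: the
    WoW64 file-system redirector rewrote the path for a 32-bit process."""
    return ("\\windows\\system32\\" in _norm(proc.cmdline)
            and "\\windows\\syswow64\\" in _norm(proc.image))


def find_staging_chains(events: list[Event]) -> list[dict]:
    """One record per chain: a parent under %TEMP% spawns a child under
    %APPDATA%\\Roaming, which writes a same-named EXE into SysWOW64 or
    System32 and then spawns it."""
    procs = {e.pid: e for e in events if e.kind == "process_create"}
    chains = []
    for stage1 in procs.values():
        img = _norm(stage1.image)
        parent = procs.get(stage1.ppid)
        if parent is None or "\\appdata\\roaming\\" not in img:
            continue
        if "\\appdata\\local\\temp\\" not in _norm(parent.image):
            continue
        for fc in events:
            if fc.kind != "file_create" or fc.pid != stage1.pid:
                continue
            tgt = _norm(fc.target)
            in_sysdir = ("\\windows\\syswow64\\" in tgt
                         or "\\windows\\system32\\" in tgt)
            if not in_sysdir or _base(tgt) != _base(img):
                continue
            stage2 = [p for p in procs.values()
                      if p.ppid == stage1.pid and _norm(p.image) == tgt]
            chains.append({
                "dropper_pid": parent.pid,
                "stage1_pid": stage1.pid,
                "dropped": fc.target,
                "stage2_pids": sorted(p.pid for p in stage2),
                "wow64_redirected": any(wow64_redirected(p) for p in stage2),
            })
    return chains


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8c17cdc0555a721bafea19150b695460_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events modelled on the behavioral2 tables (PIDs 4300, 2864,
# 1856 are the report's); the parent PID 700 and the Edge rows are made up.
EVENTS = [
    Event("process_create", 4300, SAMPLE, ppid=700, cmdline=f'"{SAMPLE}"'),
    Event("process_create", 2864, ROAMING, ppid=4300, cmdline=ROAMING),
    Event("file_create", 2864, ROAMING, target=SYSWOW),
    # started with the System32 path, runs from SysWOW64 (WoW64 redirection)
    Event("process_create", 1856, SYSWOW, ppid=2864,
          cmdline=r"C:\Windows\System32\omsecor.exe"),
    # background browser activity that must not match
    Event("process_create", 5100, EDGE, ppid=5000,
          cmdline=f'"{EDGE}" --type=utility'),
    Event("file_create", 5100, EDGE,
          target=r"C:\Users\Admin\AppData\Local\Temp\edge.tmp"),
]

if __name__ == "__main__":
    for chain in find_staging_chains(EVENTS):
        print(chain)
```

The match is keyed on the relationship between three events (parent directory, child directory, same basename dropped into a system directory, then executed by the dropper), not on the name omsecor.exe, so a renamed build of the same family still matches; the wow64_redirected flag records the System32/SysWOW64 mismatch visible in the report's Processes tables.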
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 216.58.201.106:443 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
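The Network tables in both runs mix the sample's contacts with traffic the sandbox generates itself: queries to the 8.8.8.8 resolver, reverse (in-addr.arpa) lookups of addresses the Windows 10 image talks to, and a TLS connection with no recorded domain. The following is an added example, not part of the report, that parses this page's pipe-delimited table format into a deduplicated IOC set. The input rows are copied from the tables above as constructed input; the resolver list is an assumption for this sandbox.

```python
"""
Added example: turn the pipe-delimited Network table used on this page
into a deduplicated IOC set, separating the sample's contacts from the
sandbox's own resolver and PTR traffic.  NETWORK_TABLE is constructed from
rows copied off this page; RESOLVERS is an assumption about the sandbox.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Sandbox DNS resolver; queries to it are not contacts with attacker infrastructure.
RESOLVERS = {"8.8.8.8"}
PROTOS = {"tcp", "udp"}

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| GB | 216.58.201.106:443 | tcp | |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
"""


def parse_rows(text: str) -> list[dict]:
    """Parse '| Country | ip:port | domain | proto |' rows; skip the header."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0].lower() == "country":
            continue
        country, dest, domain, proto = cells
        # Tolerate the shape '| GB | ip:port | tcp | |' where an empty
        # Domain cell collapsed and the protocol slid one column left.
        if domain.lower() in PROTOS and not proto:
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        ipaddress.ip_address(host)  # raises on anything that is not an IP literal
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def extract_iocs(text: str) -> dict:
    """Return queried domains, per-domain endpoints, and endpoints that
    were contacted without any recorded domain (need analyst attribution)."""
    domains: set[str] = set()
    connections: dict[str, set] = defaultdict(set)
    unattributed: set = set()
    for r in parse_rows(text):
        if r["ip"] in RESOLVERS:
            # DNS query: keep the queried name, drop PTR lookups of the
            # sandbox's own peers, never list the resolver as an endpoint.
            if r["domain"] and not r["domain"].endswith(".in-addr.arpa"):
                domains.add(r["domain"])
            continue
        endpoint = (r["ip"], r["port"], r["proto"])
        if r["domain"]:
            domains.add(r["domain"])
            connections[r["domain"]].add(endpoint)
        else:
            unattributed.add(endpoint)
    return {"domains": domains, "connections": dict(connections),
            "unattributed": unattributed}


if __name__ == "__main__":
    for key, value in extract_iocs(NETWORK_TABLE).items():
        print(key, value)
```

The unattributed bucket is kept rather than dropped so the 443 connection without a domain is reviewed instead of silently becoming an IOC or silently disappearing; the three plain-HTTP destinations carry the names the sample itself resolved.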
Files
memory/4300-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 950766b18b053ae0a851e7f1b8d3dd69 |
| SHA1 | ba64e32dae0f173a8a0ab453721e523676400be2 |
| SHA256 | f84601adae395665186749022606c8b9989faff56088ed0f9da1df1175e5de39 |
| SHA512 | d48883bc6ca6863004298913a13f4d567aac2419dbc2491027667fdfd4040e52d6b7b1e35c56f2aa96c3bd42dc48c841fefc35cde89284d15144e942f6bc8e77 |
memory/2864-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4300-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2864-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | df2379aec2f7f0636d4e8a8ab8ef7db0 |
| SHA1 | 2f5f6a39dcc613cff8260babb6b831afc6b69532 |
| SHA256 | e40eb88c2472a4859d3d0eb5361d3661d45673ac06af74b41d73f79ca0346b75 |
| SHA512 | 6fb4efb2c5e22fa01e49648d09c1030c4e455e196eb353b5e3f7c68ed1348468d60ff76de3a57a7281afa83e5ec01a26095a231ec739a1f1bcfc3aa4a9223acb |
memory/1856-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2864-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1856-14-0x0000000000400000-0x000000000042B000-memory.dmp