Analysis Overview
SHA256
3b5983bf6ec8ba16dfe76258e5403324fad0a66dc4f2b8be6a6fe3d9a791e06b
Threat Level: Known bad
The file 7108edcbe5eae3bb64cd5bb9dd52ae80_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-07 22:04
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 22:04
Reported
2024-06-07 22:06
Platform
win7-20240215-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7108edcbe5eae3bb64cd5bb9dd52ae80_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7108edcbe5eae3bb64cd5bb9dd52ae80_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7108edcbe5eae3bb64cd5bb9dd52ae80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7108edcbe5eae3bb64cd5bb9dd52ae80_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 07ea994836f0a037562b6064a195aba0 |
| SHA1 | 0932e685dd4849b69e48bc3193ca74b1184f16ec |
| SHA256 | 1c7b6be3b289dac130e721db1b0419d40c7d65b4efefef461b06f682c5c298d7 |
| SHA512 | 902190eb1808372d88bebff536864879ff250e3d9ed2c635dee8c5c4778c54df1f9b28acd830c2570bb343dd02b859ac2cb96f48e00b460bf22aa2f0100ff4d0 |
\Windows\SysWOW64\omsecor.exe
| MD5 | dbf372f1a88e3918d1252f846264926b |
| SHA1 | 56a9efb66dad95831467226cbe631224eddcf41f |
| SHA256 | 02e33c46d94a5bbd6f4df0ec8c407ea0218385dea93b2e91126fcc2b651d4873 |
| SHA512 | c4edd067d1fd54b54eae85e99081424a3799ca9bad3c6a2d9e8fae8fdc04a5d06732e74ea63c3d0f0c7e293443a339276d36d7e15bb94e4879a34cffb4762cf8 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 28fe436f9503eca04d1fa4bcf9d57bfe |
| SHA1 | e269132bcde892efa5cbd552f3e93d078793b926 |
| SHA256 | 64e6cde89d0145965ee0dc40cbf0039aba297c0013c46443ea51ecc8a6a52488 |
| SHA512 | 19ae177630fffe4a01e2a469a2b2e85956c24cd26f73c32ad3595bf07c5f32c6b2ef53b0084fe3d0de10a662d28db31660253bda03bb79e488b4034a594c3742 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 22:04
Reported
2024-06-07 22:06
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7108edcbe5eae3bb64cd5bb9dd52ae80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7108edcbe5eae3bb64cd5bb9dd52ae80_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.147.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 07ea994836f0a037562b6064a195aba0 |
| SHA1 | 0932e685dd4849b69e48bc3193ca74b1184f16ec |
| SHA256 | 1c7b6be3b289dac130e721db1b0419d40c7d65b4efefef461b06f682c5c298d7 |
| SHA512 | 902190eb1808372d88bebff536864879ff250e3d9ed2c635dee8c5c4778c54df1f9b28acd830c2570bb343dd02b859ac2cb96f48e00b460bf22aa2f0100ff4d0 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 850fd4ddfff6f831f44aa301686b7fd9 |
| SHA1 | 57774dedfabf2cf643c246761c8edab65d433940 |
| SHA256 | 2cb3aa7b0243b058450af79c694a612eb092b4997bb47a4e319931612f352506 |
| SHA512 | f436346020485f558f3c99f6eb57d370d61eed57d3bf3a55aa8f28a7b2a6bbb844b536f113053132fcc90ba1e0aecf4ca4b5f3245ec38cac5f6753444a95f507 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6e117db69cf0bc07f65abd4b17919cfa |
| SHA1 | 79eae4644d1a7b5468edc7443ed5144e2fa46d6e |
| SHA256 | 9cd69a535144caf216f3e5bf2603b5d7888c73f196d0e9ee5e4789f146767211 |
| SHA512 | d7ebd72dc4e277f8ee9aefef80d1929b92d75593160daeebdd26bc2de2b4332c173094ab1f70d2b51dac8882ba13af20d3a76ca29f657f11f1ebafedc3cbd4af |