Malware Analysis Report

2024-09-11 08:38

Sample ID 240608-171rlshh53
Target 02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe
SHA256 d31484795baf627696616856ba6d748b9f72e329644b736266bb51ffa5c6537c
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

d31484795baf627696616856ba6d748b9f72e329644b736266bb51ffa5c6537c

Threat Level: Known bad

The file 02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 22:18

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 22:18

Reported

2024-06-08 22:20

Platform

win7-20240221-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2276 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2276 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2276 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2276 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2200 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2200 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2200 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2200 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2320 wrote to memory of 1496 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2320 wrote to memory of 1496 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2320 wrote to memory of 1496 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2320 wrote to memory of 1496 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/2276-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2276-8-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c56c0bef9598b5dc547ab73a23ab9114
SHA1 4d090dfe2bf80f2f5448e36fe479880b89752c30
SHA256 bd663f68410fc4b7fa94282106dad2b3d0a9b071b35b7edc753873f6541ae275
SHA512 8861f588f05131f3654fe2db56268d69739daf33fea20baadd0deb13af56ce69f34d4a9b3d9a77a5ec46e81822b0372d730f30134b15417fc55ca3cfdf3bea9d

memory/2200-10-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2200-12-0x0000000000400000-0x000000000042B000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 ccaa003eabb5b94bb441c0ade5121b99
SHA1 42d279fe92e08275c603d27bbdfb46d6a7058493
SHA256 13d36294d2bd29a57a6a0b9644f18de188f5c396c70098a1793a3d18bdb7e50c
SHA512 8762d82689d0feed670ee509735b3597a32ca3efba76f03fafe60cb10b1b72b04ed7ce647f06a92a93a86293be7d47a36836451dc94c18a5b9e37e26ac6f0f84

memory/2200-17-0x0000000000300000-0x000000000032B000-memory.dmp

memory/2200-23-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2320-25-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ec0b8560b8b2e6422a7de4f410830a01
SHA1 e368d1900d25530db699e551a316f21715b8e90b
SHA256 bd4c256146ffb60a6cbfe3a6366d4854ded03c2cdfb8e795eaff426338786a3f
SHA512 e57a909e50b22b044c3c3e29f2c1d5a38f158c09be986d582c9e3667511192cad7dd3fa2730686fdeaa9ebc859b2d66257e6a6bfd33cae3af3e69441f27cd986

memory/2320-34-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1496-37-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1496-38-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 22:18

Reported

2024-06-08 22:20

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\02970d89e3fe7000bc5904735cbe68c0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4100,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

memory/4816-0-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4816-5-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c56c0bef9598b5dc547ab73a23ab9114
SHA1 4d090dfe2bf80f2f5448e36fe479880b89752c30
SHA256 bd663f68410fc4b7fa94282106dad2b3d0a9b071b35b7edc753873f6541ae275
SHA512 8861f588f05131f3654fe2db56268d69739daf33fea20baadd0deb13af56ce69f34d4a9b3d9a77a5ec46e81822b0372d730f30134b15417fc55ca3cfdf3bea9d

memory/2036-6-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2036-7-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 a32547da1d775f5e614a35a4192ef9d6
SHA1 1fbd53915756ffee9f7e0b989f1dfde58334536b
SHA256 15dc8937d3c197f71db9146049d5cd3a27d7b1b92cbcdd06a57f9fc47f3f8886
SHA512 43532dc56a2ba96025d6020917cbfc9914fe2a25949749f89db035f7e05f2db7a30cbf883080b8297930111c047789f2e45ae9821396eb1375bc8400bbefd7a0

memory/2036-12-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4320-13-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 339e609d19cea381d1bd60a457fce223
SHA1 04858d3a668c9ced2fcdad4226c4cc374c2429e5
SHA256 ffabc904d4745e87c49c7313c082534adfe5abce5576b1bc3e236d2ca096f826
SHA512 d534f7c4bb629151370740547bd80f0db68e567fafb8fd0810a42010978fc77f8797abcc864e72cba6f44bdde786386a7fd28eda44dcfdf678fe2cb57be82ae4

memory/4320-16-0x0000000000400000-0x000000000042B000-memory.dmp

memory/60-18-0x0000000000400000-0x000000000042B000-memory.dmp

memory/60-20-0x0000000000400000-0x000000000042B000-memory.dmp