Analysis Overview

score

10^/10

SHA256

eb463c48a9efdee15ea202dc72ee678db9fb50b607e062cbec3fcdaf92bcf9ad

Threat Level: Known bad

The file 7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 00:22

Signatures

Neconyd family

neconyd

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 00:22

Reported

2024-06-08 00:24

Platform

win7-20240419-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2932 wrote to memory of 2380	N/A	C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2932 wrote to memory of 2380	N/A	C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2932 wrote to memory of 2380	N/A	C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2932 wrote to memory of 2380	N/A	C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2380 wrote to memory of 1884	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2380 wrote to memory of 1884	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2380 wrote to memory of 1884	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2380 wrote to memory of 1884	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 1884 wrote to memory of 1656	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1884 wrote to memory of 1656	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1884 wrote to memory of 1656	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1884 wrote to memory of 1656	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	52.34.198.229:80	ow5dirasuek.com	tcp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	64d8940ae3428d339993a804bff01098
SHA1	7e7d78650cdea6c145a29c297561a5cf6f56bbb8
SHA256	722d11ae6fab9db23f4d8e6c74fbe58d1a7217d9b994f2ab246f63f0876a8345
SHA512	a92d23a7810a35d226c55a589d03417c37d10ccb0ab2fc801273f9f3f16aca2526d566e6a5390de68184e928ec6d8e469f8c7ad7c87ca469b5d6b7e80c10ff6a

\Windows\SysWOW64\omsecor.exe

MD5	297ab02206939839185c4af842c55fc0
SHA1	2b556b0b33eb7c61a0d4a648442a7be7e0213138
SHA256	4cb30525723e6f5bdad1c0893323bf3cd47d204372dc1f0aa785ea9a5bbc65cc
SHA512	ff7d9cc99565a73f55291751d314a7faa77b19cb457d4a237e3f9c8d23b7ff0105fa2f017b40383116bcf240a54ccbee3a71a33e118e6e8f3237a123e76e5146

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	3e770b1db210399422e5ca9da1c3b1f2
SHA1	636a75fb354b721f76188f0861572f06994f41e3
SHA256	6508fa2150785142ff98ba4d9bfe7dad1c32cbfafca48e8e9a57cede75d35013
SHA512	84ff39bdf081010b72cc583e0bc3052f97101e1448ef52931cc2f6dffb9dabf5659932365b8b96683c9ff5b74c44b21117962f85a039cd7f87a926bfdf204abb

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 00:22

Reported

2024-06-08 00:24

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2960 wrote to memory of 212	N/A	C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2960 wrote to memory of 212	N/A	C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2960 wrote to memory of 212	N/A	C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 212 wrote to memory of 2268	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 212 wrote to memory of 2268	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 212 wrote to memory of 2268	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2268 wrote to memory of 3660	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2268 wrote to memory of 3660	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2268 wrote to memory of 3660	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	183.142.211.20.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	71.31.126.40.in-addr.arpa	udp
US	8.8.8.8:53	133.211.185.52.in-addr.arpa	udp
US	8.8.8.8:53	26.165.165.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	15.164.165.52.in-addr.arpa	udp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	73.91.225.64.in-addr.arpa	udp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	52.34.198.229:80	ow5dirasuek.com	tcp
US	8.8.8.8:53	229.198.34.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	13.227.111.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	11.173.189.20.in-addr.arpa	udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	64d8940ae3428d339993a804bff01098
SHA1	7e7d78650cdea6c145a29c297561a5cf6f56bbb8
SHA256	722d11ae6fab9db23f4d8e6c74fbe58d1a7217d9b994f2ab246f63f0876a8345
SHA512	a92d23a7810a35d226c55a589d03417c37d10ccb0ab2fc801273f9f3f16aca2526d566e6a5390de68184e928ec6d8e469f8c7ad7c87ca469b5d6b7e80c10ff6a

C:\Windows\SysWOW64\omsecor.exe

MD5	9c09e6e83e6be359dfee271fcb0469ac
SHA1	fe5a6a5f95f310bd02e19bc8d2cc92b76f211dbf
SHA256	210d10515f1c95853d6d881b7db5dac9a719cc0eb6e4ed2715f5f03cdcbf093a
SHA512	7cf04595da7deafd5dbfa7a5255ca067600ccc77df2598257ff693ff054f270cf63260988b4679bd2cf2826bc8b64ba3a7351886447fc7add17b79ae99d5223d

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	37bc8d5011ba09a4603253ff5da941ab
SHA1	eb27bc16988055b0761c6a792c5fac4a8092b1e7
SHA256	5600b3898a4b1e717a465f532ab089b9ed1434f7bd19e732d30a28696ff907e4
SHA512	f1afdec4409d37a5d8f25229f15ef9cf7caf5c0c4b4a97bb9ef4be0996965e7b26376e0f20b7713387e2d7901fd95697ab44dca3ce593623d25a24616035e0e7

Sample ID	240608-an2axsed8s
Target	7b16ab832b6f4b1444c0169b0a780140_NeikiAnalytics.exe
SHA256	eb463c48a9efdee15ea202dc72ee678db9fb50b607e062cbec3fcdaf92bcf9ad
Tags	neconyd trojan

Malware Analysis Report

2024-09-11 08:36

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files