Analysis Overview
SHA256
996e6e5bf4da0c16851e78c8ec3bf2796318b4b67379737919f80729144acd11
Threat Level: Known bad
The file 7be6f006702222359aaab85c08030290_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-08 00:34
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 00:34
Reported
2024-06-08 00:37
Platform
win7-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7be6f006702222359aaab85c08030290_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7be6f006702222359aaab85c08030290_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7be6f006702222359aaab85c08030290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7be6f006702222359aaab85c08030290_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2284-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f8eab149475faa921f14b2d6ccadd28c |
| SHA1 | 47d208c69e0ec49b983c192ccd6ff329569d92a7 |
| SHA256 | 7b3f33915f80c6bafd9864311bcc9a0b597f76f79e5c0ae34ad33d1fffaf740a |
| SHA512 | 9215926e8e7c288cb590b2b0c46911b4c1551e69abb573227e044cb5ad92b307cf2ffeee6658e9d14a6e110d5215e95d99564d036627ff0fc76ee0faafb77797 |
memory/2284-3-0x00000000002B0000-0x00000000002DB000-memory.dmp
memory/2284-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1900-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1900-13-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | e52a462ed278e73936444bb87336ff7e |
| SHA1 | dabdbbb0ba3b7afc7bfa30a9ad12f1cb93dc0258 |
| SHA256 | ecaecc6dc23c292982e68fbedba9cbbfd35262f6d8a435defef501a6123c802e |
| SHA512 | a57cf430b8bb4875979bc557e4121fe3ead053fd16d5d3e7cc706692a8613bc144682e87fb8d6a3f879916b28b95bdb78e4c00a920d7afb22387ee4e23202a46 |
memory/1900-18-0x0000000000310000-0x000000000033B000-memory.dmp
memory/1900-25-0x0000000000400000-0x000000000042B000-memory.dmp
memory/292-28-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 1041a33a2d879dcd7546703182f7a90a |
| SHA1 | 45f40a68010ee0a1bd1c5d22fb18119b2241f3e0 |
| SHA256 | f17c231c586187364e5a0005f43aa292f18e15f23acd6df055c15f132d93d425 |
| SHA512 | 0b13af763c3e33af05fcb6f7da6d22d0dbb536d3f90cacabd64b68cd1d8fa4816a1ad4544c273b01372b83e2a9a09403a97e5a7f68034e999bdd46d814455c77 |
memory/292-35-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2236-37-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2236-39-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 00:34
Reported
2024-06-08 00:37
Platform
win10v2004-20240426-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7be6f006702222359aaab85c08030290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7be6f006702222359aaab85c08030290_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2656-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f8eab149475faa921f14b2d6ccadd28c |
| SHA1 | 47d208c69e0ec49b983c192ccd6ff329569d92a7 |
| SHA256 | 7b3f33915f80c6bafd9864311bcc9a0b597f76f79e5c0ae34ad33d1fffaf740a |
| SHA512 | 9215926e8e7c288cb590b2b0c46911b4c1551e69abb573227e044cb5ad92b307cf2ffeee6658e9d14a6e110d5215e95d99564d036627ff0fc76ee0faafb77797 |
memory/2656-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1480-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1480-7-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2888-13-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5a3eeb4e5b26795cc69a24f1089a4f32 |
| SHA1 | 633395304581a413a6ffe07170aaa2f7061f5bdb |
| SHA256 | ce4726e52c1c6518741023309bb9d635858674af6d867527b28f8ef747b99d1d |
| SHA512 | 4db7f5892cbbfcaa2b2ab5ab352c0898694b172927cefad97ced3604745580307c6b5088fdb26fc179b6d0331125eac49d9a120ec71980fe767673b4d0815176 |
memory/2888-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1624-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1480-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 4ee7393f37436d2fb0475a188b78a3bd |
| SHA1 | b478c0fbe6d35b5c5dc224f5f5a231b2c59276c8 |
| SHA256 | 1ff8b7c77d5e29170c9cfda99b6cc01bd1881d9dbebe7735c84326f4ea11b0ae |
| SHA512 | 6a55ff70c35609768a29f12b681a1f6888e8d687c5f027eb5897be4dba6b85e195931876eb8252deefe2882a254353e1e323cd29bdc7ba37411ebfaf19bc9659 |
memory/1624-20-0x0000000000400000-0x000000000042B000-memory.dmp