Malware Analysis Report

2024-09-11 08:38

Sample ID 240608-cydnqage89
Target 83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe
SHA256 0bfdf009acefcc18b0e7077b1f7ecdad84cdaa546b792e7376ea9c26f5fdf920
Tags neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 0bfdf009acefcc18b0e7077b1f7ecdad84cdaa546b792e7376ea9c26f5fdf920

Threat Level: Known bad

The file 83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 02:28

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 02:28

Reported

2024-06-08 02:31

Platform

win7-20240215-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1756 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1756 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1756 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1660 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1660 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1660 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1660 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2960 wrote to memory of 1652 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2960 wrote to memory of 1652 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2960 wrote to memory of 1652 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2960 wrote to memory of 1652 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe
Command line "C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe"

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Image C:\Windows\SysWOW64\omsecor.exe
Command line C:\Windows\System32\omsecor.exe

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 eb940aa1bc3be9a55183f507eff5da82
SHA1 dccbf1a03912833661c3e1f12def53265b65d327
SHA256 469449f9ed73d3c7eb99e4b011eab00188a4d95073cc9f2e60cf9494b519c332
SHA512 4f9727a81196efbea9888f06d2b06c262606a25dde8f361012f5d1945e155ae96551290174534cdb86ebd2d1934980be605a01fb7cbdad5942f792baf445e644

\Windows\SysWOW64\omsecor.exe

MD5 6d0c1a8db1fde150498a4a5e32bbfff0
SHA1 4c85da8f7f85ebae4091ec56f2472282470ed0fc
SHA256 1547c3ef84ead748b769f6e402c0b79a12a7075d2d4fb77052f0ccd91dc9cdf3
SHA512 f1b766cbb0ef0a0dc270bc41123e2b1702d973d5ea2691066fb05de90377f8af41024b221bbf98763e91d6d84d982d8a98bd87f02a7d6381e455ab6f0aebb345

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 afef870bbd76a4a326b75abcb3137133
SHA1 db849faaa96a36ac9f223b3c23e17c798290126f
SHA256 c358e19f27493ea563e71835d7ef7d77e9bde0ae1f2120306fbbe4dbb7610a28
SHA512 eb9079795680104251179e591efb316ce2908b96393cd8c52eb2027989da99f6448b7080884b2d222cd40775444945f95f1b2e3909d75c0ae4de44d0674deaa2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 02:28

Reported

2024-06-08 02:31

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Image C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe
Command line "C:\Users\Admin\AppData\Local\Temp\83c735b8f1208ad86319bf6bb265c340_NeikiAnalytics.exe"

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Image C:\Windows\SysWOW64\omsecor.exe
Command line C:\Windows\System32\omsecor.exe

Image C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 udp
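The behavioral2 network table mixes three kinds of rows: DNS queries to the sandbox resolver 8.8.8.8 (where the queried name is the indicator, not the resolver), reverse in-addr.arpa lookups, and the actual TCP connections to port 80. The last row has no domain at all. The script below is an added example, not part of the report: it parses the rows as printed (copied into a constructed string), keeps the resolver out of the IP list, decodes each in-addr.arpa name back into the IP it asks about, and separates PTR lookups that match a C2 address the sample actually connected to from ones that do not appear anywhere else in the run. It assumes 8.8.8.8 is the only resolver, which is what every port-53 row in both runs shows.

```python
# Added example (not part of the sandbox report): turn the behavioral2 network
# table into indicators. Rows are copied from the page into a constructed
# string; the final row really has no domain column, as printed.
import re
from collections import defaultdict

NETWORK_ROWS = """\
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 udp
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(text):
    """(country, ip, port, domain, proto) per row; domain is None when the column is missing."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def ptr_to_ip(name):
    """'73.91.225.64.in-addr.arpa' -> '64.225.91.73'; None for anything that is not a PTR name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def extract_iocs(text, resolvers=("8.8.8.8",)):
    rows = parse_rows(text)
    contacted = defaultdict(set)  # domain -> IPs the sample actually connected to
    queried = set()               # forward lookups sent to the resolver
    ptr_ips = set()               # IPs asked about via reverse lookups
    skipped = 0
    for _, ip, port, domain, proto in rows:
        if ip in resolvers and port == 53:
            if domain is None:
                skipped += 1          # row with no name: nothing to extract
                continue
            rev = ptr_to_ip(domain)
            if rev:
                ptr_ips.add(rev)
            else:
                queried.add(domain)
        elif domain is not None:
            contacted[domain].add(ip)
    contacted_ips = set().union(*contacted.values()) if contacted else set()
    return {
        "domains": sorted(queried | set(contacted)),
        "resolved": dict(contacted),
        "ips": sorted(contacted_ips),          # resolver deliberately excluded
        "ptr_for_contacted": ptr_ips & contacted_ips,
        "ptr_unrelated": ptr_ips - contacted_ips,
        "skipped_rows": skipped,
    }


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    for key in ("domains", "ips", "ptr_for_contacted", "ptr_unrelated", "skipped_rows"):
        print(f"{key}: {iocs[key]}")
```

Two of the nine reverse lookups resolve to C2 addresses contacted in the same run (64.225.91.73 and 52.34.198.229); the other seven are for addresses the sample never connects to and should not go on a blocklist on the strength of this report alone.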

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 eb940aa1bc3be9a55183f507eff5da82
SHA1 dccbf1a03912833661c3e1f12def53265b65d327
SHA256 469449f9ed73d3c7eb99e4b011eab00188a4d95073cc9f2e60cf9494b519c332
SHA512 4f9727a81196efbea9888f06d2b06c262606a25dde8f361012f5d1945e155ae96551290174534cdb86ebd2d1934980be605a01fb7cbdad5942f792baf445e644

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c6b181f080d8adc829d0f602b9bfcb48
SHA1 8e88b19a0a26a5f3863e7219b07a3efbf14e06e0
SHA256 00e2b4511480aeab1794f1d8eaedec3aa157ac060ed42b169d03f20b40d10be0
SHA512 48d80dfb202bf36f0805fd6f7d56058d6cbb48236df385e639c106981a8bda46f056e3c908725240ff320324f127247ce3dc579db1e6a15da54ee80eaf376fab

C:\Windows\SysWOW64\omsecor.exe

MD5 afef870bbd76a4a326b75abcb3137133
SHA1 db849faaa96a36ac9f223b3c23e17c798290126f
SHA256 c358e19f27493ea563e71835d7ef7d77e9bde0ae1f2120306fbbe4dbb7610a28
SHA512 eb9079795680104251179e591efb316ce2908b96393cd8c52eb2027989da99f6448b7080884b2d222cd40775444945f95f1b2e3909d75c0ae4de44d0674deaa2