Analysis Overview
SHA256
b9ae3f7c1c219bf84e862d9588da9d34f68f1bbbff242b86c814dcbf4c1b1707
Threat Level: Known bad
The file 0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-09 03:04
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 03:03
Reported
2024-06-09 03:07
Platform
win7-20240221-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2812-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 66666358dc85a10bb342681b6811942f |
| SHA1 | ba53910509bc01f73a9a97aab3a66e935774f55d |
| SHA256 | c302add7b955f5381fc1a3c1eeac1f54e6929d38e12caa15ccbb130a50356eda |
| SHA512 | 68d7392288d667759aaa520c32cab2bdfb37826f9d32f3834f96fd3adc07715beb779e8ccd46d5586cf7f1b698ad971e217acba1e10a51bdea8718b0c134a942 |
memory/2812-4-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/2812-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2632-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2812-13-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/2632-14-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | a40048682d5eb5a0bb2df800e9d951ac |
| SHA1 | 24233ee13e5f02d3cf43bccabda471873f4bc73a |
| SHA256 | bc9ae641e32638a924c9b9fed6866fe3072117ccd373c96481c3596fc398cf2f |
| SHA512 | 7d12ba4621523373a3f575ddc424788c8740f709cbe6676011db8056b441c80debc6cacefa905f339dc3dda858411ba4608786ebe6d473beb7194e1e2532e8a8 |
memory/2632-19-0x00000000024F0000-0x000000000251B000-memory.dmp
memory/2632-29-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1432-28-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2632-27-0x00000000024F0000-0x000000000251B000-memory.dmp
memory/1432-30-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 03:03
Reported
2024-06-09 03:07
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3020 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3020 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3020 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3032 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3032 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3032 wrote to memory of 3844 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0cbf8a08556a92c3a9b8be1a0d423a20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 66666358dc85a10bb342681b6811942f |
| SHA1 | ba53910509bc01f73a9a97aab3a66e935774f55d |
| SHA256 | c302add7b955f5381fc1a3c1eeac1f54e6929d38e12caa15ccbb130a50356eda |
| SHA512 | 68d7392288d667759aaa520c32cab2bdfb37826f9d32f3834f96fd3adc07715beb779e8ccd46d5586cf7f1b698ad971e217acba1e10a51bdea8718b0c134a942 |
memory/3032-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3020-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3020-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3032-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | ec9297108db0b0729a7f656009ee53be |
| SHA1 | f8d6a3279893a43c79731bda31691006e3bb43af |
| SHA256 | 511ee3bc0daf8331249374323f1b489782768d85f9eb05d1037805fea0231681 |
| SHA512 | 1142dd43ce9a2fd0b7db09b5752e1ab781cb4157b32c90b9dbd6e2a1ec7ef27ca928d61b6eadd1772d16be536af60b694ce233a12efd816561e30c8792e3f076 |
memory/3032-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3844-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3844-14-0x0000000000400000-0x000000000042B000-memory.dmp