Analysis Overview
SHA256
2ed200c727811e5fd928848a6d0131618e2e59195b945d076a04b47bd2d98bfe
Threat Level: Known bad
The file 0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-09 04:26
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 04:26
Reported
2024-06-09 04:28
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4364 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4364 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4364 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2580 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2580 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2580 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 84886f634019a6e8697756417f103e44 |
| SHA1 | b4ed1ba65002f222596c4ed010a01342d739a7ba |
| SHA256 | 94de9aad899088e368a87b84edc0e1a1d70213f86b5f34a8e0bbca0924c759ea |
| SHA512 | 16f18947e085e91eb5c41e7f7360907f9fec0549892b241d909d44a5a88e5f0237dccc7ef5181afa5b36548043bfb4a97d4a1b8b8c821f11d0800f6183b40825 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 32c78a437f970901fd855e9b4918fbac |
| SHA1 | 9d663a18889d25a4749aa005973348fc09204978 |
| SHA256 | 3f136b3b1e2575154b4c7ce1bfa1bc97c383e159fa5b6e0c89e084ea709f3c01 |
| SHA512 | d709725f9ab304df0434bd50defd98714fe4f31463af311cfa77286edd764bb9544c43ec15b2896cc9f2762c242d0dcfddd71cc6df00d81754667b683b85bf94 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 04:26
Reported
2024-06-09 04:28
Platform
win7-20240508-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f33803ad4a6eab18c108a93e8ed6e00_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 84886f634019a6e8697756417f103e44 |
| SHA1 | b4ed1ba65002f222596c4ed010a01342d739a7ba |
| SHA256 | 94de9aad899088e368a87b84edc0e1a1d70213f86b5f34a8e0bbca0924c759ea |
| SHA512 | 16f18947e085e91eb5c41e7f7360907f9fec0549892b241d909d44a5a88e5f0237dccc7ef5181afa5b36548043bfb4a97d4a1b8b8c821f11d0800f6183b40825 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 98392baa0e4905edbef23126314bb727 |
| SHA1 | 8085c6bc51d2a0fa2852de20f977ac83eb3eaa5d |
| SHA256 | 5dd053d5d1735533f3b1a7fb0f8b1822b36868778199cb365ed79cc05a546ef0 |
| SHA512 | 9143e04ca43284d59cb4cd6fa17e3588c9bb633942244387da7d30a8ad52398b50a0c1d28d2f0edd243a8d4a7c07a06b843084a0da0277e3513636732cb3a9e7 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2f0ad54b466e555bd7c4deff0b112a0c |
| SHA1 | 1a75c462e853062585127560dcabe271043f9d11 |
| SHA256 | 5e0ad9e5a17dc85025282a61de161ba3a53c804821ce878e69fbf66f23bbaf0e |
| SHA512 | 4dbc17b1ae0fd14033ae012d582d8aa8ccf05b3ebf47e2bf3df812b6a237b48fe455b7663d2b5be7dcff05c5654e383d15fdb254bcf59ddd3558eedfea56e64f |