Analysis Overview
SHA256
d3892ab51867b39296f5e3dbf80326ac26af2f694951bbc359142989e1e00968
Threat Level: Known bad
The file 175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-09 08:19
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 08:19
Reported
2024-06-09 08:22
Platform
win7-20240220-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2228-12-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6915932c28c0b1e6603592398e25b5d4 |
| SHA1 | e403b1b7b58e57af03ac6bc803d0d2c6f7a30879 |
| SHA256 | b56a8f0a56ff26cbd2617b77293d8bd067a915d6996a8aab6bc9a24297094f57 |
| SHA512 | fd1ee9f8f6f9c83791219d589176ad7a93c69ede542df1ec4ff8b91aa75b8773d16cfef8e4be65179b026bc56661f2ba9ffd7f1e4808feb24dcc8528cf8b3a86 |
memory/3028-4-0x0000000000220000-0x000000000024D000-memory.dmp
memory/3028-3-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2228-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2228-16-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2228-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2228-22-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | d40f0b74a36b428b6096cc9561e038ca |
| SHA1 | 08e71ace3c62addc13d9276fbc56c212938460bb |
| SHA256 | 93797bfacea77a0e505fda3c23f4b396f42fe5f99001ba8754fafee5abea0257 |
| SHA512 | 53ec26dbf9ccfd33c61d9ef09d47588b680d5bcc0df2517242fb32a89f5b5129ae03797d8cd67b364c3581901a10faa7bbe026a364b1885a97ad11e509ada04b |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6d0018779111920b335cc8fd8d5a78e9 |
| SHA1 | 2cb5e17d2e2495fbd52cb8e776673695039cfaf9 |
| SHA256 | 7741d9f4c7253fcddc73525497d5b6e0ba3b5b24078efe7a72b29059086175e0 |
| SHA512 | 8e2ce44af98ded6b75997318d82ec11e681676df5d9ec227cde1ed356708e9c02e1cb46a969c2869dd804f6bf2b535e66ae156571a72e603734fad9c571b6bad |
memory/1632-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2200-44-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2200-34-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2228-32-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2228-25-0x0000000000430000-0x000000000045D000-memory.dmp
memory/1632-51-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 08:19
Reported
2024-06-09 08:22
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\175042bbe00a4a4a19ff0a5350a75220_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2836-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6915932c28c0b1e6603592398e25b5d4 |
| SHA1 | e403b1b7b58e57af03ac6bc803d0d2c6f7a30879 |
| SHA256 | b56a8f0a56ff26cbd2617b77293d8bd067a915d6996a8aab6bc9a24297094f57 |
| SHA512 | fd1ee9f8f6f9c83791219d589176ad7a93c69ede542df1ec4ff8b91aa75b8773d16cfef8e4be65179b026bc56661f2ba9ffd7f1e4808feb24dcc8528cf8b3a86 |
memory/2836-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1792-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1792-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1792-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1792-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1792-15-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a547a57f5e55bd9c921fb644715efcf0 |
| SHA1 | f19c6d51523c662ee3efd9cfa384445a51f6400e |
| SHA256 | e20103bd3142d568e408b762a3fdce2663948cd4d8c0d00f44f6a87756e045ba |
| SHA512 | 1f383ea46872b97b7eff6035db8a6caebaea642db9d6e43156fb701477bdd0b3643487b1069180d81f1d3fe7455167743196250ce8f4109eb61f7a49374634ab |
memory/1752-27-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1804-26-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1804-21-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 83c8ac7f85c968f71382571518e6f1d8 |
| SHA1 | ee371b6ef8ed69f02c8476b0b4587591341b415d |
| SHA256 | 2eea9920c86c7999b8d4e440991b8e62cde1bc9885f25bef24c000da4c1b4372 |
| SHA512 | 127fb87d275a6df1306bc3638dc5b28decca201ba6e00b548d53580547459770fe2b89a524db1b1a3547f7582244df14e1e134a698d4c55055e010b5ce7a84f2 |
memory/1792-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1752-29-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1752-32-0x0000000000400000-0x000000000042D000-memory.dmp