Analysis Overview
SHA256
35dcfd87fd3d7d1d91c78cac90310700be772b010b9a68525a1dfe1f15f7c389
Threat Level: Known bad
The file 1db3922c69adf6cefc54f3c120ed6950_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-10 22:29
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 22:29
Reported
2024-06-10 22:31
Platform
win7-20240221-en
Max time kernel
145s
Max time network
147s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1db3922c69adf6cefc54f3c120ed6950_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1db3922c69adf6cefc54f3c120ed6950_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1db3922c69adf6cefc54f3c120ed6950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1db3922c69adf6cefc54f3c120ed6950_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 689fd93e9b76170cac04fbd52ce44cd3 |
| SHA1 | 9fb4868ea7b82afbaf23a76bb49f79d203c7f1aa |
| SHA256 | 7860bc992546d59a1a0697aa596ef1e93c41214b0fe8a2b9ea5243152fc39db8 |
| SHA512 | 2d0ab63aaca4dad33abb731f4f7c58bf3ec2b1e3172b43ef44eb468e5255a3816289a597c8fd1a1442d2939086299f06064a511b915c65b73d1e72bf541515e1 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 779c6702711943293986ec37a71d6d20 |
| SHA1 | 80d6b7320fde2605c38e7dfadc2ad8deaafbb7d1 |
| SHA256 | 8bd8e918130987af998ab2b3fe9961b07f4225420e886e685cebd9eaa613fa27 |
| SHA512 | d30e3d250671cab1049d4ae7c0d4a33331cd2c2ff05b149f2316ccbac73df3ada29b2b2b3481e901695d477b56368d371b2eaa74709fc00b65897b897db512f5 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f484424e8fa7b22a6d720ce7abf6ed51 |
| SHA1 | a111aab6e6aaa38ddf71485c133748267b8abb29 |
| SHA256 | 13b2a92215e1f142d5b3d9d193123c2ba99171afe836fc28dd43026afa48d3e0 |
| SHA512 | 5c4130bffebd1b118599eb4dbc2cdcd90714110f79d21eeee861ff077604cce212c2bca511c83d074c017e246b1112420a692704f7ee1691cde76193a9eda6e5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 22:29
Reported
2024-06-10 22:31
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
140s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1116 wrote to memory of 4260 | N/A | C:\Users\Admin\AppData\Local\Temp\1db3922c69adf6cefc54f3c120ed6950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1116 wrote to memory of 4260 | N/A | C:\Users\Admin\AppData\Local\Temp\1db3922c69adf6cefc54f3c120ed6950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1116 wrote to memory of 4260 | N/A | C:\Users\Admin\AppData\Local\Temp\1db3922c69adf6cefc54f3c120ed6950_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4260 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4260 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4260 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1db3922c69adf6cefc54f3c120ed6950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1db3922c69adf6cefc54f3c120ed6950_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 689fd93e9b76170cac04fbd52ce44cd3 |
| SHA1 | 9fb4868ea7b82afbaf23a76bb49f79d203c7f1aa |
| SHA256 | 7860bc992546d59a1a0697aa596ef1e93c41214b0fe8a2b9ea5243152fc39db8 |
| SHA512 | 2d0ab63aaca4dad33abb731f4f7c58bf3ec2b1e3172b43ef44eb468e5255a3816289a597c8fd1a1442d2939086299f06064a511b915c65b73d1e72bf541515e1 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 94a58ee6ee7ab6cdd73e7eb531e7481c |
| SHA1 | b4cdd410632479dd78f55a3de6699664e1ce61a6 |
| SHA256 | 6273a1fbc3c85fd0fd353df8b20ec5a16b510f412a230ba0bb63cc2495907ca6 |
| SHA512 | a21e082ac30889d6e126bd5a6c2c5498f52971ab505d5161c30a45badc6cff5862e287f1cc53114ace472f4291daa84193a507107d33e1c1ddafc2d925837c65 |
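The two behavioral runs above agree on the sample's shape: the original binary drops omsecor.exe into the Roaming profile, that copy drops a second omsecor.exe into SysWOW64 (the Windows\System32 path in the process list is the same file seen through WOW64 file-system redirection from a 32-bit process), and the chain resolves lousta.net, mkkuei4kdsz.com and ow5dirasuek.com. The "Suspicious use of WriteProcessMemory" rows need a caveat: a short burst of writes from a parent into a child it has just created is also what CreateProcess itself performs, so that signature on its own is weak evidence; its value here is the parent-to-child chain it exposes. The script below is an added example, not part of the sandbox report: it collapses the repeated WriteProcessMemory rows into the process chain, and sweeps constructed file and DNS-log samples against the hashes, drop locations and domains the report lists. The log line format, the sample file contents and the `sweep_*` function names are assumptions made for the example.

```python
"""Triage helpers built from the Neconyd report above (added example)."""
import hashlib
from collections import defaultdict

# Indicators copied from the report's Files and Network sections.
DROPPED_SHA256 = {
    "7860bc992546d59a1a0697aa596ef1e93c41214b0fe8a2b9ea5243152fc39db8",  # Roaming\omsecor.exe (first write)
    "13b2a92215e1f142d5b3d9d193123c2ba99171afe836fc28dd43026afa48d3e0",  # Roaming\omsecor.exe (second write, win7)
    "8bd8e918130987af998ab2b3fe9961b07f4225420e886e685cebd9eaa613fa27",  # SysWOW64\omsecor.exe (win7)
    "6273a1fbc3c85fd0fd353df8b20ec5a16b510f412a230ba0bb63cc2495907ca6",  # SysWOW64\omsecor.exe (win10)
}
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}
# Drop locations, matched by suffix so any user profile is covered.
DROP_SUFFIXES = (r"\appdata\roaming\omsecor.exe", r"\syswow64\omsecor.exe", r"\syswow64\merocz.xc6")

# The six WriteProcessMemory rows from behavioral2: (writer pid, target pid, writer image, target image).
WPM_ROWS = [
    (1116, 4260,
     r"C:\Users\Admin\AppData\Local\Temp\1db3922c69adf6cefc54f3c120ed6950_NeikiAnalytics.exe",
     r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
] * 3 + [
    (4260, 3336, r"C:\Users\Admin\AppData\Roaming\omsecor.exe", r"C:\Windows\SysWOW64\omsecor.exe"),
] * 3


def process_chain(rows):
    """Collapse repeated writer->target rows into one edge each and walk the chain
    from the process nobody wrote into. Returns ([(pid, image), ...], {(src, dst): count}).
    Assumes each writer has a single target, which holds for this report."""
    child_of, images, writes = {}, {}, defaultdict(int)
    for src, dst, src_img, dst_img in rows:
        writes[(src, dst)] += 1
        child_of[src] = dst
        images[src], images[dst] = src_img, dst_img
    targets = set(child_of.values())
    pid = next(p for p in child_of if p not in targets)  # root: writes but is never written to
    chain = []
    while pid is not None:
        chain.append((pid, images[pid]))
        pid = child_of.get(pid)
    return chain, dict(writes)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sweep_files(entries, known_hashes=DROPPED_SHA256):
    """entries: iterable of (path, file bytes). Flags files whose SHA256 is in the
    report or that sit at one of the sample's drop locations."""
    hits = []
    for path, data in entries:
        digest = sha256_hex(data)
        reasons = []
        if digest in known_hashes:
            reasons.append("sha256 in report")
        if path.lower().endswith(DROP_SUFFIXES):
            reasons.append("drop path from report")
        if reasons:
            hits.append((path, digest, reasons))
    return hits


def sweep_dns(log_lines):
    """log_lines: constructed 'key=value' DNS records (e.g. 'ts=... query=<name> answer=<ip>').
    Returns lines that resolve a report domain or answer with a report IP."""
    hits = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        name = fields.get("query", "").lower().rstrip(".")
        if name in C2_DOMAINS or fields.get("answer") in C2_IPS:
            hits.append(line)
    return hits


# Constructed samples for a stand-alone run; the bytes are placeholders, not the real droppers.
SAMPLE_FILES = [
    (r"C:\Users\bob\AppData\Roaming\omsecor.exe", b"placeholder, not the real dropper"),
    (r"C:\Windows\SysWOW64\omsecor.exe", b"placeholder, not the real dropper"),
    (r"C:\Windows\SysWOW64\kernel32.dll", b"benign placeholder"),
]
SAMPLE_DNS = [
    "ts=2024-06-10T22:30:01Z host=WS01 query=lousta.net answer=193.166.255.171",
    "ts=2024-06-10T22:30:02Z host=WS01 query=www.example.com answer=93.184.216.34",
    "ts=2024-06-10T22:30:03Z host=WS01 query=MKKUEI4KDSZ.COM. answer=64.225.91.73",
]

if __name__ == "__main__":
    chain, writes = process_chain(WPM_ROWS)
    for pid, image in chain:
        print(f"{pid:>5}  {image}")
    print("write counts:", writes)
    for path, digest, reasons in sweep_files(SAMPLE_FILES):
        print(path, digest[:12], reasons)
    print("\n".join(sweep_dns(SAMPLE_DNS)))
```

On a real host, feed `sweep_files` the output of a directory walk over the user profiles and SysWOW64 and `sweep_dns` the DNS client or Sysmon event 22 records normalised to key=value form; a hash miss with a path hit still matters, because the Roaming copy was rewritten with a different hash between the two runs and any later build would differ again.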