Analysis Overview
SHA256
57fd5519d7e89d811e607ad0f1d3c58d453aa53f445ac6d4118095d298968b1b
Threat Level: Known bad
The file 1f6d5672f8c369bebb0e96ce591cc9c0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-10 23:39
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 23:39
Reported
2024-06-10 23:41
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f6d5672f8c369bebb0e96ce591cc9c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f6d5672f8c369bebb0e96ce591cc9c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1f6d5672f8c369bebb0e96ce591cc9c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f6d5672f8c369bebb0e96ce591cc9c0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2984-1-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 1481c4b335a4844c661fd6d7b7381523 |
| SHA1 | 01dd23e334ea4298c932ecaba27affd538dfa8b6 |
| SHA256 | d597023c0cf456248451c61c0110df2cf7605e055a210af8ec846f4b4d627bec |
| SHA512 | 5eaeebe208e97bd62f6dd71270162c11652c0bb9e517a612c71e8f569df092bb32bd9f334aad3be869c04b7b31fed35198e75f8947af519087db178f202b0f68 |
memory/2996-9-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2996-11-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | d159cb55d9cb1407a7555040f2dd42ae |
| SHA1 | a563c94d89f40a70542245a757115407068ba463 |
| SHA256 | a5f27e2882635c596edca0494321ab2578451bbb13a59683f4ce77a7d57c4b5b |
| SHA512 | a2f2b57e6df8419070c72cdd31306bd5b952b1d548be501ca7bad798c77f0a8d6dd28a159bc4174fffa07fb1800ff1405da465fdce46e6b8bb916c5d07862341 |
memory/2996-14-0x00000000003A0000-0x00000000003CA000-memory.dmp
memory/2996-21-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 28969979a97dbcb5a10783cb0964643b |
| SHA1 | 4be18041342ac2a6ef3764fa783ba72ae953b16e |
| SHA256 | fc205006a0292eebc9592eec89010361766d774f965d918f75d5cbc304731303 |
| SHA512 | 7e1c4c670e4b8155fd857cae60ad1166249929614ac5cb71bc20917d8de4be1791ba29c68159c817722cef5b8f00dac46473276345afa9598e4e4858241939a3 |
memory/1240-26-0x0000000000220000-0x000000000024A000-memory.dmp
memory/1240-31-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2488-34-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 23:39
Reported
2024-06-10 23:41
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1f6d5672f8c369bebb0e96ce591cc9c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1f6d5672f8c369bebb0e96ce591cc9c0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4204,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/4728-1-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 1481c4b335a4844c661fd6d7b7381523 |
| SHA1 | 01dd23e334ea4298c932ecaba27affd538dfa8b6 |
| SHA256 | d597023c0cf456248451c61c0110df2cf7605e055a210af8ec846f4b4d627bec |
| SHA512 | 5eaeebe208e97bd62f6dd71270162c11652c0bb9e517a612c71e8f569df092bb32bd9f334aad3be869c04b7b31fed35198e75f8947af519087db178f202b0f68 |
memory/1456-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1456-6-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 94e75237ad8547ff5b22e0e739e2436b |
| SHA1 | 1ccc80f09d44795604b73763d4f1e3761dc9b781 |
| SHA256 | 3090ac2247b8ed33576b3cffea388efaf5caab3136e846692091e89cbd4bc0b5 |
| SHA512 | ef9dee771a5a8e99ef6870f81337cc675a56b6cd681c413b23b510ed2dae4ed7be9f3cea0a15e0a5106604dfe67836ec4c0474409995f6c30ca60ffc2e1d4e53 |
memory/1456-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3164-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3164-16-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 6670593b09fca574d25bdbeca45d03d3 |
| SHA1 | 8a03d8dac74db29a4a8cdd141b532ae16369f13b |
| SHA256 | 877c7b17049cf32dfc3325d386dbde12211341c740b9831e3358bf763da1253e |
| SHA512 | de82cb7910be611e7a6966a387b25aebda4e0d5a8a38c57d3411a473adfb31c6c662f11a062b34d1c3a395b3f01b03e03a7885e6e9745bb6787033970dcea3e5 |
memory/4252-17-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4252-19-0x0000000000400000-0x000000000042A000-memory.dmp