Analysis Overview
SHA256: 73fe5de551186eeead8479089f355ef818581ab49747610021d0eb3089993cdd
Threat Level: Known bad
The file 0a6a9ecc10d726a8a3f35d7ab356f070_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported: 2024-06-10 05:23
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-10 05:21
Reported: 2024-06-10 05:31
Platform: win7-20240508-en
Max time kernel: 145s
Max time network: 146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a6a9ecc10d726a8a3f35d7ab356f070_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a6a9ecc10d726a8a3f35d7ab356f070_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a6a9ecc10d726a8a3f35d7ab356f070_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a6a9ecc10d726a8a3f35d7ab356f070_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | df71adbbbf3182e5b2ca5e6b7e21c8bb |
| SHA1 | 99719de16d9f8b53cbbc2917e8979490c25ba66c |
| SHA256 | 657bb63a0c3c660c3cc6c3fc7862f64676597a7f500b8990d7c68371aa1aa78c |
| SHA512 | b7ebd5d454cb7c59379969c8eb2b606398e28f29150fd676f4c4b874e1a9da1244102a9bf04efbf20eb94ef338b98ac0c10e98c259ec5135b50bd37bb6a3d607 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | d71744c1318b74be59e2ca35641727de |
| SHA1 | 0078e363783b397a2ea082fca87ba1f730a80501 |
| SHA256 | bb851f3aa2c5106ee1eb1e7c55a69056ba8e8045cb902c12a1fdc0bb1ebf2a3f |
| SHA512 | 12de1f1d7c7f7ce98dd8628a1a6eae6d1397b20dbb4df15e84a86ff2c42ce93ed5bfc4965bbed153798db7a8ac132030ee62a14162e7bd682122b3cfc40ef57f |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | f800e1a929df1bd254470acbef5bea94 |
| SHA1 | bfb3297ad1156c85c027caade7f443b9a32a7ca6 |
| SHA256 | 34a869c618baa507b49a3baf6704cacdfe9fa933f7e208daa84ac8a91937bd86 |
| SHA512 | 18417794aef64fabdbc7281aa5864d5660e894ca90f371fbc5926c9f4d46a81e246f1006109fa364bdf084e8bb8fa79e4a7b072377c56bb9e925b17b7eced382 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-10 05:21
Reported: 2024-06-10 05:32
Platform: win10v2004-20240426-en
Max time kernel: 145s
Max time network: 147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1192 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\0a6a9ecc10d726a8a3f35d7ab356f070_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1192 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\0a6a9ecc10d726a8a3f35d7ab356f070_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1192 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\0a6a9ecc10d726a8a3f35d7ab356f070_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1228 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1228 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1228 wrote to memory of 4700 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0a6a9ecc10d726a8a3f35d7ab356f070_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0a6a9ecc10d726a8a3f35d7ab356f070_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | df71adbbbf3182e5b2ca5e6b7e21c8bb |
| SHA1 | 99719de16d9f8b53cbbc2917e8979490c25ba66c |
| SHA256 | 657bb63a0c3c660c3cc6c3fc7862f64676597a7f500b8990d7c68371aa1aa78c |
| SHA512 | b7ebd5d454cb7c59379969c8eb2b606398e28f29150fd676f4c4b874e1a9da1244102a9bf04efbf20eb94ef338b98ac0c10e98c259ec5135b50bd37bb6a3d607 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | a3433375704c6dc5c5e7636711e5734e |
| SHA1 | cccc80f2ef3090fe5f24cf89f059b30869d94e36 |
| SHA256 | 35b24071897ae5eb2cf2bd7834958b0af40c455767dcc4128d456b7da4f4930a |
| SHA512 | 9ca1647ba4fc93f2a957324986bf53850cd165fa3b70bcbb960c30f772687a7b163bb9f961fce987b5b498bbc61ed33ec09584be6ff26789aef8f6fc4f0997b2 |