Malware Analysis Report

2024-09-11 08:35

Sample ID 240610-l3dnysfe6x
Target 0e3360ec3bd6dc74ccc543adc54d5340_NeikiAnalytics.exe
SHA256 abc9e2b6e7cf4fb197a8fa1e76f5468a81aa02412c39c5096b4e4dfc7d6c63c0
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

abc9e2b6e7cf4fb197a8fa1e76f5468a81aa02412c39c5096b4e4dfc7d6c63c0

Threat Level: Known bad

The file 0e3360ec3bd6dc74ccc543adc54d5340_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 10:07

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 10:03

Reported

2024-06-10 10:16

Platform

win7-20240508-en

Max time kernel

83s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e3360ec3bd6dc74ccc543adc54d5340_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 1856 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\0e3360ec3bd6dc74ccc543adc54d5340_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1856 wrote to memory of 1020 (4 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1020 wrote to memory of 1624 (4 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Each process writes only into the child it has just started (2212 -> 1856 -> 1020 -> 1624, matching the process tree below), never into an unrelated process. A parent writing a few blocks into its own new child is consistent with ordinary process creation, where the parent writes the new process's startup parameters into the child, so on its own this is weak evidence of injection. The stronger signal here is the chain itself: the same file name re-launched alternately from the user's roaming profile and from SysWOW64.

Processes

C:\Users\Admin\AppData\Local\Temp\0e3360ec3bd6dc74ccc543adc54d5340_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\0e3360ec3bd6dc74ccc543adc54d5340_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Each process is listed as its image path followed by the command line it was started with. The third entry runs from SysWOW64 although its command line names System32: omsecor.exe is a 32-bit executable, so WoW64 file system redirection maps its System32 path to SysWOW64. The same redirection is why the "Drops file in System32 directory" signature above reports the created file under C:\Windows\SysWOW64; when hunting for this dropper on 64-bit hosts, look in SysWOW64, not System32.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 72cfed51be6fce8d8a6c00a2c3b89e02
SHA1 f77f43e12cd1ae6435a19d57b0865124a4c4bd1c
SHA256 e676b76a4ec4d524ad1a7f583a1ed450c9a74542df458226d0913e504dafbf27
SHA512 a67c17ba4f8b7c40557a5cbd404155184c926c38ebfa8292f3d9cbd0db57760c10f7ae7c05794d4433f0dc17fc04c107cca2f778e5e9f478b471bc569b2d79fd

\Windows\SysWOW64\omsecor.exe

MD5 f27863febec2a3ed2cacac8ea3137181
SHA1 7fc76d734b69295a2c59a0fe8ffcf56bd7b4cc70
SHA256 b2d6b64278e985915114eb797cf7f87acb6941d30f45b8c5de646df6edfe9b2d
SHA512 c6a357ffb59b834089c279a89bad58006de6f3f266d3e03a4089242dacdc1557b5eaec4fc5c27d7de411def76a526339345028d731dafb084927ec9ba2c4c20f

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a69acff01ccfcb3cebdc0dfb9c7d48ae
SHA1 b04223e8e0aee57547a59352e43beaa1963baf7a
SHA256 877d2d60ec33703a0c3fc86e7d95b90154a5960fed36f5db7e56d73457e6917e
SHA512 b278274c0307948a2566b1201f6b5a22be906a0405041a924938047f4bf97f2d1a29938fde4a5a04c31daedd46a60fcf6dae7398b094ab9e7065ff9c9fcafcb9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 10:03

Reported

2024-06-10 10:16

Platform

win10v2004-20240508-en

Max time kernel

83s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e3360ec3bd6dc74ccc543adc54d5340_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0e3360ec3bd6dc74ccc543adc54d5340_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\0e3360ec3bd6dc74ccc543adc54d5340_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 56.110.63.41.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp

8.8.8.8:53 is the sandbox's DNS resolver, not a contacted host. The in-addr.arpa entries are reverse (PTR) lookups; two of them, 73.91.225.64.in-addr.arpa and 229.198.34.52.in-addr.arpa, are the reverse names of 64.225.91.73 (mkkuei4kdsz.com) and 52.34.198.229 (ow5dirasuek.com), the hosts reached over TCP/80. The report does not tie the remaining PTR queries to any contacted host, so they are not usable as indicators; the three domains and three IPs above are.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 72cfed51be6fce8d8a6c00a2c3b89e02
SHA1 f77f43e12cd1ae6435a19d57b0865124a4c4bd1c
SHA256 e676b76a4ec4d524ad1a7f583a1ed450c9a74542df458226d0913e504dafbf27
SHA512 a67c17ba4f8b7c40557a5cbd404155184c926c38ebfa8292f3d9cbd0db57760c10f7ae7c05794d4433f0dc17fc04c107cca2f778e5e9f478b471bc569b2d79fd

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 602808741cce8f49af206c91dd66f8ce
SHA1 15b6e30ebf3544b15e9d836b73ba622bec0fd83f
SHA256 b90270ac0edf28d25d7272e4bbef55892f623ca7f01b793126bbd2e30b067ea5
SHA512 d210ea502aab0d36e85a99fa4a669f993010ffde13fb11c4447a81963b99c747ae2ba91540e8aa5ac52d90f072850a06016e8c5ef446111ac05b37a894ac35da

C:\Windows\SysWOW64\omsecor.exe

MD5 295fd2547c94b2fa6c55b0bc17948dc3
SHA1 ef94c7d6f835e11d2afe0f0cbb45a931e063554b
SHA256 d6725855abd15ce210530f6a22447a977d89b588e3f909ce691620fc875faf0e
SHA512 dea6ceb294436d10aabaace10bf70cf63a86350a8d0a8c9e74a2dc49228467510facb4f382b47a90ecd4689ccc59649b995d364e2d41baaf24c8662765a2f92b

In both runs C:\Users\Admin\AppData\Roaming\omsecor.exe is listed twice with different hashes: the file the original sample writes is replaced later in the chain. Only that first Roaming copy (MD5 72cfed51be6fce8d8a6c00a2c3b89e02) is identical between the Windows 7 and Windows 10 runs; the second Roaming copy and the SysWOW64 copy differ from run to run, so blocking on their hashes will not carry over to other hosts. Pivot on the first-drop hash, on omsecor.exe appearing in those two directories, and on the three domains instead.
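The process chain, dropped-file hashes and network indicators in this report can be turned directly into detection logic. The following Python is an added example written for this page, not part of the sandbox report or its tooling. It assumes Sysmon-style event dictionaries (event IDs 1, 3, 11 and 22 with the field names Sysmon emits) and runs three checks over constructed sample telemetry that mirrors the behavioral1 process tree: a hash match against the files above, the hop of the same file name between %AppData%\Roaming and SysWOW64 in either direction (the behaviour behind the "Executes dropped EXE" and WriteProcessMemory signatures), and DNS or TCP contact with the three domains. The sample events are constructed, not taken from the report's raw logs.

```python
"""Hunt for the behaviour in this report over Sysmon-style events.

Added example, not part of the sandbox report. Event dicts use Sysmon
field names; indicators are copied from the report's Network and Files
sections; SAMPLE_EVENTS is constructed telemetry, not real logs.
"""

C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}
KNOWN_SHA256 = {
    "abc9e2b6e7cf4fb197a8fa1e76f5468a81aa02412c39c5096b4e4dfc7d6c63c0",  # sample
    "e676b76a4ec4d524ad1a7f583a1ed450c9a74542df458226d0913e504dafbf27",  # first Roaming drop, both runs
    "b2d6b64278e985915114eb797cf7f87acb6941d30f45b8c5de646df6edfe9b2d",  # SysWOW64, behavioral1
    "877d2d60ec33703a0c3fc86e7d95b90154a5960fed36f5db7e56d73457e6917e",  # second Roaming, behavioral1
    "b90270ac0edf28d25d7272e4bbef55892f623ca7f01b793126bbd2e30b067ea5",  # second Roaming, behavioral2
    "d6725855abd15ce210530f6a22447a977d89b588e3f909ce691620fc875faf0e",  # SysWOW64, behavioral2
}

# Sysmon event IDs used below.
EVT_PROCESS_CREATE, EVT_NETWORK_CONNECT, EVT_FILE_CREATE, EVT_DNS_QUERY = 1, 3, 11, 22


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_roaming(path):
    return "\\appdata\\roaming\\" in path.lower()


def _in_syswow64(path):
    return path.lower().startswith("c:\\windows\\syswow64\\")


def sha256_of(hashes_field):
    """Pull SHA256 out of Sysmon's 'MD5=...,SHA256=...,IMPHASH=...' string."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def analyse(events):
    """Return a list of (rule, detail) findings for an iterable of event dicts."""
    findings = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == EVT_PROCESS_CREATE:
            parent = ev.get("ParentImage", "")
            if sha256_of(ev.get("Hashes", "")) in KNOWN_SHA256:
                findings.append(("known_hash", image))
            # The Neconyd hop: the same file name re-launched between
            # %AppData%\Roaming and SysWOW64, in either direction.
            same_name = _basename(image) == _basename(parent) != ""
            hop = (_in_roaming(parent) and _in_syswow64(image)) or (
                _in_syswow64(parent) and _in_roaming(image))
            if same_name and hop:
                findings.append(("roaming_syswow64_hop", f"{parent} -> {image}"))
        elif eid == EVT_FILE_CREATE:
            target = ev.get("TargetFilename", "")
            # A user-profile process creating an executable under SysWOW64.
            if _in_roaming(image) and _in_syswow64(target) and target.lower().endswith(".exe"):
                findings.append(("syswow64_drop_from_roaming", f"{image} -> {target}"))
        elif eid == EVT_DNS_QUERY:
            name = ev.get("QueryName", "").lower().rstrip(".")
            if name in C2_DOMAINS:
                findings.append(("c2_dns", name))
        elif eid == EVT_NETWORK_CONNECT:
            dst = ev.get("DestinationIp", "")
            if dst in C2_IPS:
                findings.append(("c2_connect", f"{image} -> {dst}:{ev.get('DestinationPort')}"))
    return findings


def summarise(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample telemetry mirroring the behavioral1 tree (2212 -> 1856 -> 1020 -> 1624)
# plus two benign events; not taken from the report's raw logs.
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\0e3360ec3bd6dc74ccc543adc54d5340_NeikiAnalytics.exe"
ROAMING_IMAGE = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
WOW64_IMAGE = r"C:\Windows\SysWOW64\omsecor.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2212, "Image": SAMPLE_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=ABC9E2B6E7CF4FB197A8FA1E76F5468A81AA02412C39C5096B4E4DFC7D6C63C0"},
    {"EventID": 1, "ProcessId": 1856, "Image": ROAMING_IMAGE, "ParentImage": SAMPLE_IMAGE,
     "Hashes": "MD5=72cfed51be6fce8d8a6c00a2c3b89e02,SHA256=e676b76a4ec4d524ad1a7f583a1ed450c9a74542df458226d0913e504dafbf27"},
    {"EventID": 11, "ProcessId": 1856, "Image": ROAMING_IMAGE, "TargetFilename": WOW64_IMAGE},
    {"EventID": 1, "ProcessId": 1020, "Image": WOW64_IMAGE, "ParentImage": ROAMING_IMAGE,
     "CommandLine": r"C:\Windows\System32\omsecor.exe",
     "Hashes": "SHA256=b2d6b64278e985915114eb797cf7f87acb6941d30f45b8c5de646df6edfe9b2d"},
    {"EventID": 1, "ProcessId": 1624, "Image": ROAMING_IMAGE, "ParentImage": WOW64_IMAGE,
     "Hashes": "SHA256=877d2d60ec33703a0c3fc86e7d95b90154a5960fed36f5db7e56d73457e6917e"},
    {"EventID": 22, "ProcessId": 1020, "Image": WOW64_IMAGE, "QueryName": "lousta.net"},
    {"EventID": 3, "ProcessId": 1020, "Image": WOW64_IMAGE, "DestinationIp": "193.166.255.171", "DestinationPort": 80},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 22, "ProcessId": 4100, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "104.219.191.52.in-addr.arpa"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
    print(summarise(analyse(SAMPLE_EVENTS)))
```

The hop rule keys on the directory pair and a matching file name rather than on the string omsecor.exe, so it still fires if the dropper is renamed; the hash rule is the one that, per the Files section, only transfers reliably for the first Roaming drop. Hash comparison is case-insensitive because Sysmon emits uppercase hex while the report lists lowercase.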