Malware Analysis Report

2024-09-11 08:38

Sample ID 240611-1j1fyasgkp
Target 05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe
SHA256 b8aae0462865bef7a98382d035f364d65c5e6b5b3cfc9e36a9c8569b9c76f7a5
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8aae0462865bef7a98382d035f364d65c5e6b5b3cfc9e36a9c8569b9c76f7a5

Threat Level: Known bad

The file 05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 21:41

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 21:41

Reported

2024-06-11 21:44

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2576 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2576 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2576 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2576 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1984 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1984 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1984 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1984 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2940 wrote to memory of 2452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2940 wrote to memory of 2452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2940 wrote to memory of 2452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2940 wrote to memory of 2452 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 949ecdf9fe779f8e620d40dd676466b4
SHA1 7630c3c41616dc5d88e0ff6cc71af53bd65802fc
SHA256 3e313412cf5cf4922d0d0b482a0aeaf88ff5b816ae286908bbfa852f26b630c8
SHA512 6385122a37832f5e9933aa7658598e9ba364d3448352033c9bf7d6e70b9b091852319847b122dd7c98f9dcd344cb33450d69add072572b0ad46e3163f6ccb3a7

\Windows\SysWOW64\omsecor.exe

MD5 16d75abd274ccf2c9b4dca0ba9a18a42
SHA1 8d23754ed139246a8cc4cdbc44c58855139c8886
SHA256 390e682ff3a43baa1d9ccdce32dafe1f9127b18db6849608cfcf76840bc864b1
SHA512 dbca5c659d8d8cb9a5112263388535bc12d46bf6338feff3b0743f56378e204de5edc57755739cd7288cffd49e0ecfc49e0c2120c900ad2dd376c648c146deb7

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e3ed415fb2484dc9f5d53cb74fa3ae4a
SHA1 a29835e52959eee0d163514a0ad6a439bd620585
SHA256 e52b1d1eb3280fc7efa8cd0df0ed6999e6322ea2bff88dc0617d90659b9a4fef
SHA512 2b7da9d13598a1e8bddc69bd3462510032c4cef77600a471691659f26514d938e733df3ffd75e0e018417c2e94350e6a7b5b8ae7e01d2dc18fe4541ac9967e11

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 21:41

Reported

2024-06-11 21:44

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\05cb76a1e95343db72e9ce8d8bfb6610_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
IE | 52.111.236.22:443 | (none) | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | (none) | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 949ecdf9fe779f8e620d40dd676466b4
SHA1 7630c3c41616dc5d88e0ff6cc71af53bd65802fc
SHA256 3e313412cf5cf4922d0d0b482a0aeaf88ff5b816ae286908bbfa852f26b630c8
SHA512 6385122a37832f5e9933aa7658598e9ba364d3448352033c9bf7d6e70b9b091852319847b122dd7c98f9dcd344cb33450d69add072572b0ad46e3163f6ccb3a7

C:\Windows\SysWOW64\omsecor.exe

MD5 724b7701dbec1b5e045fdccdbad8e005
SHA1 d8fcde19c1d7c2e3682fc9cf3d054e100817cb98
SHA256 0224875ef1d271e1b912689b194d281d4ae14ee4dcfd998f56a94135da5a1d71
SHA512 c3bb1d5f15d0ca6f826f3fc7ab18f377d864ef1b6b944b00e245ada5304b4ea53a94ff831231fc386e36097dcd9027375343e6c4950fc238af3c07bb43973800

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 af6f3c590bda7fbfdc3e86ee1fd19e4c
SHA1 00bad5d1d6af7b88ef5b7d77503c07f685f7674e
SHA256 2a4c280c050e200549711e208c71ab44534911a1ee439eba7331a4f88b66c5c4
SHA512 2928a573259a211cbd453b8758c1a8a21b6d245d4d8c307edb4123bb4af2ac11182c9375b4d547641bdfed77709a90a27ba5fc3543d1d66e8d1a8fdccdfdd516