Analysis Overview
SHA256
152aaa164d872394ecd2e4589cb9273b9e23d54e48150d6a88c090978c36744a
Threat Level: Known bad
The file 05dd7aabf2c0d92b5862cc7bda08d830_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 21:41
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 21:41
Reported
2024-06-11 21:44
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
139s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\05dd7aabf2c0d92b5862cc7bda08d830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05dd7aabf2c0d92b5862cc7bda08d830_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Each process is listed as its image path followed by its command line. The third process is started with the command line C:\Windows\System32\omsecor.exe but runs from C:\Windows\SysWOW64\omsecor.exe: on 64-bit Windows a 32-bit process that names System32 is redirected to SysWOW64 by WoW64 file system redirection, so the "Drops file in System32 directory" hit and this process refer to the same dropped file. The chain is the dropper -> Roaming\omsecor.exe -> SysWOW64\omsecor.exe -> a fresh Roaming\omsecor.exe, consistent with the order of the dropped files and memory dumps listed below.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Only DNS queries to 8.8.8.8 were recorded: the report shows no resolved addresses and no follow-on TCP connections, so the three names (lousta.net and the two random-looking .com names) are the only network indicators this run yields. The 8.8.8.8.in-addr.arpa row is a reverse lookup of the resolver itself, not an indicator.
Files
memory/3380-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ecd06216315150f94d2a6b8e15479a9a |
| SHA1 | 4ab0dc55727484705778dbeaa06597b1a70896ae |
| SHA256 | 1276d9e3c08e91232471b5514363cc7b490fe2c2c94038c2dd8ef3261449c7e4 |
| SHA512 | 7ac33d18ff5e57e92209c06de33f983528e432651286d7da0d8b3c660be6f1512d3582d35e52ad203e574a273b18be8da5290564feb435f063b84f39a60c5a68 |
memory/3380-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4060-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4060-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 4512099e4a7b83fd74279666feef1180 |
| SHA1 | 85eed1c71f27684a18cae5f936cd7d81cf84af93 |
| SHA256 | d0922463aecd87b9f65dc5ab2e1f47bc8ab9a3a99d096303198c312513067994 |
| SHA512 | af52a46b88c328fd73995078c34fcf44bc2b12e7ed8f4b03acc1261363c51f09e57be319c1644140f2a5e4bf3c075a299313f08ff129ad82f5882a4bc6b1109f |
memory/4060-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3400-13-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | cc70991de3ea319e5dcbb2e6ef1d07ce |
| SHA1 | 47dd7a994ff6ee6aa4446c532b27a64faeb16778 |
| SHA256 | f0983668090f24476228bc165e892212a41c47145711c52597d0b0b2202bb27a |
| SHA512 | bd3b9d380986443093da44c57eabd5d788eab639258eed5ea652c6fcd3c190e3d9ae891f662e23b2a0ac0f3d608e4eb66aa0e6073fd53b01e93087d0838d4866 |
memory/3400-17-0x0000000000400000-0x000000000042A000-memory.dmp
memory/5064-18-0x0000000000400000-0x000000000042A000-memory.dmp
memory/5064-20-0x0000000000400000-0x000000000042A000-memory.dmp
Memory dumps are named pid-index-start-end. Every process maps the same 0x2A000-byte region at 0x400000, consistent with one 32-bit image being re-executed from each new location. The three omsecor.exe entries have three different hash sets: the Roaming copy written by the dropper (SHA256 1276d9e3...), the SysWOW64 copy written by the first Roaming process (d0922463...), and the Roaming copy rewritten by the SysWOW64 process (f0983668...). Each generation changes the file contents, so these hashes identify only this detonation; detections should pivot on the paths, the process chain and the DNS names rather than on file hashes.
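The process chain, the SysWOW64 drop and the DNS names above translate directly into detection logic. The following Python is an added example written for this page, not part of the sandbox report or of the sample: it runs the report's indicators over a constructed stream of Sysmon-style events (a simplified schema of my own, not a real Sysmon export) and reconstructs the dropper -> Roaming -> SysWOW64 -> Roaming chain. The same chain appears in the behavioral1 run below, so the block covers both runs. Hashes are included but treated as secondary, since the dropped file is rewritten in each generation.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the behavioral2 run of this report.
DOMAINS = {"lousta.net", "ow5dirasuek.com", "mkkuei4kdsz.com"}
DROPPED_SHA256 = {
    "1276d9e3c08e91232471b5514363cc7b490fe2c2c94038c2dd8ef3261449c7e4",
    "d0922463aecd87b9f65dc5ab2e1f47bc8ab9a3a99d096303198c312513067994",
    "f0983668090f24476228bc165e892212a41c47145711c52597d0b0b2202bb27a",
}
# Path patterns carry the weight: the dropped binary's hash changes per generation.
# System32 is accepted as an alias of SysWOW64 because a 32-bit process that
# names System32 is redirected to SysWOW64 on 64-bit Windows.
ROAMING_COPY = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$", re.I)
SYSTEM_COPY = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\omsecor\.exe$", re.I)


@dataclass
class Event:
    """Minimal Sysmon-like record (constructed schema, not a real Sysmon export)."""
    kind: str          # "process" (EID 1), "file" (EID 11) or "dns" (EID 22)
    image: str         # the new process (process) or the acting process (file, dns)
    parent: str = ""   # parent image, for kind == "process"
    target: str = ""   # created file (file) or queried name (dns)
    sha256: str = ""   # image hash, for kind == "process"


def classify(ev):
    """Return the rule names a single event triggers."""
    hits = []
    if ev.kind == "process":
        if ROAMING_COPY.match(ev.image) or SYSTEM_COPY.match(ev.image):
            hits.append("exec_dropped_copy")
        if ev.sha256.lower() in DROPPED_SHA256:
            hits.append("known_hash")
    elif ev.kind == "file":
        if SYSTEM_COPY.match(ev.target) and ROAMING_COPY.match(ev.image):
            hits.append("roaming_writes_system_copy")
    elif ev.kind == "dns":
        if ev.target.lower().rstrip(".") in DOMAINS:
            hits.append("known_c2_name")
    return hits


def find_chain(events):
    """Reconstruct dropper -> Roaming -> SysWOW64 -> Roaming from process events.

    Returns the four image paths in order (root lowercased, as keyed), or []
    when the full three-hop chain is absent.
    """
    children = {}
    for ev in events:
        if ev.kind == "process":
            children.setdefault(ev.parent.lower(), []).append(ev.image)
    for root, kids in children.items():
        if ROAMING_COPY.match(root) or SYSTEM_COPY.match(root):
            continue  # the root must be the original dropper, not a copy
        for s1 in kids:
            if not ROAMING_COPY.match(s1):
                continue
            for s2 in children.get(s1.lower(), []):
                if not SYSTEM_COPY.match(s2):
                    continue
                for s3 in children.get(s2.lower(), []):
                    if ROAMING_COPY.match(s3):
                        return [root, s1, s2, s3]
    return []


def scan(events):
    """Count rule hits across a stream and attach the reconstructed chain."""
    counts = Counter(rule for ev in events for rule in classify(ev))
    return {"hits": dict(counts), "chain": find_chain(events)}


# Constructed sample telemetry mirroring the behavioral2 run: paths, hashes and
# ordering come from the report; the reverse lookup and the notepad row are
# made-up control rows that must not match.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\05dd7aabf2c0d92b5862cc7bda08d830_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"
SAMPLE_EVENTS = [
    Event("process", ROAMING, parent=DROPPER,
          sha256="1276d9e3c08e91232471b5514363cc7b490fe2c2c94038c2dd8ef3261449c7e4"),
    Event("file", ROAMING, target=SYSWOW),
    Event("process", SYSWOW, parent=ROAMING,
          sha256="d0922463aecd87b9f65dc5ab2e1f47bc8ab9a3a99d096303198c312513067994"),
    Event("process", ROAMING, parent=SYSWOW,
          sha256="f0983668090f24476228bc165e892212a41c47145711c52597d0b0b2202bb27a"),
    Event("dns", ROAMING, target="lousta.net"),
    Event("dns", ROAMING, target="ow5dirasuek.com"),
    Event("dns", ROAMING, target="8.8.8.8.in-addr.arpa"),
    Event("process", r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The path rules fire on their own; the hash rule only confirms this exact detonation. A real deployment would feed `classify` from Sysmon event IDs 1, 11 and 22 and keep `find_chain` keyed on process GUIDs rather than image paths, since a benign process can share a path.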
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 21:41
Reported
2024-06-11 21:44
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05dd7aabf2c0d92b5862cc7bda08d830_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05dd7aabf2c0d92b5862cc7bda08d830_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\05dd7aabf2c0d92b5862cc7bda08d830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05dd7aabf2c0d92b5862cc7bda08d830_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2056-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ecd06216315150f94d2a6b8e15479a9a |
| SHA1 | 4ab0dc55727484705778dbeaa06597b1a70896ae |
| SHA256 | 1276d9e3c08e91232471b5514363cc7b490fe2c2c94038c2dd8ef3261449c7e4 |
| SHA512 | 7ac33d18ff5e57e92209c06de33f983528e432651286d7da0d8b3c660be6f1512d3582d35e52ad203e574a273b18be8da5290564feb435f063b84f39a60c5a68 |
memory/2056-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1240-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1240-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | b37665cd831ffccc0fdbd74dfbe5bc00 |
| SHA1 | 9144642d6789d6013f4ca0cc77007cde30ce9106 |
| SHA256 | bc01d90f42f8df10ccb10f13ad08619dbdfafad1b59768258a642df276370dcd |
| SHA512 | e92114418e4442dbc69eb5de1c82c0513d34c718d6d859e78465d930a4b3543931f1b571e6c92f322eaf10b64f01479ccd162c337e8d82003a2752dfbb044fe6 |
memory/1240-21-0x0000000000470000-0x000000000049A000-memory.dmp
memory/1240-20-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1044-23-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 9700f4adedb332cabd8f6af564e32bb0 |
| SHA1 | 7efab1da64255f1a64ddca7c54cf3f74ce709f6b |
| SHA256 | 2dae66e7a8dd41511e9299c414d9d3b47173c827935d3c4a22145ed642067f31 |
| SHA512 | f69468377a6ac55e9080c06daf3f248c94129da6fab15e8d9fd714cbe5d6bb1c73779aaceec3f450feaa0e26a17b89048568bbd4359df753439043c2a01058e7 |
memory/1044-32-0x0000000000400000-0x000000000042A000-memory.dmp
memory/288-34-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1240-36-0x0000000000470000-0x000000000049A000-memory.dmp
memory/288-37-0x0000000000400000-0x000000000042A000-memory.dmp
Compared with behavioral2: the first Roaming copy has the same hashes in both runs (MD5 ecd06216..., SHA256 1276d9e3...), while the SysWOW64 copy (b37665cd... here, 4512099e... on win10) and the second Roaming copy (9700f4ad... here, cc70991d... on win10) differ, confirming that the later generations are rewritten on each run. Process 1240 (the first omsecor.exe) additionally holds a second 0x2A000-byte region at 0x470000, the same size as its image region at 0x400000; a second copy of the image inside that process is consistent with the WriteProcessMemory signature above, and both regions are worth carving.
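The memory dump names in both runs follow the pattern memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp. The following Python is an added example, not part of the report: it parses those names (the behavioral1 list above, copied from the report, is the input), groups regions per process and flags any process that holds a second region the same size as its image region at 0x400000, which is exactly what process 1240 shows. The image base 0x400000 is read from the dump names themselves; a same-size second region is a triage hint worth dumping, not proof of injection.

```python
import re
from collections import defaultdict

# Dump naming used by this report: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump name into pid, dump index and the [start, end) region."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    pid, idx, start, end = m.groups()
    return {"pid": int(pid), "index": int(idx), "start": int(start, 16), "end": int(end, 16)}


def regions_by_pid(names):
    """Map pid -> sorted list of the distinct (start, end) regions dumped for it."""
    seen = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        seen[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(regions) for pid, regions in seen.items()}


def second_image_candidates(names, image_base=0x400000):
    """PIDs that hold another region exactly the size of the region at image_base.

    A second, same-sized region is consistent with a copy of the PE image being
    written into the process (matching the WriteProcessMemory signature); it is
    a hint for further analysis, not proof of injection.
    """
    found = {}
    for pid, regions in regions_by_pid(names).items():
        base = [r for r in regions if r[0] == image_base]
        if not base:
            continue
        size = base[0][1] - base[0][0]
        copies = [r for r in regions if r[0] != image_base and r[1] - r[0] == size]
        if copies:
            found[pid] = {"image": base[0], "size": size, "copies": copies}
    return found


# Dump names copied from the behavioral1 run of this report.
BEHAVIORAL1_DUMPS = [
    "memory/2056-0-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/2056-8-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/1240-11-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/1240-12-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/1240-21-0x0000000000470000-0x000000000049A000-memory.dmp",
    "memory/1240-20-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/1044-23-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/1044-32-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/288-34-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/1240-36-0x0000000000470000-0x000000000049A000-memory.dmp",
    "memory/288-37-0x0000000000400000-0x000000000042A000-memory.dmp",
]

if __name__ == "__main__":
    for pid, info in second_image_candidates(BEHAVIORAL1_DUMPS).items():
        print(pid, hex(info["size"]), [(hex(s), hex(e)) for s, e in info["copies"]])
```

Run against the behavioral2 list the same function returns nothing, since every dump there sits at 0x400000; the difference between the two runs is what makes 1240's extra region worth a look.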