Analysis Overview
SHA256
ca7fd7f910be26df06c06740c8091c2fd33637f124a08609fbaa132ce3f7cf1c
Threat Level: Known bad
The file 2074e724af43717953b54875312e42c0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-11 00:14
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 00:14
Reported
2024-06-11 00:16
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2074e724af43717953b54875312e42c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2074e724af43717953b54875312e42c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2074e724af43717953b54875312e42c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2074e724af43717953b54875312e42c0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 95b376049e904189a89fb8d1f3d354bb |
| SHA1 | e675b4f3f7c36ff4b0e191fb6b2408840b1d8e3f |
| SHA256 | a7cfbca6a1b0896d944c754e8272844bee7cdf7851d54f992eaee21248a086de |
| SHA512 | 802f420fca13c314a8c5e83d42b1fcd5a81438252e74090444898a9607b7d1e1f930d5820417efba59a2a400968bb0a7d7651d449fa4fd2c9ba62cd0d0be19e4 |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | d681bfadcee6894bdc5dd2428666e0a5 |
| SHA1 | e5c533daac6cdbb0613e9c9625efa714978aa1c0 |
| SHA256 | 76b5cb298b171468bd45e137c89a0fe7ca006343388fd41140256927e660f092 |
| SHA512 | b5999d2a9ce00351498b4b119d68ec2732f5d1e16f9b62e0b1c46dd89f7d0ebc46ae43e5beef71ee532daef348856ff37465f9aa46d58db57f9cd075e9d214f1 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | feb4f635efb77effda1533cad40da98c |
| SHA1 | 770833c96ac7e2a26cc7faedb16ef133bc2f4139 |
| SHA256 | 3e30c692536bac0c4c68e4cda9bc53ff1630af3adfc8e6cfa761ee2b764a28b0 |
| SHA512 | af4a0dd10b1306e077e786e14d0592002cda4d80bd6f5e5c62074fb26e1ae1fb3542ac9b84873deb5208d7ab297d0b8c704d0d7b52643f1145b094f37e75d504 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 00:14
Reported
2024-06-11 00:16
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
149s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2074e724af43717953b54875312e42c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2074e724af43717953b54875312e42c0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 95b376049e904189a89fb8d1f3d354bb |
| SHA1 | e675b4f3f7c36ff4b0e191fb6b2408840b1d8e3f |
| SHA256 | a7cfbca6a1b0896d944c754e8272844bee7cdf7851d54f992eaee21248a086de |
| SHA512 | 802f420fca13c314a8c5e83d42b1fcd5a81438252e74090444898a9607b7d1e1f930d5820417efba59a2a400968bb0a7d7651d449fa4fd2c9ba62cd0d0be19e4 |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 2425da60ec90b9149ea324c1bddb8fd0 |
| SHA1 | 9f9d5c3939ce2a3bfd1f2d1f36b0e69e882f5844 |
| SHA256 | 6d0149b2cc5a4a7ad8d5504eac6297c07f60529027523aa8a1ce62eaae51bea6 |
| SHA512 | 10584e8281eccc884b7478af86f769ae89e3d76157d65342d339a7d45df2a6de8ecd531edb318a6420f7cf0547dfe24cb17a0e39ae4ed94cbaba5eed96c2ba00 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | a0ece74726c7a6c9c485dd3af9c3d22c |
| SHA1 | ac984ed97b54e33a363752f1ccaf355d3d67313e |
| SHA256 | fa4ae7af2832c5b996923ba9d1dee275498da8324ff590297d1179ed6161dd39 |
| SHA512 | 7106b327a4e65aee472021a4fc316d9b236b8442d89be3c00251b9b6a5a908a4d2ab066e2e93696020f4bcf518ae714af9e752e4841b44d95510cd1f61686fda |