Analysis Overview
SHA256: b3a6aabedc320d5b4d6fbe035cd3907c0acb6fa3e77848c0289a5ba2ae170424
Threat Level: Known bad
The file 21f7e998682746bd7453ff8de8de1540_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 01:03
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 01:02
Reported
2024-06-11 01:05
Platform
win7-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21f7e998682746bd7453ff8de8de1540_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21f7e998682746bd7453ff8de8de1540_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\21f7e998682746bd7453ff8de8de1540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\21f7e998682746bd7453ff8de8de1540_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/1728-1-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 082f05e2d55915b36cfcd7ebfc8e7958 |
| SHA1 | 661d27b5eddb951fe1ccb6deb9fd03cec9557157 |
| SHA256 | 58fd221d56bf15727e590875b628386d7b36bed3b68e5fe134ad7bfe6dafd416 |
| SHA512 | 68524a8e770ed09e19ea53f0795a6d9d77bbdb6e6b0e882fd39cbc8bf7653a1c57b230be8c2756c92218cd184aa071616f07b7e862d7d6946059f25a916a290b |
memory/2908-10-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1728-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2908-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 1e426fae7ee595fa1f401b7edb2e1072 |
| SHA1 | ccd291df366fb02916b484e00e1e84ed74439ee1 |
| SHA256 | 5a0b4ee84494c807a8cc3440744d2b791d2b5d67607afe1c7ede8ffa8aa3fbc9 |
| SHA512 | 153c6d2708f710c581ae9578da6e4a6719b4b62637020a673098962e0aad824df002a71c4860a0d0f4ce43a400834ab5089ec8f0c58b26138ec2f9fd66276031 |
memory/2908-15-0x0000000002240000-0x000000000226A000-memory.dmp
memory/2908-21-0x0000000000400000-0x000000000042A000-memory.dmp
memory/548-23-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 4d47db0eadea13867b9000fdcd65b8a4 |
| SHA1 | 890a74fc481bec2489856101bef0a47168785aba |
| SHA256 | 1e1b4a3f657d4ad51dc2fed2e3fd0fc385cf04f85d301cbc888f29146c77136a |
| SHA512 | 41efb9f8fa29f3530eec9fa13739a7c37c1e48abd7c888b7460c5830d3a4e061c6a9413c00f9044df52686ef55d03f4990301fe255666c9f40d93c635fd6ca92 |
memory/1524-34-0x0000000000400000-0x000000000042A000-memory.dmp
memory/548-32-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1524-36-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 01:02
Reported
2024-06-11 01:05
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
139s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4536 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\21f7e998682746bd7453ff8de8de1540_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4536 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\21f7e998682746bd7453ff8de8de1540_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4536 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\21f7e998682746bd7453ff8de8de1540_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4924 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4924 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4924 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\21f7e998682746bd7453ff8de8de1540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\21f7e998682746bd7453ff8de8de1540_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/4536-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 082f05e2d55915b36cfcd7ebfc8e7958 |
| SHA1 | 661d27b5eddb951fe1ccb6deb9fd03cec9557157 |
| SHA256 | 58fd221d56bf15727e590875b628386d7b36bed3b68e5fe134ad7bfe6dafd416 |
| SHA512 | 68524a8e770ed09e19ea53f0795a6d9d77bbdb6e6b0e882fd39cbc8bf7653a1c57b230be8c2756c92218cd184aa071616f07b7e862d7d6946059f25a916a290b |
memory/4924-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4536-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4924-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 01784d53b36910dd7e5b0d7cc705404c |
| SHA1 | 0bed5e772671cef63dc2d58f74eb4826b81d9515 |
| SHA256 | 08c598e856b6b93f9be478bc973443966ac658092db1e8b5b1c74976ea210e4e |
| SHA512 | aaff79df0683dec496079595bd8c77306f98f9f2cc6ecbe8df94e445d6872fafda7369c11918517c3e0ca67eafb3151cf29d284816d57da54be4e82fa7d238ba |
memory/4924-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2184-13-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2184-14-0x0000000000400000-0x000000000042A000-memory.dmp