Analysis Overview
SHA256
7a05035787a02e63edbe788c31926d4e1524d4fc813b1a0d400a6823244590c8
Threat Level: Known bad
The file 2637fe0f62eeda9ad2baa450c23f5e40_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 03:34
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 03:34
Reported
2024-06-11 03:36
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2637fe0f62eeda9ad2baa450c23f5e40_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2637fe0f62eeda9ad2baa450c23f5e40_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2637fe0f62eeda9ad2baa450c23f5e40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2637fe0f62eeda9ad2baa450c23f5e40_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8f8523b567ce64fe8e15fedf32c129a9 |
| SHA1 | bfd279a0f1c7da00d8b3976ea8991d0213aef458 |
| SHA256 | 1f45f501512f1e5c172e6b17f45deb493a4fb3b6c68a8e5a9d4f0e1084fa7d8e |
| SHA512 | 7000bed0002ed9f1fa4a354d9c0f9cf96508b1786042bc72782272b1e73908927e9b78f334728226ac1efb926ec1dee5dd697b32dcbc0c6acfdf8597d0d72525 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 9c551c5854f9e2581759d5c2a065a505 |
| SHA1 | 74343014656bbefa3c19831847b377c07bcd77dc |
| SHA256 | 7e4d3eefc25025dfcc82576dea0790c7a2a657df86f00927ca926899f798d066 |
| SHA512 | 553f3a489a49f760ca8eb4f6e1c33ef35bcb10954d7a9b96b5cece046def65cdb0af07565f9d5eaa7afe92003cd45848dc0c0a78b88458dccebd08c91b5fdf0b |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4863af66c88d73b268c7edfb9558fb37 |
| SHA1 | 00f332cb2d235ddfc6e2b210135c742ac304c4b1 |
| SHA256 | 77c8e133a2965b959a09c3f5e27ae7227c6b2b922e7f11f0d7425f1b9ea18737 |
| SHA512 | 01c6a20755d2a9ec8c7e9a54469617523048dfad07a265d88ee1f646cf4c26f3e99fd3dfc05feecf6b14aea9f4a6aca799beb895f49abb2b85d161aabf5ce057 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 03:34
Reported
2024-06-11 03:36
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
143s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2637fe0f62eeda9ad2baa450c23f5e40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2637fe0f62eeda9ad2baa450c23f5e40_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8f8523b567ce64fe8e15fedf32c129a9 |
| SHA1 | bfd279a0f1c7da00d8b3976ea8991d0213aef458 |
| SHA256 | 1f45f501512f1e5c172e6b17f45deb493a4fb3b6c68a8e5a9d4f0e1084fa7d8e |
| SHA512 | 7000bed0002ed9f1fa4a354d9c0f9cf96508b1786042bc72782272b1e73908927e9b78f334728226ac1efb926ec1dee5dd697b32dcbc0c6acfdf8597d0d72525 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d9f17a05c6d34e32a2d38ec39a88b87d |
| SHA1 | 553795d46b0b049ee3ed7331ab9d8e4b0f62b522 |
| SHA256 | 455366dc71d30551c67f26c9649347f23d6b60d7bf8a87e2ef390ec0fa77ed5c |
| SHA512 | 00cc8f257a28d054a51f4f48fb3db5168148b2b89b4fc68592d37c95a0a0749e3b26b2df08fc65a2f2c6029638b1c1d59ca90de25c3830c6136d2c5f823c2b17 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7d66876d5e851cae7ad4780bcba86a9d |
| SHA1 | a55ac448f12208d038dc821c4dffcd1378032d05 |
| SHA256 | 3f63f0b61c0c94c79b50e5ea437983a020bb5f4e3f01c3bd6376d4ee3d61b4c0 |
| SHA512 | a6da1ed3e6ab542d06c0c6c5fcaab2de56ad5009607db79a55079d86cca51f2aace32e659bb813e8a4bb947c0d205156f7c467b50dd6e9d79827839704d4688d |
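Turning the indicators above into a host-side check, as an added example that is not part of the sandbox report: the script below matches constructed Sysmon-style process-creation, file-creation and DNS-query events against the drop paths, the three queried domains and the SHA-256 values listed in both detonations. One caveat the report itself supports: the dropped omsecor.exe carries a different hash at almost every location and in each run (the Roaming copy alone has three distinct SHA-256 values across the two detonations), so the drop paths and the DNS names are the durable indicators here and the hashes are only a secondary check. The event dictionaries (keys type, image, target, sha256, query) are an assumed simplification of Sysmon events 1, 11 and 22, not a real log format, and the sample events are constructed for the example.

```python
"""Match the Neconyd indicators from the sandbox report above against
Sysmon-style events. Added example, not part of the report or its tooling."""
import hashlib
import re

# --- Indicators transcribed from the report -------------------------------
SAMPLE_SHA256 = "7a05035787a02e63edbe788c31926d4e1524d4fc813b1a0d400a6823244590c8"
DROPPED_SHA256 = {
    "1f45f501512f1e5c172e6b17f45deb493a4fb3b6c68a8e5a9d4f0e1084fa7d8e",
    "7e4d3eefc25025dfcc82576dea0790c7a2a657df86f00927ca926899f798d066",
    "77c8e133a2965b959a09c3f5e27ae7227c6b2b922e7f11f0d7425f1b9ea18737",
    "455366dc71d30551c67f26c9649347f23d6b60d7bf8a87e2ef390ec0fa77ed5c",
    "3f63f0b61c0c94c79b50e5ea437983a020bb5f4e3f01c3bd6376d4ee3d61b4c0",
}
KNOWN_SHA256 = DROPPED_SHA256 | {SAMPLE_SHA256}
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
# Drop paths seen in both detonations. The user name is wildcarded, and
# System32 is accepted next to SysWOW64 because the process list shows both
# spellings of the same file (WoW64 file-system redirection).
DROP_PATHS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\omsecor\.exe$", re.I),
    re.compile(r"^[a-z]:\\windows\\(syswow64|system32)\\omsecor\.exe$", re.I),
]


def sha256_of_file(path, chunk=1 << 20):
    """Stream a file on disk through SHA-256 (for checking a suspect copy)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_event(ev):
    """Return the indicator names an event hits (empty list if clean)."""
    hits = []
    kind = ev.get("type")
    if kind in ("process", "file"):
        path = ev.get("image") if kind == "process" else ev.get("target")
        if path and any(p.match(path) for p in DROP_PATHS):
            hits.append("omsecor.exe drop path")
        if (ev.get("sha256") or "").lower() in KNOWN_SHA256:
            hits.append("known-bad sha256")
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        # Match the domain itself or any subdomain of it.
        if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
            hits.append("neconyd domain")
    return hits


def scan(events):
    """Return (index, hits) for every event that matches at least one IOC."""
    out = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed events modelled on the detonation above (assumed shape).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "sha256": "1f45f501512f1e5c172e6b17f45deb493a4fb3b6c68a8e5a9d4f0e1084fa7d8e"},
    # Same drop location, but a hash the report never saw: path still fires.
    {"type": "file", "target": r"C:\Windows\SysWOW64\omsecor.exe",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"type": "dns", "query": "mkkuei4kdsz.com"},
    {"type": "dns", "query": "update.microsoft.com"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "sha256": "1111111111111111111111111111111111111111111111111111111111111111"},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["type"], ", ".join(hits))
```

The second sample event is the point of the exercise: a fresh omsecor.exe with an unseen hash still trips the path rule, which is what you want given how the hashes vary in the report, while the hash set remains useful for confirming an already-collected binary with sha256_of_file.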