Malware Analysis Report

2024-09-11 08:39

Sample ID 240611-glknqaxdpq
Target 29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe
SHA256 09331c49524df52091575d2261593741ba12e982a161cf8c339fd934227a6f0d
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09331c49524df52091575d2261593741ba12e982a161cf8c339fd934227a6f0d

Threat Level: Known bad

The file 29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-11 05:53

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 05:53

Reported

2024-06-11 05:56

Platform

win7-20240221-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1968 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1968 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1968 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1772 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1772 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1772 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1772 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2396 wrote to memory of 3016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2396 wrote to memory of 3016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2396 wrote to memory of 3016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2396 wrote to memory of 3016 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image path, with the command line it was started with indented beneath it:

C:\Users\Admin\AppData\Local\Temp\29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
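The WriteProcessMemory rows and the process list above describe the same thing from two angles: the sample (PID 1968) drops and starts omsecor.exe in Roaming (1772), which starts a copy under System32 that lands in SysWOW64 (2396), which starts Roaming\omsecor.exe again (3016). A parent writing into a child it has just created can also be produced by ordinary process creation, so the table by itself does not prove code injection; the useful signal is the chain of dropped copies re-executing each other. The script below is an added example, not part of the sandbox report: it parses the rows as transcribed from the table above, collapses the repeated events per hop, and rebuilds the chain from the one PID that is never a target. Row format and helper names are this example's own.

```python
"""Rebuild the omsecor.exe execution chain from the report's
'Suspicious use of WriteProcessMemory' rows (behavioral1).

Added example; WPM_ROWS is transcribed from the report, the parsing and
chain logic is illustrative and not the sandbox's own code."""
import re
from collections import Counter

# (Description, Process, Target) as in the report; Indicator is N/A throughout.
# Each hop appears four times in the table, hence the "* 4".
WPM_ROWS = [
    ("PID 1968 wrote to memory of 1772",
     r"C:\Users\Admin\AppData\Local\Temp\29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe",
     r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
] * 4 + [
    ("PID 1772 wrote to memory of 2396",
     r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     r"C:\Windows\SysWOW64\omsecor.exe"),
] * 4 + [
    ("PID 2396 wrote to memory of 3016",
     r"C:\Windows\SysWOW64\omsecor.exe",
     r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
] * 4

_DESC = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_edges(rows):
    """Return Counter{(src_pid, dst_pid, src_image, dst_image): event_count}."""
    edges = Counter()
    for desc, src_img, dst_img in rows:
        m = _DESC.fullmatch(desc)
        if not m:            # tolerate rows that are not writer->target events
            continue
        edges[(int(m.group(1)), int(m.group(2)), src_img, dst_img)] += 1
    return edges


def build_chain(edges):
    """Order writer->target pairs into one chain, starting at the PID that
    is never written to (the original sample). Returns [(pid, image), ...]."""
    succ, image, targets = {}, {}, set()
    for src, dst, src_img, dst_img in edges:
        succ[src] = dst
        image[src] = src_img
        image[dst] = dst_img
        targets.add(dst)
    roots = [p for p in succ if p not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, got {roots}")
    chain, pid, seen = [], roots[0], set()
    while pid is not None and pid not in seen:   # guard against cycles
        seen.add(pid)
        chain.append((pid, image[pid]))
        pid = succ.get(pid)
    return chain


def hop_summary(edges):
    """WriteProcessMemory events per (src_pid, dst_pid) hop."""
    return {(s, d): n for (s, d, _, _), n in edges.items()}


if __name__ == "__main__":
    e = parse_edges(WPM_ROWS)
    for pid, img in build_chain(e):
        print(pid, img)
    print(hop_summary(e))
```

Run against a real sandbox export, the same root-finding rule separates a single propagation chain from genuine injection into an unrelated, pre-existing process: the latter shows up as a target PID that never appears in the sample's own process list.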

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 23bf85599e03f1a6b0370103e8e46300
SHA1 28aa2e3b3e33f75ca560242803e85988703d15d5
SHA256 3db2eaff8db64555bd4188dd353cfaa0e96e49a3b6181773e652fd4192ca210f
SHA512 83527d72b36703597106215071595e5cda7d0cd62d6012cd7b04f4c696d69accebfb367e179e7ffacc1a11b1096aa663f60eb0d3b7be4247b37659f6001f3fbf

C:\Windows\SysWOW64\omsecor.exe

MD5 3f61fb31147d576922e1babf4f895c3e
SHA1 6064cd837b2a8a6b9ca64afc294a1636629ff194
SHA256 2dc5b37ccfcdc2df3fb0e9f94f0d885a202c069f8d9361fbbfe8740a23662c51
SHA512 c30c852130128c13152bb514df26481b0e12ece7773d394b1c0902ef25005e04121ab45284b352c687ea7d4249532060c9b414496a5a837f9a5d295ec83e4c55

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d2f9553df69ae3acb530de3ed4a7f639
SHA1 46d22a52d2bfa39feeddf6ea582ac0deaf1a2144
SHA256 fa108b9fe766e534ead7c36ceb95e6b076e31309fd4191bce58bb91e05531716
SHA512 19e5b1d577596d52710f092cb0c3d6b74143bff1a45882d14c3b29a75ed6c7d8b87d1ac836e010d9c54f1c4074678009b17a3d039b8f6872fdcc08e35d4d6be5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 05:53

Reported

2024-06-11 05:56

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Image path, with the command line it was started with indented beneath it:

C:\Users\Admin\AppData\Local\Temp\29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\29fb57786f48da2a62b047b5890a6110_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4240,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
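The two Network tables (behavioral1 above and this one) are the report's only network indicators, and they differ in a way worth checking rather than eyeballing: on the Windows 7 run each of the three domains resolved and received an HTTP-port TCP connection, while on the Windows 10 run the same domains were only queried over DNS and no TCP connection was recorded. The 8.8.8.8.in-addr.arpa row is a reverse lookup of the resolver itself and is noise. The script below is an added example, not part of the report: it parses both tables as transcribed from the page, separates DNS queries from connections, reports which domains were queried but never contacted per run, and emits Suricata DNS rules (Suricata 5+ `dns.query` syntax) for the domains. The SID range starting at 9000001 and the rule message text are this example's own choices.

```python
"""Network IOC extraction from the report's behavioral1 and behavioral2
Network tables, plus Suricata DNS rule generation.

Added example; NETWORK_ROWS is transcribed from the report, everything
else is illustrative and not the sandbox's or Suricata's own code."""
from collections import defaultdict

# (run, "Country Destination Domain Proto") exactly as listed on the page
NETWORK_ROWS = [
    ("behavioral1", "US 8.8.8.8:53 lousta.net udp"),
    ("behavioral1", "FI 193.166.255.171:80 lousta.net tcp"),
    ("behavioral1", "FI 193.166.255.171:80 lousta.net tcp"),
    ("behavioral1", "US 8.8.8.8:53 mkkuei4kdsz.com udp"),
    ("behavioral1", "US 64.225.91.73:80 mkkuei4kdsz.com tcp"),
    ("behavioral1", "US 8.8.8.8:53 ow5dirasuek.com udp"),
    ("behavioral1", "US 52.34.198.229:80 ow5dirasuek.com tcp"),
    ("behavioral1", "US 8.8.8.8:53 lousta.net udp"),
    ("behavioral1", "FI 193.166.255.171:80 lousta.net tcp"),
    ("behavioral1", "FI 193.166.255.171:80 lousta.net tcp"),
    ("behavioral1", "US 64.225.91.73:80 mkkuei4kdsz.com tcp"),
    ("behavioral2", "US 8.8.8.8:53 lousta.net udp"),
    ("behavioral2", "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp"),
    ("behavioral2", "US 8.8.8.8:53 lousta.net udp"),
    ("behavioral2", "US 8.8.8.8:53 ow5dirasuek.com udp"),
    ("behavioral2", "US 8.8.8.8:53 lousta.net udp"),
    ("behavioral2", "US 8.8.8.8:53 lousta.net udp"),
    ("behavioral2", "US 8.8.8.8:53 mkkuei4kdsz.com udp"),
    ("behavioral2", "US 8.8.8.8:53 ow5dirasuek.com udp"),
]


def parse_row(run, line):
    country, dest, domain, proto = line.split()
    ip, port = dest.rsplit(":", 1)
    return {"run": run, "country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def parse_rows(rows):
    return [parse_row(run, line) for run, line in rows]


def is_dns(r):
    return r["proto"] == "udp" and r["port"] == 53


def is_noise(domain):
    # Reverse lookups of the resolver are OS/sandbox background, not C2.
    return domain.endswith(".in-addr.arpa")


def extract_iocs(rows):
    """Sorted domain list plus domain -> {ip} from non-DNS connections."""
    domains, resolutions = set(), defaultdict(set)
    for r in parse_rows(rows):
        if is_noise(r["domain"]):
            continue
        domains.add(r["domain"])
        if not is_dns(r):
            resolutions[r["domain"]].add(r["ip"])
    return {"domains": sorted(domains), "resolutions": dict(resolutions)}


def dns_only(rows, run):
    """Domains queried in `run` that never received a non-DNS connection."""
    queried, connected = set(), set()
    for r in parse_rows(rows):
        if r["run"] != run or is_noise(r["domain"]):
            continue
        (queried if is_dns(r) else connected).add(r["domain"])
    return queried - connected


def suricata_dns_rules(domains, base_sid):
    """One Suricata rule per domain; SIDs are a placeholder range."""
    return [
        f'alert dns any any -> any any (msg:"Neconyd C2 DNS query {d}"; '
        f'dns.query; content:"{d}"; nocase; endswith; '
        f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    print(iocs)
    for run in ("behavioral1", "behavioral2"):
        print(run, "queried but not contacted:", sorted(dns_only(NETWORK_ROWS, run)))
    print("\n".join(suricata_dns_rules(iocs["domains"], 9000001)))
```

The resolved IPs are kept separate from the domains on purpose: the page shows only one resolution per domain from a single day, so domain-based rules are the durable indicator and the IPs should be treated as point-in-time context.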

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 23bf85599e03f1a6b0370103e8e46300
SHA1 28aa2e3b3e33f75ca560242803e85988703d15d5
SHA256 3db2eaff8db64555bd4188dd353cfaa0e96e49a3b6181773e652fd4192ca210f
SHA512 83527d72b36703597106215071595e5cda7d0cd62d6012cd7b04f4c696d69accebfb367e179e7ffacc1a11b1096aa663f60eb0d3b7be4247b37659f6001f3fbf

C:\Windows\SysWOW64\omsecor.exe

MD5 4a944e6d74ea3cac1da7acb0fff0db0e
SHA1 cb15f56e264b85701aa165159ee36d5f23953c49
SHA256 a2ef449d62fcf6729e8d363ed57b4f9cb14b7b25ce48b1cf050a30e79128e185
SHA512 3f12084f0aab0106bbdf83a57cabb53c2ec9f80abe1c5816d11e407cbbd5176a57705db734d30f5b6157f168292324d9d901394e8572b16079096d5f7cf9ac5a

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 8e5e36784f7f53093c3a828b2fb44f58
SHA1 980ca176113a48c1b96400f14f5005d7b62fc206
SHA256 8a29db8fe92202d401df7aa5bb57e91b7165755e007214a835758711fe712d56
SHA512 9b58fc92d422e9d15f986e0f5ba531fc18572b3bb019a0de3d5b3918f4d1901f67b190c044c8390984b68bb4cec7cdfac84f5347223c6fbea7ba2af64dabd671
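Comparing the Files sections of the two runs shows something a hash-only blocklist misses: the first copy dropped to Roaming\omsecor.exe has the same SHA256 in both runs (3db2ea...), but the SysWOW64 copy and the second Roaming copy differ between runs and from each other, so the file is rewritten on each hop and the dropped-file hashes are weak indicators compared with the fixed file names and paths. Note also that the process was launched as C:\Windows\System32\omsecor.exe while the file landed in SysWOW64, which is what WOW64 file-system redirection does for a 32-bit process on 64-bit Windows; a hunt should therefore check both locations. The script below is an added example and not part of the report: it takes the hashes transcribed from the Files sections, shows which hashes are stable across runs and how many distinct hashes each path produced, and provides a small host check for the dropped paths. The hunt path list, the `demo_scan` helper and its placeholder file content are this example's own constructions.

```python
"""Dropped-file hash analysis for the two behavioral runs, plus a host
check for the paths omsecor.exe is written to.

Added example; REPORT_FILES is transcribed from the report's Files
sections, the rest is illustrative and not the sandbox's own code."""
import hashlib
import os
import tempfile
from collections import defaultdict

ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# (run, path, sha256) in the order the report lists them
REPORT_FILES = [
    ("behavioral1", ROAMING, "3db2eaff8db64555bd4188dd353cfaa0e96e49a3b6181773e652fd4192ca210f"),
    ("behavioral1", SYSWOW64, "2dc5b37ccfcdc2df3fb0e9f94f0d885a202c069f8d9361fbbfe8740a23662c51"),
    ("behavioral1", ROAMING, "fa108b9fe766e534ead7c36ceb95e6b076e31309fd4191bce58bb91e05531716"),
    ("behavioral2", ROAMING, "3db2eaff8db64555bd4188dd353cfaa0e96e49a3b6181773e652fd4192ca210f"),
    ("behavioral2", SYSWOW64, "a2ef449d62fcf6729e8d363ed57b4f9cb14b7b25ce48b1cf050a30e79128e185"),
    ("behavioral2", ROAMING, "8a29db8fe92202d401df7aa5bb57e91b7165755e007214a835758711fe712d56"),
]

# Original sample plus every dropped-file hash the report lists
KNOWN_SHA256 = {"09331c49524df52091575d2261593741ba12e982a161cf8c339fd934227a6f0d"} | {
    h for _, _, h in REPORT_FILES
}

# Locations to check on a suspect host (constructed from the report's paths).
# A 32-bit process writing to System32 is redirected to SysWOW64 by WOW64,
# so both are listed; expandvars resolves %APPDATA% / %SystemRoot% on Windows.
HUNT_PATHS = [
    r"%APPDATA%\omsecor.exe",
    r"%SystemRoot%\SysWOW64\omsecor.exe",
    r"%SystemRoot%\System32\omsecor.exe",
]


def hashes_by_path(records):
    """path -> sorted list of distinct SHA256 values seen across all runs."""
    seen = defaultdict(set)
    for _, path, digest in records:
        seen[path].add(digest)
    return {p: sorted(h) for p, h in seen.items()}


def stable_hashes(records):
    """Hashes that occur in every run; only these are reproducible IOCs."""
    per_run = defaultdict(set)
    for run, _, digest in records:
        per_run[run].add(digest)
    runs = list(per_run.values())
    return set.intersection(*runs) if runs else set()


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_host(candidate_paths, known_sha256):
    """Hash each existing candidate path; the name/location alone is the
    finding, `known` only says whether the content matches a listed hash."""
    hits = []
    for raw in candidate_paths:
        path = os.path.expandvars(raw)
        if not os.path.isfile(path):
            continue
        digest = sha256_file(path)
        hits.append({"path": path, "sha256": digest, "known": digest in known_sha256})
    return hits


DEMO_CONTENT = b"MZ constructed placeholder file, not the sample\n"


def demo_scan():
    """Offline demonstration: a constructed omsecor.exe in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        p = os.path.join(tmp, "omsecor.exe")
        with open(p, "wb") as f:
            f.write(DEMO_CONTENT)
        return scan_host([p], KNOWN_SHA256)


if __name__ == "__main__":
    print(hashes_by_path(REPORT_FILES))
    print("stable across runs:", stable_hashes(REPORT_FILES))
    print(scan_host(HUNT_PATHS, KNOWN_SHA256) or "no omsecor.exe at hunted paths")
```

On a live host a file at any of the hunted paths is the finding even when `known` is False, since the report shows the content changing with each copy; the hash is recorded so the sample can be tied back to this family by static analysis rather than used as the sole match criterion.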