Analysis Overview
SHA256
225e8286e67555f3b4a076d15d22ed08810f4bd3d91216e79a38072fe16bfc76
Threat Level: Known bad
The file 2a3d552b5f148a614d86583ce709c8d0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-11 06:03
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 06:03
Reported
2024-06-11 06:05
Platform
win7-20240419-en
Max time kernel
146s
Max time network
149s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a3d552b5f148a614d86583ce709c8d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a3d552b5f148a614d86583ce709c8d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a3d552b5f148a614d86583ce709c8d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a3d552b5f148a614d86583ce709c8d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 7108edcbe5eae3bb64cd5bb9dd52ae80 |
| SHA1 | 4e6a734f511b09f3fe363aaf99aae6a4ea37c432 |
| SHA256 | 3b5983bf6ec8ba16dfe76258e5403324fad0a66dc4f2b8be6a6fe3d9a791e06b |
| SHA512 | 3e69709df8a5c7b8cf799dba0b4bba28eca2c0179311b80940a94546b5439f1cd4c4347c9612d09db18c357cd54209b5afddc05ee458286b1e20e94b9075273c |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 262a4453ea903f7830057771df32c5e3 |
| SHA1 | 4fdcded95f585e45c3316d495a4f7a76ffdd082b |
| SHA256 | e211207037ace5520f74b469f9667534981dd6a0cef0b2956e31ea0d03111a8d |
| SHA512 | 568d49741ad2b768322be40350c183d03885c7f5a266eaab716e37eb985b0ba8e6dced3529a28662d58fbe89fa7229e584554f3cd77cd4407e77039f50712ef8 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | df1a2724ef578e036cd23b06e3a383c4 |
| SHA1 | ad70f5da97e5aa2ccbc506c1d47b495eeb857a90 |
| SHA256 | d81f571f8e65f4c90e27d575580791041cfa2239e45b6af62b08160429f23c7a |
| SHA512 | 39167898326281483f574b1561bbe835387a1d0109a2f98c218153cdcb90a80d2fcb0811581b28b5c77284dce05765a34dcb3c2ed4b43bee851fc7983d3450d6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 06:03
Reported
2024-06-11 06:05
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
149s
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3720 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\2a3d552b5f148a614d86583ce709c8d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3720 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\2a3d552b5f148a614d86583ce709c8d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3720 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\2a3d552b5f148a614d86583ce709c8d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4796 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4796 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4796 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2a3d552b5f148a614d86583ce709c8d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a3d552b5f148a614d86583ce709c8d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 7108edcbe5eae3bb64cd5bb9dd52ae80 |
| SHA1 | 4e6a734f511b09f3fe363aaf99aae6a4ea37c432 |
| SHA256 | 3b5983bf6ec8ba16dfe76258e5403324fad0a66dc4f2b8be6a6fe3d9a791e06b |
| SHA512 | 3e69709df8a5c7b8cf799dba0b4bba28eca2c0179311b80940a94546b5439f1cd4c4347c9612d09db18c357cd54209b5afddc05ee458286b1e20e94b9075273c |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 91d0936a1427b99c291e5e55d360056e |
| SHA1 | d5e3b65d07476dfbceb2cbe1373a20481716c848 |
| SHA256 | ab4974069712769a0bac59f522d826a79113e642c766f077dc94cf256de00bff |
| SHA512 | 36e1a2389521c98527147845aca4a7341510022dc9d47005c4144093f661eb8b52bc7ffc0a31fdca80ca309d5d9f65f1056c7eeafa64f614a33eb0c9a254e6b0 |