Analysis Overview
SHA256
351c5eb9eab6fa984c2545dc7a0ae6fb171d8cd9646149b957c611e87b5566b6
Threat Level: Known bad
The file 2bda67ea9ddb311e428b1a6590905d00_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 07:05
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 07:05
Reported
2024-06-11 07:07
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda67ea9ddb311e428b1a6590905d00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2bda67ea9ddb311e428b1a6590905d00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bda67ea9ddb311e428b1a6590905d00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2bda67ea9ddb311e428b1a6590905d00_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2840-1-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4e7af6c295752300fa4d7298c20de2a2 |
| SHA1 | 165fc7a634ac27192955b5c4c93af2f5fddc37f8 |
| SHA256 | 8d87906359af3cbcddc1d9bff207cf7a981da16d75ecb263b9ee994770e6ada5 |
| SHA512 | b53d86e2e66a1a4d2e9f78226d63d8373a75449847039c016af40eb743d0895bfe691cbd4c27f4d784db529151264cb58a9caa79f28f9e76c02103b2ab7d66b8 |
memory/2480-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2480-11-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | caa3927c7deb355016c2c1743e93bb2d |
| SHA1 | 4a6d2cbb2a086d001c2e84eede370339e153f100 |
| SHA256 | 13712edd344157c27cc5989829bc94003da1ec0495150929899b0ee90df2551c |
| SHA512 | 700caa2900468ed85a206424cd196ab784c4fd47c44b5e2ab748017863c05167b9655401b5b18f02f6a0e777e7fc36adcaa9490d88e367bda035524210bced36 |
memory/2480-14-0x0000000000310000-0x000000000033B000-memory.dmp
memory/2480-20-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 94d6c7008da857d8fc8cff87fb7acc3f |
| SHA1 | ab4ee65ab774b3cfbe9c2b4aae7f2fa20b587803 |
| SHA256 | f765d28a16acae8495620218077f4d6f7b27cdc0b14a46675aede97c84b4a57e |
| SHA512 | 4576c01e62a4e998c7b6d73c72be6679f38a6ba0081a3aa63946afed348b3d43d1fbfe803361285a60e8f273732c172e01aec8036e518bd053260c253b360832 |
memory/1660-26-0x0000000000220000-0x000000000024B000-memory.dmp
memory/1712-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1660-31-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1712-35-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 07:05
Reported
2024-06-11 07:07
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
142s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2bda67ea9ddb311e428b1a6590905d00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2bda67ea9ddb311e428b1a6590905d00_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/4544-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 4e7af6c295752300fa4d7298c20de2a2 |
| SHA1 | 165fc7a634ac27192955b5c4c93af2f5fddc37f8 |
| SHA256 | 8d87906359af3cbcddc1d9bff207cf7a981da16d75ecb263b9ee994770e6ada5 |
| SHA512 | b53d86e2e66a1a4d2e9f78226d63d8373a75449847039c016af40eb743d0895bfe691cbd4c27f4d784db529151264cb58a9caa79f28f9e76c02103b2ab7d66b8 |
memory/4544-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4620-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4620-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 3eebd0143255ba4354096ecbb7737a62 |
| SHA1 | a077df2fde7ce914bb1ef25e2487538227743de5 |
| SHA256 | 5bd63bea8e0495f15a55da450c28069889717e9d0c2c2c44d2bed0b47d576004 |
| SHA512 | b2b4d2aba25218702be836c95d56a420808aefff81c1a1ab181ded5d3ae93906dc65482dbcd9dfade245f2912bb634978f00b5b2fe34aab499d3a5f31e049a69 |
memory/4620-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/544-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/544-17-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 33e6660b9d917419633ede7db7105b0a |
| SHA1 | 382db9f11018aea0a0d4a37255e384ec7b679e12 |
| SHA256 | edf9d52a69bf09114ec856b1ca89b53952422fe20a74561e21079e460121a317 |
| SHA512 | d5228b226bc7515a4945941ff3c1ab10757eeccfacc08bbce94089f0609eb7fbd2c04dbc0e502ee6cecdfbb6b68822ed16a5a88da036ba2bb33777a4f3dab0cd |
memory/4164-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4164-20-0x0000000000400000-0x000000000042B000-memory.dmp
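The two detonations above give a compact indicator set for this Neconyd sample: the dropped file name omsecor.exe under %AppData%\Roaming and under SysWOW64 (shown as System32 in the process list, consistent with WoW64 file-system redirection for a 32-bit process), six distinct SHA-256 values across the submitted file and its drops, and DNS lookups for lousta.net, mkkuei4kdsz.com and ow5dirasuek.com. The following is an added hunting example, not part of the sandbox report or of any vendor tooling: it sweeps Sysmon-style telemetry for those indicators. The event schema (`kind`, `image`, `target`, `sha256`, `query`) and the sample events are constructed for the example and are not Sysmon's real field names; swap in your collector's fields.

```python
"""IOC sweep for the omsecor.exe / Neconyd indicators in the report above.

Added example, not from the sandbox vendor.  Event schema is a simplified,
constructed stand-in for Sysmon events 1 (process create), 11 (file create)
and 22 (DNS query); map your collector's field names onto it.
"""
import re
from typing import Dict, List

# SHA-256 values listed in the report (submitted sample plus every drop).
SHA256_IOCS = {
    "351c5eb9eab6fa984c2545dc7a0ae6fb171d8cd9646149b957c611e87b5566b6",  # submitted sample
    "8d87906359af3cbcddc1d9bff207cf7a981da16d75ecb263b9ee994770e6ada5",  # Roaming\omsecor.exe, first write (both runs)
    "13712edd344157c27cc5989829bc94003da1ec0495150929899b0ee90df2551c",  # SysWOW64\omsecor.exe (win7)
    "f765d28a16acae8495620218077f4d6f7b27cdc0b14a46675aede97c84b4a57e",  # Roaming\omsecor.exe, rewritten (win7)
    "5bd63bea8e0495f15a55da450c28069889717e9d0c2c2c44d2bed0b47d576004",  # SysWOW64\omsecor.exe (win10)
    "edf9d52a69bf09114ec856b1ca89b53952422fe20a74561e21079e460121a317",  # Roaming\omsecor.exe, rewritten (win10)
}

# Domains queried in both detonations.
DOMAIN_IOCS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}

# Drop locations seen in the report.  System32 is included because a 32-bit
# process writing there is redirected to SysWOW64 by WoW64, and telemetry may
# record either spelling.
DROP_PATH_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\roaming|windows\\(?:syswow64|system32))\\omsecor\.exe$",
    re.IGNORECASE,
)


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicator categories an event hits; empty list means no hit.

    Keys (constructed schema): kind, image (acting process), target (created
    file or child image), sha256 (hash the collector recorded for the target),
    query (DNS name for dns_query events).
    """
    hits: List[str] = []
    if ev.get("sha256", "").lower() in SHA256_IOCS:
        hits.append("sha256")
    for key in ("image", "target"):
        path = ev.get(key, "")
        if path and DROP_PATH_RE.match(path):
            hits.append(f"path:{key}")
    name = ev.get("query", "").rstrip(".").lower()
    if name in DOMAIN_IOCS:
        hits.append("domain")
    return hits


def sweep(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> hit list for every event with at least one hit."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}


# Constructed sample telemetry mirroring the behavioral1 chain, plus two
# benign events that must not match.
SAMPLE_EVENTS = [
    {"kind": "process_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\AppData\Local\Temp\2bda67ea9ddb311e428b1a6590905d00_NeikiAnalytics.exe",
     "sha256": "351c5eb9eab6fa984c2545dc7a0ae6fb171d8cd9646149b957c611e87b5566b6"},
    {"kind": "file_create",
     "image": r"C:\Users\Admin\AppData\Local\Temp\2bda67ea9ddb311e428b1a6590905d00_NeikiAnalytics.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "sha256": "8d87906359af3cbcddc1d9bff207cf7a981da16d75ecb263b9ee994770e6ada5"},
    {"kind": "file_create", "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "target": r"C:\Windows\SysWOW64\omsecor.exe",
     "sha256": "13712edd344157c27cc5989829bc94003da1ec0495150929899b0ee90df2551c"},
    {"kind": "dns_query", "image": r"C:\Windows\SysWOW64\omsecor.exe", "query": "mkkuei4kdsz.com"},
    {"kind": "dns_query", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "example.org"},
    {"kind": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for idx, hits in sweep(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev['kind']:15} {ev.get('target') or ev.get('query')}  <- {', '.join(hits)}")
```

The hash set should be treated as the weakest indicator: the Roaming copy is rewritten with a different hash inside a single run, so a fresh build will miss every SHA-256 while still landing on the same two paths and querying the same three names. A path-only hit on a non-Microsoft omsecor.exe under SysWOW64, followed by a DNS query from that image, is the pairing worth alerting on.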