Analysis Overview
SHA256
c56893dab8c6c77f9fcc77fac2d6a853ac948157e27a86cd4bb0424064dd4f73
Threat Level: Known bad
The file 00cfbf340e6ded1bd866b575effcc8e0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 20:36
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 20:36
Reported
2024-06-11 20:39
Platform
win7-20240221-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00cfbf340e6ded1bd866b575effcc8e0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00cfbf340e6ded1bd866b575effcc8e0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\00cfbf340e6ded1bd866b575effcc8e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00cfbf340e6ded1bd866b575effcc8e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 1809084415f31c0105b44317bb13c769 |
| SHA1 | d88fa9d10b326f11d1f530ff2dbaeb96681c99f5 |
| SHA256 | 640ce83f382b071bba5605f27f370454c553adbcc9ef883f016d94447a018ad3 |
| SHA512 | f321560d784685da65860d5836c6ba12ed8bf2f299b02c9e08fa1aa9b2079065217b675680a777cdce6aefaeef757d11be3bc06a190837172da1eb671cec0d78 |
\Windows\SysWOW64\omsecor.exe
| MD5 | c9e35fb1895d48bf9c9c2db8efe7e16b |
| SHA1 | 9ef9b9ff4854203393f405a00d08f7076b16d441 |
| SHA256 | cf330aaa1b0ea90155c6c0bb951c48931021cea31b17f7b62cd4011e91740aa0 |
| SHA512 | 4f47a5594958fd7a7ec92e31954cef57a15f264fe0bcd0b09a184cafcf09f57df5a93f106b392d9555a44a81dd9b84360f2137dd2e2fc6f48072e80dac04a8f1 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b467673da234c1fba4bbdfc57c65192f |
| SHA1 | ddbf160b455beeb6953ac39c9c6afffb0c9479c4 |
| SHA256 | e132059f6a07a4ec1eb479f74d674425799c2e0dfad842c90f0101cc1cd41cea |
| SHA512 | 9da7e2e931f94c6de64b68dd87fcc9de7ae0d1d197793eca74d5d84f6ff5ffb053beb541a325ea94f442d573d3d96069c73c327d74172c9cca553bc91e04920c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 20:36
Reported
2024-06-11 20:39
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2008 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\00cfbf340e6ded1bd866b575effcc8e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2008 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\00cfbf340e6ded1bd866b575effcc8e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2008 wrote to memory of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\00cfbf340e6ded1bd866b575effcc8e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 5080 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 5080 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 5080 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\00cfbf340e6ded1bd866b575effcc8e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00cfbf340e6ded1bd866b575effcc8e0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 1809084415f31c0105b44317bb13c769 |
| SHA1 | d88fa9d10b326f11d1f530ff2dbaeb96681c99f5 |
| SHA256 | 640ce83f382b071bba5605f27f370454c553adbcc9ef883f016d94447a018ad3 |
| SHA512 | f321560d784685da65860d5836c6ba12ed8bf2f299b02c9e08fa1aa9b2079065217b675680a777cdce6aefaeef757d11be3bc06a190837172da1eb671cec0d78 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 1e0ed8bf3a123e4c11256919ea72d07d |
| SHA1 | a83faab8f369f55310f1cbfcfc3339c96f96308d |
| SHA256 | 958f896bff022e919ccc21c5f8f9760bf17a3ecc6eeba196ce5b42851651ad23 |
| SHA512 | db532936d3cf26c3e0e8782f5f75db588f0fd4300a645f4d12f727da8a8c0c36550d0bf844955a9be4257a16feba93e1a9f3390404220ce4283bd187dc0f874c |