Malware Analysis Report

2024-09-11 08:40

Sample ID 240612-31ftzawdme
Target 4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe
SHA256 660007632d63f2437f4c0d82a519f09c6fd788e72665203a2316adf86c9920db
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

660007632d63f2437f4c0d82a519f09c6fd788e72665203a2316adf86c9920db

Threat Level: Known bad

The file 4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 23:58

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 23:58

Reported

2024-06-13 00:01

Platform

win7-20240221-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 2152 (reported 4 times) N/A C:\Users\Admin\AppData\Local\Temp\4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2152 wrote to memory of 2996 (reported 4 times) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2996 wrote to memory of 1660 (reported 4 times) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Note: the three writer/target pairs form one linear chain, 1996 -> 2152 -> 2996 -> 1660, which matches the order of the Processes list below (original sample -> Roaming copy -> SysWOW64 copy -> Roaming copy). Each parent wrote into its freshly spawned child exactly four times; that pattern is also produced by ordinary process creation, and the report does not show the written buffers, so this signature on its own does not establish code injection. The dropper chain and the file locations are the stronger evidence here.

Processes (image path, then command line)

Image: C:\Users\Admin\AppData\Local\Temp\4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Note: the third process is launched with a C:\Windows\System32 path, but the image on disk is C:\Windows\SysWOW64\omsecor.exe. The sample is a 32-bit binary running under WOW64, and file system redirection maps its writes to and launches from System32 onto SysWOW64. A hunt that only checks C:\Windows\System32\omsecor.exe will not find the file.
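
The following is an added example, not part of the sandbox report: a small Python parser that reads the "Suspicious use of WriteProcessMemory" rows above in the exact text form the report prints them, collapses the repeated per-call rows into one edge per writer/target PID pair with a count, reconstructs the process chain from the original sample, and tags each image path the way a triage script would (execution from a user-writable directory, an unexpected binary in SysWOW64). The sample rows are copied from this report; the short list of "known" SysWOW64 binaries is an illustrative placeholder, not a real allowlist.

```python
import re
from collections import Counter

# Constructed sample input: the "Suspicious use of WriteProcessMemory" rows from
# behavioral1 of this report, one event per line, exactly as the report prints them
# (the same parent/child pair is listed once per write call).
WPM_ROWS = r"""
PID 1996 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1996 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1996 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1996 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2152 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2152 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2152 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2152 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2996 wrote to memory of 1660 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2996 wrote to memory of 1660 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2996 wrote to memory of 1660 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2996 wrote to memory of 1660 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
"""

# One report row: "PID <writer> wrote to memory of <target> N/A <writer image> <target image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_wpm_rows(text):
    """Collapse the per-call rows into one edge per (writer PID, target PID).

    Returns (edges, counts): edges maps the PID pair to (writer image, target image);
    counts records how many write events the report listed for that pair."""
    edges, counts = {}, Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line or a row in a format this parser does not know
        src, dst, src_img, dst_img = m.groups()
        key = (int(src), int(dst))
        edges.setdefault(key, (src_img, dst_img))
        counts[key] += 1
    return edges, counts


def process_chain(edges, root_pid):
    """Walk writer -> target edges from the root PID; stop at a leaf or on a cycle."""
    nxt = {src: dst for (src, dst) in edges}
    chain = [root_pid]
    while chain[-1] in nxt and nxt[chain[-1]] not in chain:
        chain.append(nxt[chain[-1]])
    return chain


# Path fragments that mark a user-writable location (lower-cased, backslash form).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def path_findings(edges):
    """Tag each image in the chain: execution from a user-writable directory, and a
    binary in the WOW64 system directory whose name is not a known Windows component.
    The known-binary set is an assumption for illustration, not a complete allowlist."""
    known_syswow64 = {"cmd.exe", "rundll32.exe", "svchost.exe"}
    findings = {}
    images = {img for pair in edges.values() for img in pair}
    for img in sorted(images):
        low = img.lower()
        name = low.rsplit("\\", 1)[-1]
        tags = []
        if any(marker in low for marker in USER_WRITABLE):
            tags.append("runs-from-user-writable-dir")
        if "\\windows\\syswow64\\" in low and name not in known_syswow64:
            tags.append("unexpected-binary-in-syswow64")
        if tags:
            findings[img] = tags
    return findings


EDGES, COUNTS = parse_wpm_rows(WPM_ROWS)
CHAIN = process_chain(EDGES, 1996)
FINDINGS = path_findings(EDGES)

if __name__ == "__main__":
    print("chain:", " -> ".join(map(str, CHAIN)))
    for (src, dst), n in COUNTS.items():
        print(f"{src} -> {dst}: {n} write events into {EDGES[(src, dst)][1]}")
    for img, tags in FINDINGS.items():
        print(img, tags)
```

The count per edge is kept rather than discarded because a run where one pair shows dozens of writes, or writes into a process the parent did not spawn, would be a different finding from the four-per-child pattern in this report.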

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Note: 8.8.8.8:53 is the sandbox's resolver, not an indicator. The tcp rows are the addresses the three domains resolved to and the sample connected to on port 80 during this run (2024-06-13); the domain names are the durable indicators, the addresses are dated.
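
As an added example (not part of the report), here is a Python routine that turns the Network table above into two indicator sets, queried domains and contacted TCP endpoints, dropping the resolver and any reverse lookup, and then runs the domain set over a DNS query log with suffix matching so that a subdomain hits and a look-alike name does not. The table rows are copied from this report; the DNS log lines and their "timestamp client qtype qname" layout are constructed for the example, and the resolver set is an assumption about this sandbox.

```python
import re

# Constructed sample input: the Network table from behavioral1 of this report.
NET_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
"""

# Sandbox resolver(s): infrastructure, not indicators. Assumption: 8.8.8.8 is the only one here.
RESOLVERS = {"8.8.8.8"}

# One table row: "<country> <ip>:<port> <domain> <udp|tcp>"
ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+) (\S+) (udp|tcp)$")


def parse_network_rows(text):
    """Build indicator sets from the report rows: queried domains (reverse lookups
    dropped) and the (ip, port) TCP endpoints actually contacted, resolver excluded."""
    domains, endpoints = set(), set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or unknown format
        _country, ip, port, domain, proto = m.groups()
        if domain.lower().endswith(".in-addr.arpa"):
            continue
        domains.add(domain.lower())
        if proto == "tcp" and ip not in RESOLVERS:
            endpoints.add((ip, int(port)))
    return {"domains": domains, "tcp": endpoints}


def domain_matches(qname, iocs):
    """Exact or subdomain match: www.lousta.net hits lousta.net, notlousta.net does not."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in iocs["domains"])


# Constructed log layout for the example: "<timestamp> <client ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def scan_dns_log(lines, iocs):
    """Return (timestamp, client, qname) for every log line that queried an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _qtype, qname = m.groups()
        if domain_matches(qname, iocs):
            hits.append((ts, client, qname.rstrip(".")))
    return hits


# Constructed DNS query log; these lines are made up for the example, not from the report.
SAMPLE_DNS_LOG = [
    "2024-06-13T00:00:01Z 10.0.0.5 A lousta.net.",
    "2024-06-13T00:00:02Z 10.0.0.5 A www.google.com.",
    "2024-06-13T00:00:09Z 10.0.0.7 A cdn.mkkuei4kdsz.com.",
    "2024-06-13T00:00:11Z 10.0.0.9 A notlousta.net.",
    "2024-06-13T00:00:12Z 10.0.0.5 PTR 8.8.8.8.in-addr.arpa.",
]

IOCS = parse_network_rows(NET_ROWS)
HITS = scan_dns_log(SAMPLE_DNS_LOG, IOCS)

if __name__ == "__main__":
    print("domains:", sorted(IOCS["domains"]))
    print("tcp endpoints:", sorted(IOCS["tcp"]))
    for ts, client, qname in HITS:
        print(f"{ts} {client} queried {qname}")
```

Matching on the domain set is the part that transfers to other environments; the TCP endpoints are worth keeping only with the run date attached, since they are whatever the names resolved to on 2024-06-13.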

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 00e7823976c8b8036bc56af77a70d583
SHA1 06b4730175b5b02a22d06efb986676775745c543
SHA256 094dde71867b3e83cf1dcf0741df898de8a20288746d32ad75181c711c748800
SHA512 6eaef8ae072e7981a590fe792100b117790747eeb01ee2f7f189c325ba631fc132892e8ac04d46f51127aacb438eecda2d5a834dbdf545314cc8f21785434faa

\Windows\SysWOW64\omsecor.exe

MD5 2e92e0fc5852df7449b0ef5c81b4d44c
SHA1 077a58a6d5cdeaf5ec595744832f02e644b7ee83
SHA256 a770aa01bfa63117da6a01d5ab6eea73905e3751d776ba399983928288fbe84c
SHA512 65ee87624d8679cd62e4bac23d9b08313c186dd0bbd64bd7c83a67e772a807ac2948f050a9a978c21f94a167f71a4a143ff1c17147efa55e6f96efeaf288c463

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 763768a163de5be4f2de9023cbe87909
SHA1 e772245e79a604dfde3a756c56a8018e496dd4b4
SHA256 5c09587acd10f46d291d3c7905c32a1e3a9f91278977d07cd6d2e50269ff40b2
SHA512 61fc60bb97a13463edb89c173b0c9cd8f3d7247b9dddbaf56764683f14c0e42c0fb8967e7941d0727d5b2e1012104d5fa72950173c5f9203898dd3117085c733

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 23:58

Reported

2024-06-13 00:01

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes (image path, then command line)

Image: C:\Users\Admin\AppData\Local\Temp\4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4e6d682e859f6cdb99bb55c3f5048cf0_NeikiAnalytics.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Note: the same chain as on Windows 7, and the same WOW64 file system redirection: the command line says System32, the file lands in SysWOW64.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Note: on Windows 10 the report records only DNS queries for the same three domains and no tcp connection; either the lookups did not lead to a connection or none was made within the 139 s network window. The 8.8.8.8.in-addr.arpa row is a reverse lookup of the resolver and is sandbox noise, not an indicator. The Windows 7 run is the one that shows the resolved addresses.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 00e7823976c8b8036bc56af77a70d583
SHA1 06b4730175b5b02a22d06efb986676775745c543
SHA256 094dde71867b3e83cf1dcf0741df898de8a20288746d32ad75181c711c748800
SHA512 6eaef8ae072e7981a590fe792100b117790747eeb01ee2f7f189c325ba631fc132892e8ac04d46f51127aacb438eecda2d5a834dbdf545314cc8f21785434faa

C:\Windows\SysWOW64\omsecor.exe

MD5 a37d698f57bee0a8c9b84ad8546b517f
SHA1 6122b8a300cda3283601f4b1adee809a4215f84a
SHA256 442ef0b89ce047f3658bddea4d2410775dc4f61480dccbfb5e5f9dd91ee8acf9
SHA512 d3626569262d2435f06d193996da8bdafdb0edeb5676562e046294c433ba387c2ba6fbb59535bb16610d89ca28e16c82c904b73d59a1c1d96178caba93896a5b

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0a5d67f8b4bddcc55138f8c52b9cd5ba
SHA1 5a0f76ad50b945995d41d70a75413c8a7b74235a
SHA256 b7d3b879dcb597ca0610db474ff7a823f94b75f92cfbb3ef03a0ea903d76c72c
SHA512 4fd870d03ae3d0f388c3c3fc07c021fc21e6f1006096a56be7235e64b9ac82bf682358e79f9f8ba219ce8f648f4dbbaea8af99b9506a9dc8ba2450151de21e44

Note on the file hashes: C:\Users\Admin\AppData\Roaming\omsecor.exe is listed twice per run because the file is rewritten during the detonation; the second copy has a different hash from the first. The first-stage drop (MD5 00e7823976c8b8036bc56af77a70d583, SHA256 094dde71867b3e83cf1dcf0741df898de8a20288746d32ad75181c711c748800) is byte-identical in the Windows 7 and Windows 10 runs, so its hashes are usable as file indicators. The SysWOW64 copy and the rewritten Roaming copy carry different hashes in each run, so those values identify only this detonation; for them, hunt on the path pair (%APPDATA%\omsecor.exe and C:\Windows\SysWOW64\omsecor.exe), the process chain, and the three contacted domains instead.