Analysis Overview
SHA256
0c28664b1811fdc772381a52256a198ee86fd4d0d38683098aac7600b14ceb26
Threat Level: Known bad
The file 158bfdd88905d9d4efa5aea8888dcdb0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-12 01:40
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 01:40
Reported
2024-06-12 01:43
Platform
win10v2004-20240611-en
Max time kernel
137s
Max time network
145s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\158bfdd88905d9d4efa5aea8888dcdb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\158bfdd88905d9d4efa5aea8888dcdb0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
Files
memory/4940-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6be5b2c20bf63a1297c23bc23eb6be44 |
| SHA1 | 3670bc929954f56f85973f18e2bc44ee34f0311b |
| SHA256 | 18080ac88cfe4c848010302ac67a567db2c56bf6279befe60b01c485661b433e |
| SHA512 | 33b5ccdc0bab4e2094f441a76a45b2e3bdceeea7605db8304926d8450143657e814f02f44234a8ac4bba25a410aec52659b0f6d652722886e14b1fcfcf8fde5f |
memory/4940-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4548-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4548-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 268cb2c16db2055809d9858b12513738 |
| SHA1 | 92d3254b3658069764bcec918f8a9d33b44cac45 |
| SHA256 | 700cc61c93d2688c81a473660316fe076f2cb05316c4be122b8b25a85daf4e7d |
| SHA512 | 48115f58b1b9b1c0989e02e16b0dee0d2f64eba8a26d25802d2f1a46909d9ee1de73515d4d09ed1cc4d0ce389df2fa4352264249f429c4a49704c6a60dac33db |
memory/2620-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4548-11-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e9a134a89c4a2b61c105b89f9a7895d6 |
| SHA1 | 45dd8ddd3fa83f8cc8e214fb25880a654a954477 |
| SHA256 | b3cd16d6ee43a54044a499e6da66b95c763443ad715808c4fe804e1ebbc10e0c |
| SHA512 | c878fa0bc03ccab87fa82db038383f056933ca9df2a9798b1bb89677469e92c29eb987bf25c5a580c68d488d481d231511774665f0f3f25769f3a98c0f02b638 |
memory/2620-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4112-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4112-20-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 01:40
Reported
2024-06-12 01:43
Platform
win7-20240419-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\158bfdd88905d9d4efa5aea8888dcdb0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\158bfdd88905d9d4efa5aea8888dcdb0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\158bfdd88905d9d4efa5aea8888dcdb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\158bfdd88905d9d4efa5aea8888dcdb0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2940-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6be5b2c20bf63a1297c23bc23eb6be44 |
| SHA1 | 3670bc929954f56f85973f18e2bc44ee34f0311b |
| SHA256 | 18080ac88cfe4c848010302ac67a567db2c56bf6279befe60b01c485661b433e |
| SHA512 | 33b5ccdc0bab4e2094f441a76a45b2e3bdceeea7605db8304926d8450143657e814f02f44234a8ac4bba25a410aec52659b0f6d652722886e14b1fcfcf8fde5f |
memory/2940-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2628-10-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2628-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 84d3f48bf2811f02fb42a5dd1329b19e |
| SHA1 | 55645d6c21c91145aaafd70f7f4cdae3ea1b8359 |
| SHA256 | 4a1d14aabe09563b7b52bbb8e82285d8ac9284ec8a1a4472d856ec4b27a71f65 |
| SHA512 | 0dda0dd0eedcaf46bbecd1d8788a5f4fc12ab7a2de8ca88c2e05cd6e72c6565b52a0b541dade8c8780c42d65c5397be9a78491d0e1de087ba54345db6e31cc64 |
memory/2628-15-0x0000000000360000-0x000000000038B000-memory.dmp
memory/2628-21-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1596-23-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f453f5b0166fb751000ec168878a1a8b |
| SHA1 | fc385801f4ce0943b7ab24f63c42668f7eeb7d9e |
| SHA256 | a5c112cc63244900dc1fe5961dc0ccdbd67151af325ffd0a4560db5886025acf |
| SHA512 | 2dae207d282bcf01c118e5a7ae05959dbe76b23e7c14a7985c347048045165784c449de9d4207f4b73f7cfc814a8fd2adecb7162833e529a30e2854a190b3730 |
memory/1596-32-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1792-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1792-36-0x0000000000400000-0x000000000042B000-memory.dmp