Malware Analysis Report

2024-09-11 08:32

Sample ID 240612-bkl79sxdml
Target 13ed5277a13f0aaf167ee1627dc2f730_NeikiAnalytics.exe
SHA256 96eb589050cf8cff49eb534bde8a7c876e125f5c8a8c44b1ca30ba8f70489314
Tags: neconyd, trojan, upx
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 96eb589050cf8cff49eb534bde8a7c876e125f5c8a8c44b1ca30ba8f70489314
Threat level: Known bad

The file 13ed5277a13f0aaf167ee1627dc2f730_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags: neconyd, trojan, upx

Neconyd
Neconyd family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory

What the two detonations show, read together: the UPX-packed, unsigned sample drops omsecor.exe into %APPDATA% (C:\Users\Admin\AppData\Roaming) and runs it; that copy writes a second omsecor.exe into the system directory and runs it, and that one launches the %APPDATA% copy again. The "Drops file in System32 directory" hit is recorded under C:\Windows\SysWOW64 while the launched command line reads C:\Windows\System32: the sample runs as a 32-bit process (its image is mapped at 0x400000 and its copy lands in SysWOW64), so WoW64 file-system redirection turns its System32 writes into SysWOW64 writes. In the Windows 7 run each parent writes into the memory of the child it spawned (four WriteProcessMemory calls per hop). Both runs resolve lousta.net, mkkuei4kdsz.com and ow5dirasuek.com via 8.8.8.8; only the Windows 7 run followed up with TCP connections to port 80. Only the first %APPDATA% drop (SHA256 d0d4589e...) has the same hash in both runs; the SysWOW64 copy and the second %APPDATA% copy differ between the runs and from each other, so a detection should key on the drop paths, the process chain and the DNS names rather than on the hashes of the later copies.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 01:12

Signatures

Neconyd family (neconyd)

UPX packed file (upx)
  1 match; no description, indicator, process or target recorded.

Unsigned PE
  2 matches; no description, indicator, process or target recorded.

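The static1 signatures (UPX packed file, Unsigned PE) are header-level findings, and every memory dump in the behavioral runs spans 0x400000-0x42C000, i.e. ImageBase plus SizeOfImage. The following is an added example, not part of this report and not the sandbox's own code: a dependency-free PE header triage in Python that reports bitness, the image range, section names with entropy, a UPX/packer heuristic and whether an Authenticode blob is embedded. Because the sample itself is not on this page, it runs against a constructed PE32 header set that reuses the report's image range with UPX-style sections; the section sizes, entry point and payload bytes in that constructed input are assumptions.

```python
"""Static triage of a PE: bitness, image range, section names/entropy, embedded signature."""
import hashlib
import math
import struct
from collections import Counter

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode blob (file offset, size)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; compressed or encrypted data scores close to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage_pe(data: bytes) -> dict:
    """Parse just enough of the headers to answer what a sandbox 'static' pass answers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    elif magic == 0x20B:                     # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    _, sec_size = struct.unpack_from("<II", data, dirs + SECURITY_DIR * 8)

    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "entropy": round(shannon_entropy(raw), 2)})

    upx_names = any(s["name"].startswith("UPX") for s in sections)
    # Generic packer shape: a section empty on disk but large in memory (the unpack buffer)
    # followed by a high-entropy section carrying the compressed image. UPX0/UPX1 are this shape,
    # so a renamed UPX or another packer still trips the heuristic.
    stub_shape = any(a["rawsize"] == 0 and a["vsize"] >= 0x1000 and b["entropy"] > 7.0
                     for a, b in zip(sections, sections[1:]))
    return {
        "machine": machine,
        "bits": 32 if machine == 0x14C else 64 if machine == 0x8664 else None,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "image_end": image_base + size_of_image,   # compare with the sandbox dump range
        "sections": sections,
        "upx": upx_names,
        "packed_hint": upx_names or stub_shape,
        # Size 0 means no embedded Authenticode blob. Catalog-signed files (most of %SystemRoot%)
        # also have none, so verify Microsoft binaries against the catalog before calling them unsigned.
        "embedded_signature": sec_size != 0,
    }


def build_sample_pe(image_base=0x400000, size_of_image=0x2C000) -> bytes:
    """Constructed input: PE32 headers with UPX-style sections and no signature. Not a runnable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)  # i386, 3 sections, EXE|32BIT
    opt = struct.pack("<HBB", 0x10B, 14, 0)                              # PE32 magic, linker version
    opt += struct.pack("<6I", 0, 0, 0, 0x2A000, 0x1000, 0)   # sizes, entry point (assumed), BaseOfCode/Data
    opt += struct.pack("<3I", image_base, 0x1000, 0x200)     # ImageBase, SectionAlignment, FileAlignment
    opt += struct.pack("<6H", 6, 0, 0, 0, 6, 0)              # OS / image / subsystem versions
    opt += struct.pack("<4I", 0, size_of_image, 0x200, 0)    # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<2H", 2, 0)                          # Subsystem GUI, DllCharacteristics
    opt += struct.pack("<6I", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap, LoaderFlags, dir count
    opt += b"\0" * 128                                       # 16 empty data directories: no Security entry
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # 8 KiB deterministic high-entropy bytes
    raw_start = 0x200
    specs = [(b"UPX0", 0x1A000, 0x1000, 0), (b"UPX1", 0x10000, 0x1B000, len(packed)), (b".rsrc", 0x1000, 0x2B000, 0)]
    sec_table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize,
                                     raw_start if rawsize else 0, 0, 0, 0, 0, 0xE0000040)
                         for name, vsize, vaddr, rawsize in specs)
    headers = dos + b"PE\0\0" + file_hdr + opt + sec_table
    return headers.ljust(raw_start, b"\0") + packed


if __name__ == "__main__":
    report = triage_pe(build_sample_pe())
    print(f"{report['bits']}-bit, image {report['image_base']:#x}-{report['image_end']:#x}, "
          f"upx={report['upx']} packed_hint={report['packed_hint']} signed={report['embedded_signature']}")
    for s in report["sections"]:
        print(f"  {s['name']:<8} vsize={s['vsize']:#x} raw={s['rawsize']:#x} entropy={s['entropy']}")
```

Against a real file, call triage_pe on its bytes; an image_end that matches the dump range in the Files sections (0x42C000 here) confirms the dumps are the full mapped image of the packed binary, which is what to unpack or carve next.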
Analysis: behavioral2

Detonation Overview

Submitted:        2024-06-12 01:12
Reported:         2024-06-12 01:14
Platform:         win10v2004-20240508-en
Max time kernel:  144s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13ed5277a13f0aaf167ee1627dc2f730_NeikiAnalytics.exe"

Signatures

Neconyd (trojan, neconyd)

Executes dropped EXE
  Process
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Windows\SysWOW64\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

UPX packed file (upx)
  17 matches; no description, indicator, process or target recorded.

Drops file in System32 directory
  Description   Indicator                        Process
  File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image path, then the command line it was started with, indented by parent. PIDs are taken from the memory dump names below (3736 -> 4636 -> 4132 -> 4632).

  C:\Users\Admin\AppData\Local\Temp\13ed5277a13f0aaf167ee1627dc2f730_NeikiAnalytics.exe  (PID 3736)
    "C:\Users\Admin\AppData\Local\Temp\13ed5277a13f0aaf167ee1627dc2f730_NeikiAnalytics.exe"

    C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 4636)
      C:\Users\Admin\AppData\Roaming\omsecor.exe

      C:\Windows\SysWOW64\omsecor.exe  (PID 4132)
        C:\Windows\System32\omsecor.exe

        C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 4632)
          C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is launched with a System32 path but runs the SysWOW64 file: the caller is a 32-bit process, so WoW64 file-system redirection maps both the file write and the CreateProcess path to SysWOW64.

Network

  Country  Destination   Domain                  Proto
  US       8.8.8.8:53    lousta.net              udp
  US       8.8.8.8:53    8.8.8.8.in-addr.arpa    udp
  US       8.8.8.8:53    lousta.net              udp
  US       8.8.8.8:53    ow5dirasuek.com         udp
  US       8.8.8.8:53    lousta.net              udp
  US       8.8.8.8:53    lousta.net              udp
  US       8.8.8.8:53    mkkuei4kdsz.com         udp
  US       8.8.8.8:53    ow5dirasuek.com         udp

DNS only: no TCP connection to the resolved hosts was recorded in this run.

Files

Dropped files and memory dumps in the order the sandbox recorded them. Every dump covers 0x400000-0x42C000, the mapped image of the process whose PID leads the dump name.

memory/3736-0-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe  (first drop)
  MD5     58f19535b0387ead1b90822d9ca88b4c
  SHA1    006ffc4078210505eae4cffa878fbee605979c26
  SHA256  d0d4589e0e06679266280fab075147fd69004f1d58fad0964f6c530a990b371b
  SHA512  2f8ef9f6fc45ec4ac50432a5627418d85b55bd16253d04d9483814f448d2ad23b827745d34353d1c9b7eccfaaf6e35735b0a5991951535629fc8b921f3512890

memory/3736-6-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4636-7-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4636-8-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4636-10-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4636-12-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4636-13-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe
  MD5     afd0b657995f95d5c722e69e1f5c88a9
  SHA1    bd9c1735cc0cfd6f5e8a51300683abdb2ba2fd5c
  SHA256  f1fd325648a7429e8e54514fb36942957ad47d53cc141ff1f76b25218addebc1
  SHA512  0cbb33bd8d19c1c2b24278ff71551a86c47eabc0f0d7a6ae14eb9a538ed99b11a5fe650675aa086bed9f5f51f747716af0cd3e1b30eafd9c07dd1997d950ce12

memory/4636-19-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4132-21-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe  (second drop; hash differs from the first)
  MD5     c286f53a02e7c5f34e454f27d9ef7886
  SHA1    eaaa88351aa55857d2cc442d20678b6be074954b
  SHA256  48fc50f968e2d566fa7b753eb12ea981d3b1f9ebfd1edc964b4fad0f8485cbdb
  SHA512  c636e478caf939540860868e918d74441b48b0eec8c0a842a5b28b5749067879fe06475f421b7cf205dc0d68ed21aff297c5c2d1a3753c345b7b2bc1d31e7015

memory/4632-25-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4632-27-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4632-29-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4632-31-0x0000000000400000-0x000000000042C000-memory.dmp
memory/4632-33-0x0000000000400000-0x000000000042C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted:        2024-06-12 01:12
Reported:         2024-06-12 01:14
Platform:         win7-20231129-en
Max time kernel:  149s
Max time network: 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\13ed5277a13f0aaf167ee1627dc2f730_NeikiAnalytics.exe"

Signatures

Neconyd (trojan, neconyd)

Executes dropped EXE
  Process
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Windows\SysWOW64\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

UPX packed file (upx)
  15 matches; no description, indicator, process or target recorded.

Drops file in System32 directory
  Description   Indicator                        Process
  File created  C:\Windows\SysWOW64\omsecor.exe  C:\Users\Admin\AppData\Roaming\omsecor.exe

Suspicious use of WriteProcessMemory
  Each parent wrote into its child's memory four times; source process -> target process:

  PID 2820 wrote to memory of PID 2316 (4 writes)
    C:\Users\Admin\AppData\Local\Temp\13ed5277a13f0aaf167ee1627dc2f730_NeikiAnalytics.exe -> C:\Users\Admin\AppData\Roaming\omsecor.exe
  PID 2316 wrote to memory of PID 816 (4 writes)
    C:\Users\Admin\AppData\Roaming\omsecor.exe -> C:\Windows\SysWOW64\omsecor.exe
  PID 816 wrote to memory of PID 960 (4 writes)
    C:\Windows\SysWOW64\omsecor.exe -> C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image path, then the command line it was started with, indented by parent. PIDs are those from the WriteProcessMemory signature (2820 -> 2316 -> 816 -> 960).

  C:\Users\Admin\AppData\Local\Temp\13ed5277a13f0aaf167ee1627dc2f730_NeikiAnalytics.exe  (PID 2820)
    "C:\Users\Admin\AppData\Local\Temp\13ed5277a13f0aaf167ee1627dc2f730_NeikiAnalytics.exe"

    C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 2316)
      C:\Users\Admin\AppData\Roaming\omsecor.exe

      C:\Windows\SysWOW64\omsecor.exe  (PID 816)
        C:\Windows\System32\omsecor.exe

        C:\Users\Admin\AppData\Roaming\omsecor.exe  (PID 960)
          C:\Users\Admin\AppData\Roaming\omsecor.exe

As in the Windows 10 run, the System32 path on the command line resolves to the SysWOW64 file through WoW64 redirection of the 32-bit caller.

Network

  Country  Destination           Domain            Proto
  US       8.8.8.8:53            lousta.net        udp
  FI       193.166.255.171:80    lousta.net        tcp
  FI       193.166.255.171:80    lousta.net        tcp
  US       8.8.8.8:53            mkkuei4kdsz.com   udp
  US       64.225.91.73:80       mkkuei4kdsz.com   tcp
  US       8.8.8.8:53            ow5dirasuek.com   udp
  US       52.34.198.229:80      ow5dirasuek.com   tcp
  FI       193.166.255.171:80    lousta.net        tcp
  FI       193.166.255.171:80    lousta.net        tcp

Unlike the Windows 10 run, each resolved domain was followed by a TCP connection to port 80; no payload or response content is recorded in the report.

Files

Dropped files and memory dumps in the order the sandbox recorded them (paths are given without the drive letter, as in the original report). Dumps cover the mapped image 0x400000-0x42C000 of the process whose PID leads the dump name; PIDs 2820 and 2316 also have dumps of a second, heap-range region.

memory/2820-1-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe  (first drop; same hash as in behavioral2)
  MD5     58f19535b0387ead1b90822d9ca88b4c
  SHA1    006ffc4078210505eae4cffa878fbee605979c26
  SHA256  d0d4589e0e06679266280fab075147fd69004f1d58fad0964f6c530a990b371b
  SHA512  2f8ef9f6fc45ec4ac50432a5627418d85b55bd16253d04d9483814f448d2ad23b827745d34353d1c9b7eccfaaf6e35735b0a5991951535629fc8b921f3512890

memory/2820-4-0x0000000000220000-0x000000000024C000-memory.dmp
memory/2316-12-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2316-15-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2316-18-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2316-21-0x0000000000400000-0x000000000042C000-memory.dmp

\Windows\SysWOW64\omsecor.exe  (hash differs from the behavioral2 copy)
  MD5     b35a0c207cbea360782e929bc3570215
  SHA1    c45d52bf8918f6452591236b15a230c799eea35c
  SHA256  3c995465c1c23167902af7fe69885c3b222032cd35e5777f29fd163e85cce409
  SHA512  0e068452732425c19f64eda993cec8252f71c395d2c41595364fb3e2cebe6d54992ddd90321f9a83a79dda6e87b35d70bef515a6eb7773689a86560a3a106e26

memory/2316-24-0x0000000000280000-0x00000000002AC000-memory.dmp
memory/2316-31-0x0000000000400000-0x000000000042C000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe  (second drop; hash differs from the first and from behavioral2)
  MD5     aa9730c39a9c56de90fe32a455a653af
  SHA1    deef569761b029b5493451b188e3acdd592d136f
  SHA256  31c4a876c37d996c3918d79c1dd562a80ee88683523fd6b61ab50b286f970347
  SHA512  ae3b74b0d0362b7e15e067059c948a855323ce56a3bcaab3375ff746492d143c433de5e8c981fc8f54be78b3b6945d71d1f2dc9bb9406556e66bf7fd45c23677

memory/816-42-0x0000000000400000-0x000000000042C000-memory.dmp
memory/960-44-0x0000000000400000-0x000000000042C000-memory.dmp
memory/960-46-0x0000000000400000-0x000000000042C000-memory.dmp
memory/960-49-0x0000000000400000-0x000000000042C000-memory.dmp
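The process chain, the SysWOW64 drop and the three DNS names are identical across the Windows 10 and Windows 7 detonations, which makes them the durable detection surface (the later file hashes are not). The following is an added example, not part of this report and not the sandbox's code: Python detection logic run over constructed Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 22 DnsQuery) modelled on the behavioral1 PIDs 2820 -> 2316 -> 816 -> 960. The events are constructed for the example; in particular, the report does not say which process issued the DNS queries, so attributing them to PID 960 is an assumption. The rules are written generically (a same-named executable hopping between a user-profile directory and System32/SysWOW64, a system-directory write by a user-profile process, and the report's domains), so they also cover variants that use other file names.

```python
"""Detect the omsecor.exe drop-and-relaunch chain in Sysmon-style process/file/DNS events."""
import re

# Domains from the report's Network tables (both detonations).
IOC_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}

USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
# Match both: a 32-bit process writing "System32" lands in SysWOW64 through WoW64 redirection.
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_process_table(events):
    """pid -> (image, parent pid) from ProcessCreate (EventID 1) events."""
    return {e["ProcessId"]: (e["Image"], e["ParentProcessId"]) for e in events if e["EventID"] == 1}


def ancestry(pid, table):
    """Images from the oldest known ancestor down to pid; stops at unknown or cyclic pids."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        image, pid = table[pid]
        chain.append(image)
    return list(reversed(chain))


def detect(events):
    """Return (rule, pid, detail) tuples; detail is a chain, a path or a (domain, chain) pair."""
    table = build_process_table(events)
    findings = []
    for e in events:
        if e["EventID"] == 1:
            # Rule 1: same-named executable hops between a user-profile directory and the system
            # directory, in either direction (Roaming -> SysWOW64 -> Roaming in this sample).
            parent, child = e["ParentImage"], e["Image"]
            if basename(parent) == basename(child) and (
                (USER_WRITABLE.match(parent) and SYSTEM_DIR.match(child))
                or (SYSTEM_DIR.match(parent) and USER_WRITABLE.match(child))
            ):
                findings.append(("same_name_profile_system_hop", e["ProcessId"], ancestry(e["ProcessId"], table)))
        elif e["EventID"] == 11:
            # Rule 2: a process running from the user profile writes into System32/SysWOW64.
            if SYSTEM_DIR.match(e["TargetFilename"]) and USER_WRITABLE.match(e["Image"]):
                findings.append(("system_dir_drop_from_profile", e["ProcessId"], e["TargetFilename"]))
        elif e["EventID"] == 22:
            # Rule 3: lookup of a known domain, attributed to the full process chain for triage.
            if e["QueryName"].lower() in IOC_DOMAINS:
                findings.append(("neconyd_dns_ioc", e["ProcessId"],
                                 (e["QueryName"], ancestry(e["ProcessId"], table))))
    return findings


TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\13ed5277a13f0aaf167ee1627dc2f730_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events modelled on the behavioral1 process tree; not sandbox output.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2820, "ParentProcessId": 1000, "Image": TEMP_EXE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 2820, "Image": TEMP_EXE, "TargetFilename": ROAMING},
    {"EventID": 1, "ProcessId": 2316, "ParentProcessId": 2820, "Image": ROAMING, "ParentImage": TEMP_EXE},
    {"EventID": 11, "ProcessId": 2316, "Image": ROAMING, "TargetFilename": SYSWOW},
    {"EventID": 1, "ProcessId": 816, "ParentProcessId": 2316, "Image": SYSWOW, "ParentImage": ROAMING},
    {"EventID": 1, "ProcessId": 960, "ParentProcessId": 816, "Image": ROAMING, "ParentImage": SYSWOW},
    {"EventID": 22, "ProcessId": 960, "Image": ROAMING, "QueryName": "lousta.net"},        # attribution assumed
    {"EventID": 22, "ProcessId": 960, "Image": ROAMING, "QueryName": "mkkuei4kdsz.com"},
    {"EventID": 22, "ProcessId": 960, "Image": ROAMING, "QueryName": "ow5dirasuek.com"},
    # Benign noise that must not match.
    {"EventID": 22, "ProcessId": 4000, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "example.com"},
    {"EventID": 11, "ProcessId": 5000, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\catroot2\edb.log"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:<32} pid={pid:<5} {detail}")
```

Rule 2 fires on the %APPDATA% copy writing SysWOW64\omsecor.exe, and Rule 1 fires twice (Roaming -> SysWOW64 and SysWOW64 -> Roaming); the ancestry walk returns the whole four-process chain back to the submitted sample for each hit, which is the context an analyst needs to scope the host.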