Analysis Overview
SHA256
b3396751ea0ed78d9d5f25bbc83bb18048205ba278de899aa5c088a05a8a55a1
Threat Level: Known bad
The file 176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-12 02:17
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 02:17
Reported
2024-06-12 02:20
Platform
win7-20240221-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note: the third process is launched with a System32 command line but its image resides in SysWOW64. This is consistent with WoW64 file system redirection applied to a 32-bit process (the dumped regions at 0x400000-0x42A000 are a 32-bit image base), and it is also why the "Drops file in System32 directory" signature records the created file under C:\Windows\SysWOW64. Detection rules keyed only on the System32 path will miss this drop; match both directories.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2452-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0304e0e472ef28a3c76732d468598a74 |
| SHA1 | e62125f43e78356298cb1e8ee30de857d5a23d0a |
| SHA256 | 8096d346fc979ef8d7b80893f6d843977d64e40dcf09eb476316f31e645d5bf1 |
| SHA512 | 530830985d5ba610077827ae4656e8ebf6625e9cd4d96b85de295c19a941f79f319cf277f8f908118a3c76fb4ef801b46881160ee7fc0e33781aca1a49c699fb |
memory/2724-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2452-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2724-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 7cfa3b3dba97e8ebe57d564174e68da2 |
| SHA1 | fa7947c8f59e744340d6872d8c81c5ef0c492c1c |
| SHA256 | 786ff8d90c35e5769e501f0bfb25ec764d4ca3210d80efa93b6fcf03669511c9 |
| SHA512 | 3a1f0a6b0bbcbca8cb7ed88bf8985f06e3b871e0bc32a7040aceb4fd49cf845f99abe92f30ba0206a8a9edf539353c7f6e6fdabc1b4b3048f9536d27f61328fb |
memory/2724-17-0x0000000001F90000-0x0000000001FBA000-memory.dmp
memory/2724-23-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2564-27-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ffaeba5c586fc0831a9513eca141e6ad |
| SHA1 | 799a77bd871f9de442a26f8cd3b3dcab46ef13bf |
| SHA256 | 238ef2ca70121b48e844996b06ee7b13ea21b939e968cbafe7001eb8fa0e6d2a |
| SHA512 | 15a8bf163863a7af8e727492bf75912d33a77ce470c69ce8c714a83cc75bf40aecb309aeb05ba31d1c04566c44a12fc1fcd92c9ed2b9cb44abb0ced0c1b63f7d |
memory/2016-35-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2016-37-0x0000000000400000-0x000000000042A000-memory.dmp
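The dropped copies listed above are the most direct host indicators. The following is an added example (not part of the sandbox report) of an on-disk sweep for them: it hashes every file named omsecor.exe or merocz.xc6 under the given roots and compares the digest with the SHA256 values recorded in this report. A file at a known drop name whose digest is not in the list is still reported, because the SysWOW64 copy had a different digest on each detonation (786ff8... on win7, 670007... on win10), so the name and location are the stable indicator and the hash only confirms. The directory tree built by `build_demo_tree` is constructed for the demonstration and is not taken from the report.

```python
import hashlib
import os
from pathlib import Path

# SHA256 digests of the dropped copies as recorded in the report.
KNOWN_SHA256 = {
    "8096d346fc979ef8d7b80893f6d843977d64e40dcf09eb476316f31e645d5bf1",  # Roaming\omsecor.exe (win7 and win10)
    "238ef2ca70121b48e844996b06ee7b13ea21b939e968cbafe7001eb8fa0e6d2a",  # Roaming\omsecor.exe (win7, second copy)
    "786ff8d90c35e5769e501f0bfb25ec764d4ca3210d80efa93b6fcf03669511c9",  # SysWOW64\omsecor.exe (win7)
    "670007da6eb4c6b18094acf69de076823fa9a822bc9c36c0897933c1532b4120",  # SysWOW64\omsecor.exe (win10)
}
# File names the sample creates; merocz.xc6 is the file the SysWOW64 copy opens for modification on win10.
DROP_NAMES = {"omsecor.exe", "merocz.xc6"}


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, known=KNOWN_SHA256):
    """Return sorted (path, sha256, verdict) tuples for every IOC-named file under roots.

    verdict is "hash-match" when the digest is one of the reported ones and
    "path-match" otherwise. A path-match is still a hit: an unknown digest at a
    known drop name means a new variant, not a false positive.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() not in DROP_NAMES:
                    continue
                path = Path(dirpath) / name
                digest = sha256_file(path)
                verdict = "hash-match" if digest in known else "path-match"
                hits.append((str(path), digest, verdict))
    return sorted(hits)


def build_demo_tree(base):
    """Constructed directory layout (assumption: not taken from the report) that
    mirrors the drop locations plus one benign DLL that must be ignored."""
    base = Path(base)
    roaming = base / "Users" / "Admin" / "AppData" / "Roaming"
    syswow = base / "Windows" / "SysWOW64"
    roaming.mkdir(parents=True, exist_ok=True)
    syswow.mkdir(parents=True, exist_ok=True)
    (roaming / "omsecor.exe").write_bytes(b"MZ constructed stand-in for the Roaming copy")
    (syswow / "omsecor.exe").write_bytes(b"MZ constructed stand-in for the SysWOW64 copy")
    (syswow / "merocz.xc6").write_bytes(b"")
    (syswow / "kernel32.dll").write_bytes(b"MZ benign file, not an IOC name")


def demo():
    """Sweep the constructed tree twice: once against the report's digests (every
    hit is a path-match, since stand-in files cannot reproduce the real digests),
    then with one stand-in digest added to the known set to show a hash-match."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        hits = sweep([tmp])
        confirmed = sweep([tmp], known=KNOWN_SHA256 | {hits[0][1]})
    return hits, confirmed


if __name__ == "__main__":
    for path, digest, verdict in demo()[0]:
        print("%-10s %s  %s" % (verdict, digest[:16], path))
```

On a live host, pass the real roots (`C:\Users`, `C:\Windows\SysWOW64`, `C:\Windows\System32`) instead of the constructed tree; the MD5 and SHA1 values in the report can be added in the same way if a tool only exposes those.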
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 02:17
Reported
2024-06-12 02:20
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2888 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2888 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2888 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4664 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4664 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4664 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2888-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0304e0e472ef28a3c76732d468598a74 |
| SHA1 | e62125f43e78356298cb1e8ee30de857d5a23d0a |
| SHA256 | 8096d346fc979ef8d7b80893f6d843977d64e40dcf09eb476316f31e645d5bf1 |
| SHA512 | 530830985d5ba610077827ae4656e8ebf6625e9cd4d96b85de295c19a941f79f319cf277f8f908118a3c76fb4ef801b46881160ee7fc0e33781aca1a49c699fb |
memory/2888-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4664-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4664-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 81174790f1db56ca2382866655eba0f9 |
| SHA1 | a36e6073ea9d13304fbb26b2e16aff820259b1e5 |
| SHA256 | 670007da6eb4c6b18094acf69de076823fa9a822bc9c36c0897933c1532b4120 |
| SHA512 | 88b0cde3a098a3b599ac9b50810a3186b752840a366b1fe828c239dae4277699f6314055937a21a083c9d98bb07d8ba3a8ebbccede77091b7e9dca80d37cc996 |
memory/4664-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2580-13-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2580-14-0x0000000000400000-0x000000000042A000-memory.dmp
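The behavioural chain recorded in both detonations (sample writes to a child at %APPDATA%\omsecor.exe, that child creates and writes to a second omsecor.exe under the Windows system directory, and the processes resolve and connect to lousta.net, mkkuei4kdsz.com and ow5dirasuek.com) can be turned into event-log detection logic. The block below is an added example, not part of the report: it evaluates Sysmon-style process, file, DNS and network events for that chain and for the C2 indicators in the Network tables. The event records in `SAMPLE_EVENTS` are constructed to mirror the report (field names follow Sysmon but the records are plain JSON lines, an assumption for the demo); the host names WS01 and WS02 are invented.

```python
import json
import re

# Network indicators from the report's Network tables.
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}

# Path patterns. System32 and SysWOW64 are both matched because the report shows the
# second-stage process launched with a System32 command line but imaged from SysWOW64.
ROAMING_DROP = re.compile(r"\\AppData\\Roaming\\omsecor\.exe$", re.I)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.I)
USER_PATH = re.compile(r"^[A-Z]:\\Users\\", re.I)

# Constructed Sysmon-style events (assumption: written to mirror the report, not sandbox output).
SAMPLE_EVENTS = [
    r'{"Computer":"WS01","EventType":"ProcessCreate","ProcessId":2888,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
    r'{"Computer":"WS01","EventType":"ProcessCreate","ProcessId":4664,"Image":"C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe","ParentImage":"C:\\Users\\Admin\\AppData\\Local\\Temp\\176ce5b7ec559eea364846093f9273c0_NeikiAnalytics.exe"}',
    r'{"Computer":"WS01","EventType":"FileCreate","ProcessId":4664,"Image":"C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe","TargetFilename":"C:\\Windows\\SysWOW64\\omsecor.exe"}',
    r'{"Computer":"WS01","EventType":"ProcessCreate","ProcessId":2580,"Image":"C:\\Windows\\SysWOW64\\omsecor.exe","CommandLine":"C:\\Windows\\System32\\omsecor.exe","ParentImage":"C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"}',
    r'{"Computer":"WS01","EventType":"DnsQuery","ProcessId":2580,"Image":"C:\\Windows\\SysWOW64\\omsecor.exe","QueryName":"lousta.net"}',
    r'{"Computer":"WS01","EventType":"NetworkConnect","ProcessId":2580,"Image":"C:\\Windows\\SysWOW64\\omsecor.exe","DestinationIp":"193.166.255.171","DestinationPort":80}',
    # Benign activity on a second host: a system process writing under System32 and an ordinary lookup.
    r'{"Computer":"WS02","EventType":"ProcessCreate","ProcessId":900,"Image":"C:\\Windows\\System32\\svchost.exe","ParentImage":"C:\\Windows\\System32\\services.exe"}',
    r'{"Computer":"WS02","EventType":"FileCreate","ProcessId":900,"Image":"C:\\Windows\\System32\\svchost.exe","TargetFilename":"C:\\Windows\\System32\\winevt\\Logs\\Application.evtx"}',
    r'{"Computer":"WS02","EventType":"DnsQuery","ProcessId":900,"Image":"C:\\Windows\\System32\\svchost.exe","QueryName":"example.com"}',
]


def parse(lines):
    """One JSON object per line, as a log shipper would emit."""
    return [json.loads(line) for line in lines]


def evaluate(events):
    """Return {host: [(rule, detail), ...]}; hosts with no findings are omitted."""
    findings = {}
    for ev in events:
        host, kind = ev["Computer"], ev["EventType"]
        image = ev.get("Image", "")
        hit = None
        if kind == "ProcessCreate":
            if ROAMING_DROP.search(image):
                hit = ("neconyd_roaming_omsecor_exec", image)
            elif (SYSTEM_DIR.match(image) and image.lower().endswith("\\omsecor.exe")
                  and USER_PATH.match(ev.get("ParentImage", ""))):
                hit = ("neconyd_sysdir_omsecor_from_user_parent", image)
        elif kind == "FileCreate":
            # A process running from a user profile writing into the system directory;
            # system binaries doing the same (WS02 above) do not trigger this.
            if USER_PATH.match(image) and SYSTEM_DIR.match(ev["TargetFilename"]):
                hit = ("user_process_drops_into_system_dir", ev["TargetFilename"])
        elif kind == "DnsQuery":
            if ev["QueryName"].lower().rstrip(".") in C2_DOMAINS:
                hit = ("neconyd_c2_dns", ev["QueryName"])
        elif kind == "NetworkConnect":
            if ev["DestinationIp"] in C2_IPS:
                hit = ("neconyd_c2_connect", "%s:%s" % (ev["DestinationIp"], ev["DestinationPort"]))
        if hit:
            findings.setdefault(host, []).append(hit)
    return findings


def run_demo():
    return evaluate(parse(SAMPLE_EVENTS))


if __name__ == "__main__":
    for host, hits in run_demo().items():
        for rule, detail in hits:
            print(host, rule, detail)
```

The domain and IP rules will go stale as the operators rotate infrastructure; the process-chain and file-drop rules describe the behaviour itself and are the ones worth keeping after the network indicators are retired.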