Malware Analysis Report

2024-09-11 08:32

Sample ID: 240612-mwat6avgqq
Target: 343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe
SHA256: 82bce5b89afb72677bd1f4b37119a40ecd47bf519c8fa25fa51a7c6d3edc836a
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 82bce5b89afb72677bd1f4b37119a40ecd47bf519c8fa25fa51a7c6d3edc836a

Threat Level: Known bad

The file 343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 10:48

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 10:48
Reported: 2024-06-12 10:50
Platform: win10v2004-20240508-en
Max time kernel: 142s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process                                      | Target
N/A         | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe   | N/A
N/A         | N/A       | C:\Windows\SysWOW64\omsecor.exe              | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe   | N/A

Drops file in System32 directory

Description  | Indicator                        | Process                                    | Target
File created | C:\Windows\SysWOW64\omsecor.exe  | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination  | Domain          | Proto
US      | 8.8.8.8:53   | lousta.net      | udp
US      | 8.8.8.8:53   | lousta.net      | udp
US      | 8.8.8.8:53   | ow5dirasuek.com | udp
US      | 8.8.8.8:53   | lousta.net      | udp
US      | 8.8.8.8:53   | lousta.net      | udp
US      | 8.8.8.8:53   | mkkuei4kdsz.com | udp
US      | 8.8.8.8:53   | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 db5680860dbe1290bb693ce40bef0916
SHA1 ea695ceb8294f7689381e3f2bf0277a76eb848ec
SHA256 58d4883d8c48c61674cd01012d2c05a8260743873ed7832daa1df3de88b85de0
SHA512 64f2896304dd1e44bc8e2403d9e754ebb8de40fafdedd8eaa82baf4affc570a7f2d9e63a03c6e85a02df6888542bef31bd46dba54c7e7315d686135b980f0f00

C:\Windows\SysWOW64\omsecor.exe

MD5 4b208b923fcbc0ee22db2a4245d3d80e
SHA1 f88d4293e57324a799018a5a4dcf026245d0db6d
SHA256 63b762e1e0225964717101bd291ca45ab167bcfe705d1d16c452e609cdac75c5
SHA512 0447ade73951de7fffcff4eb5796b54ddf1e7ce38cb4da729f1245befd72da704e6e587da27c8c5eab014a13dc8616f812de49490587452614ff60844c9ae6e8

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 cfb1df92b3e5ec60955cad649d26fe1a
SHA1 055913825d3759b2fc58e83f53ac0cc22e1a2f2a
SHA256 fd846cb797693e7c700568927c0c24706055a0f068d3c0b6f8f6a39fc6627c14
SHA512 5aee32c38c7b055e7e300cb6b60a632dc1f438841b0cc860fdeaa5adb6f0870f2d1e9cc91f90a7c857ae949e44a3d2f47ea95174b72012071378444ca39ad6e6

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 10:48
Reported: 2024-06-12 10:50
Platform: win7-20240220-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process                                      | Target
N/A         | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe   | N/A
N/A         | N/A       | C:\Windows\SysWOW64\omsecor.exe              | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe   | N/A

Drops file in System32 directory

Description  | Indicator                        | Process                                    | Target
File created | C:\Windows\SysWOW64\omsecor.exe  | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description                       | Indicator | Process                                                                             | Target
PID 2356 wrote to memory of 1204  | N/A       | C:\Users\Admin\AppData\Local\Temp\343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2356 wrote to memory of 1204  | N/A       | C:\Users\Admin\AppData\Local\Temp\343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2356 wrote to memory of 1204  | N/A       | C:\Users\Admin\AppData\Local\Temp\343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2356 wrote to memory of 1204  | N/A       | C:\Users\Admin\AppData\Local\Temp\343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1204 wrote to memory of 2624  | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe                                            | C:\Windows\SysWOW64\omsecor.exe
PID 1204 wrote to memory of 2624  | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe                                            | C:\Windows\SysWOW64\omsecor.exe
PID 1204 wrote to memory of 2624  | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe                                            | C:\Windows\SysWOW64\omsecor.exe
PID 1204 wrote to memory of 2624  | N/A       | C:\Users\Admin\AppData\Roaming\omsecor.exe                                            | C:\Windows\SysWOW64\omsecor.exe
PID 2624 wrote to memory of 2828  | N/A       | C:\Windows\SysWOW64\omsecor.exe                                                       | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2624 wrote to memory of 2828  | N/A       | C:\Windows\SysWOW64\omsecor.exe                                                       | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2624 wrote to memory of 2828  | N/A       | C:\Windows\SysWOW64\omsecor.exe                                                       | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2624 wrote to memory of 2828  | N/A       | C:\Windows\SysWOW64\omsecor.exe                                                       | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\343c4bce0c8539550afc65184b24f2e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination           | Domain          | Proto
US      | 8.8.8.8:53            | lousta.net      | udp
FI      | 193.166.255.171:80    | lousta.net      | tcp
FI      | 193.166.255.171:80    | lousta.net      | tcp
US      | 8.8.8.8:53            | mkkuei4kdsz.com | udp
US      | 64.225.91.73:80       | mkkuei4kdsz.com | tcp
US      | 8.8.8.8:53            | ow5dirasuek.com | udp
US      | 52.34.198.229:80      | ow5dirasuek.com | tcp
FI      | 193.166.255.171:80    | lousta.net      | tcp
FI      | 193.166.255.171:80    | lousta.net      | tcp
US      | 64.225.91.73:80       | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 db5680860dbe1290bb693ce40bef0916
SHA1 ea695ceb8294f7689381e3f2bf0277a76eb848ec
SHA256 58d4883d8c48c61674cd01012d2c05a8260743873ed7832daa1df3de88b85de0
SHA512 64f2896304dd1e44bc8e2403d9e754ebb8de40fafdedd8eaa82baf4affc570a7f2d9e63a03c6e85a02df6888542bef31bd46dba54c7e7315d686135b980f0f00

\Windows\SysWOW64\omsecor.exe

MD5 60cbf581998e2b5608c93c210ad4c554
SHA1 7eb2447bdd4a55952f7097183b64d90c352365b2
SHA256 59da21dc0eea2d6b3198500f4d4058dc3d448e91a0072dcd0f08ac186e25efa6
SHA512 9ba9821a13fb1b02c0439a39f6f4ff3a46a353c44f6d68fd47f1ffc1d560f7ca1cf72403b20f2e9f7d7a9764d0291b5f384080c8f03b26f37852f852edda3d76

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b0bcd0b2d9f808b739de88feae1f7cf6
SHA1 073f3da91049e21f51cf99b91d2a958b3b105c3f
SHA256 e0edc732dce5302febf3428c66f50d1a0e25815a4d93c6226c0b48c5c88c0835
SHA512 49e5133560a245bc9d5e75bccb24f3e5b5b731415206fc3b6c3f05efd4065add0ff8eea5cd16787b8d7472c47e8ae7498154542611b7cd9c73f38d0b30668226