Analysis Overview
SHA256
b6246d4921e0ad94fce036593e16cc6c367f4d70abd1b6b395d2f992de3c03d6
Threat Level: Known bad
The file 3823ef3251b1aeb26497799646986580_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-12 11:51
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 11:51
Reported
2024-06-12 11:53
Platform
win7-20240419-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3823ef3251b1aeb26497799646986580_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3823ef3251b1aeb26497799646986580_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3823ef3251b1aeb26497799646986580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3823ef3251b1aeb26497799646986580_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d8de4b2d2dcd377d800c0e899fa4471c |
| SHA1 | 1e50803e4b1476e2a3797092b2a4cf7a12712806 |
| SHA256 | 287cac6f12afd45cd39e627a77b0bbd9cd4036d8f60319bffb198e2f22f202c7 |
| SHA512 | 7c2b4ffe31009405afe2d45ae79d1c35f61ccaa62c7648cbdb4c56d40b7a6598c0e03448922e8a18d97528d83e9b50f175eee0eec554e7a26eb9ee2f113524cb |
\Windows\SysWOW64\omsecor.exe
| MD5 | 7b9925e681383b6295a0c58b8899b316 |
| SHA1 | b703dc457c198bd44f9fb59ab39aa3c68d4176bd |
| SHA256 | 8897d9ba7f427584d2b47ac7642c5d744eb8a8670cb8f283cb077d1a88e4501b |
| SHA512 | a649cc3cb9147dc3742477f16a1bf7840cde0bea24414516fe192ad2fda810fdd07a0dd18b3e89344388d9e39b2c70500267e5e163053b000d7af02f012033b2 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f22236cc6e1601dcc6627d73e56d7bf7 |
| SHA1 | e8f43799c269f137f53c236eeb5c8fe4c881611e |
| SHA256 | 2394aa4e7efb579bc564fa58735b9c6c37ed4f7de8cff534bc134b1c648a1858 |
| SHA512 | 98403d691ab36b1f4daeb8fbb842b7dcaf01329c41b5955249b2c9c654f558620541f152a8a3c955cd34a5bf9a89f57fcbcd8b3cec4cd7245464b56691e479a7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 11:51
Reported
2024-06-12 11:53
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
143s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5068 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\3823ef3251b1aeb26497799646986580_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 5068 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\3823ef3251b1aeb26497799646986580_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 5068 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\3823ef3251b1aeb26497799646986580_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 100 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 100 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 100 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3823ef3251b1aeb26497799646986580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3823ef3251b1aeb26497799646986580_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d8de4b2d2dcd377d800c0e899fa4471c |
| SHA1 | 1e50803e4b1476e2a3797092b2a4cf7a12712806 |
| SHA256 | 287cac6f12afd45cd39e627a77b0bbd9cd4036d8f60319bffb198e2f22f202c7 |
| SHA512 | 7c2b4ffe31009405afe2d45ae79d1c35f61ccaa62c7648cbdb4c56d40b7a6598c0e03448922e8a18d97528d83e9b50f175eee0eec554e7a26eb9ee2f113524cb |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | abbca509fcce4f1518020e3d578dbb11 |
| SHA1 | 4d773ce058c3ef44924a44cefe79fc836e86a63d |
| SHA256 | 0b62a86e21d6c93d90f7bac171b11ee9a8e9ab5b880af53bc99705d2b5c63e39 |
| SHA512 | dd0cfb73e6dcec8805ea54e633c40abe295e5c9bd9022b248c1bc8e02a8b48fa55fc211d37ee3ef1012cc3ca9166fe831bf525f2b6b99602b357501868f93c9e |