Malware Analysis Report

2024-09-11 08:31

Sample ID 240612-ptcl3svekc
Target 3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe
SHA256 11470693ddbbf50634978dc57496dac7d939a4d045282af19ab80d4831ee4db0
Tags neconyd, trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

11470693ddbbf50634978dc57496dac7d939a4d045282af19ab80d4831ee4db0

Threat Level: Known bad

The file 3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 12:36

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
(no indicator rows: the static signatures are family and file-format matches only, with no process or target to report)

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 12:36

Reported

2024-06-12 12:39

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description  Indicator  Process                                      Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe              N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Drops file in System32 directory

Description   Indicator                         Process                                      Target
File created  C:\Windows\SysWOW64\omsecor.exe   C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe (command line as recorded; the process is 32-bit and runs under WOW64, where System32 is redirected to SysWOW64, so the file on disk is the SysWOW64 copy listed under Files)

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country  Destination  Domain           Proto
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   ow5dirasuek.com  udp
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   mkkuei4kdsz.com  udp
US       8.8.8.8:53   ow5dirasuek.com  udp

All recorded network activity is DNS resolution over UDP/53 to 8.8.8.8 for these three domains; no connection to a resolved address is listed, so the domains (not any IP) are the usable network indicators from this run.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 37a106f80d7d5d8d1559b5572853f313
SHA1 251947b338d2cdd4bf0e8a07049334ec0eaefef3
SHA256 8088374e56cb49cbf9612f46b68590dcb618ce34df0e20ae19b2ed229db21b11
SHA512 2c5dba0d157bd6a50e2c0cb8413cc37969fcbf0a49ecb8ce218b10d63217583adebdc3cece9d0f551591bcb25f28056dd7d8421c24beaf71c4ecea780f04258d

C:\Windows\SysWOW64\omsecor.exe

MD5 88905468a9e896d04a504489ec3e7e84
SHA1 a0451853173bcc3bec123a47325c0ff0a215f3d6
SHA256 ea5b2c9782048c29e696573645f69f615b86e2791fbc0179d6d5479b7ccaab47
SHA512 805f822028ffa6f7cd976f07e8b20986803cbddde4d5b78128ceba244d8e6e2dffebcc035e0f4f4064672d008d1bd007719de08b61f22cfd01e30a5dcc950c2c

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 eea3f7013b22734123131eccec59cfbc
SHA1 0be3a0739a7e388e40fb3b97dc97f4c976235f5c
SHA256 18b79c9cfa49ea11cc0c8ce4a2055b82b1db3cf1a34ea324bb60acac22cf936e
SHA512 ed17583ef4ef08eff269139125313b1ee02bde0806b153dc65e706540686b5d63dd65cda738f0857c5d338f71585dcd6e9c0d2d34583129734fd50540c803d15

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 12:36

Reported

2024-06-12 12:39

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description  Indicator  Process                                      Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A
N/A          N/A        C:\Windows\SysWOW64\omsecor.exe              N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Drops file in System32 directory

Description   Indicator                         Process                                      Target
File created  C:\Windows\SysWOW64\omsecor.exe   C:\Users\Admin\AppData\Roaming\omsecor.exe   N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1960 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1960 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1960 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1848 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1848 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1848 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1848 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1412 wrote to memory of 1868 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1412 wrote to memory of 1868 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1412 wrote to memory of 1868 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1412 wrote to memory of 1868 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
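The table above prints one row per WriteProcessMemory call, so the three-hop chain (dropper to the Roaming copy, Roaming copy to the SysWOW64 copy, SysWOW64 copy back to a Roaming copy) is easier to see once the rows are collapsed. The following is an added example and not part of the sandbox's report: it takes the twelve rows verbatim as constructed input, collapses them into parent-to-child edges with write counts, orders them from the process that is never written to (the dropper) down to the last child, and labels where each written image lives. The function and label names are this example's own.

```python
"""Reconstruct the injection chain from flattened WriteProcessMemory rows (added example)."""
import re
from collections import OrderedDict

# The twelve rows of the behavioral1 table above, copied verbatim (constructed input;
# the report prints one row per WriteProcessMemory call).
WPM_ROWS = r"""
PID 1960 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1960 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1960 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1960 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1848 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1848 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1848 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1848 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1412 wrote to memory of 1868 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1412 wrote to memory of 1868 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1412 wrote to memory of 1868 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1412 wrote to memory of 1868 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
"""

# Row layout: "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def location(path):
    """Coarse label for where an image lives; the chain bounces between these."""
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p:
        return "user-temp"
    if "\\appdata\\roaming\\" in p:
        return "user-roaming"
    if "\\syswow64\\" in p or "\\system32\\" in p:
        return "system-dir"
    return "other"


def parse_rows(text):
    """Collapse per-call rows into edges: (src_pid, dst_pid) -> images and write count."""
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # tolerate stray lines from a copy-paste of the report
        src_pid, dst_pid, src_img, dst_img = m.groups()
        edge = edges.setdefault((int(src_pid), int(dst_pid)),
                                {"src": src_img, "dst": dst_img, "writes": 0})
        edge["writes"] += 1
    return edges


def build_chain(edges):
    """Order edges from the PID that is never a write target (the dropper) to the last child."""
    writers = {src for src, _ in edges}
    targets = {dst for _, dst in edges}
    roots = writers - targets
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, found {sorted(roots)}")
    by_writer = {}
    for src, dst in edges:
        if src in by_writer:
            raise ValueError(f"PID {src} writes to several children; not a linear chain")
        by_writer[src] = dst
    chain, cur = [], roots.pop()
    while cur in by_writer:
        key = (cur, by_writer[cur])
        e = edges[key]
        chain.append({"src_pid": cur, "dst_pid": key[1], "src": e["src"], "dst": e["dst"],
                      "writes": e["writes"], "dst_location": location(e["dst"])})
        cur = key[1]
    return chain


if __name__ == "__main__":
    for hop in build_chain(parse_rows(WPM_ROWS)):
        print(f"{hop['src_pid']} -> {hop['dst_pid']} ({hop['writes']} writes) "
              f"{hop['src']} => {hop['dst']} [{hop['dst_location']}]")
```

The collapsed view makes the pattern explicit: each stage writes into the process it just created, and the written image alternates between a user-writable directory and the system directory, which is the shape a hunt query for "WriteProcessMemory into a freshly created child" should key on rather than the specific PIDs.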

Processes

C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3af50c375a79419f8ebb05e8a5ca1b30_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe (command line as recorded; the process is 32-bit and runs under WOW64, where System32 is redirected to SysWOW64, so the file on disk is the SysWOW64 copy listed under Files)

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country  Destination  Domain           Proto
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   mkkuei4kdsz.com  udp
US       8.8.8.8:53   ow5dirasuek.com  udp
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   lousta.net       udp
US       8.8.8.8:53   mkkuei4kdsz.com  udp

As in the win10 run, only DNS resolution over UDP/53 to 8.8.8.8 was recorded for the same three domains; no follow-on connection is listed.

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 37a106f80d7d5d8d1559b5572853f313
SHA1 251947b338d2cdd4bf0e8a07049334ec0eaefef3
SHA256 8088374e56cb49cbf9612f46b68590dcb618ce34df0e20ae19b2ed229db21b11
SHA512 2c5dba0d157bd6a50e2c0cb8413cc37969fcbf0a49ecb8ce218b10d63217583adebdc3cece9d0f551591bcb25f28056dd7d8421c24beaf71c4ecea780f04258d

\Windows\SysWOW64\omsecor.exe

MD5 fef91f48c479f6af819644fd9bfe8a51
SHA1 c2db2e25812cd0d61112adcbafd5c252080f7843
SHA256 9e0d11658737b67fdf7c1a7f77af54c9b78f9c8ffd57968f093276ac49cd2a1e
SHA512 f1810dcaf3d47d811995c4437b7280eb42e66ceb0a07fced4734455d938fdeff3897eea2935b9bca7a301b2471ed10b49bd56d7e6d0f24afe98edf4248ae0fe0

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1ec51013d67058311ff149df87d01072
SHA1 5da358f34b740c1b2ce703ec8dd128a7da70cfe9
SHA256 fd461a5d634cb64698534ca572a726ddc4befc2111584dd7abb1680607e31dde
SHA512 866cd3818d3e6ee64c16d868d75f4311b74818a5bc48e216d33c91a4e9934f0d2cae9c3e624dfe5ba9b4701cab56a8659db371acb8220c413176ff6759f2294d
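Comparing the two Files sections shows which indicators survive across detonations: the first Roaming drop has the same SHA256 in both runs (the hash beginning 8088374e), while the SysWOW64 copy and the second Roaming copy differ between the win10 and win7 runs, so only the first-stage hash is a dependable file indicator; the drop paths and the three queried domains are stable in both. The following is an added example and not part of the report or the sandbox: it classifies the hashes copied from the two Files sections, builds a hunt list from the stable ones, and hashes the drop paths on the local host. It assumes C: for the drive-less win7 paths, and on a host without the files it reports "absent".

```python
"""Cross-run IOC triage for the dropped files above (added example)."""
import hashlib
import os

# Dropped-file records (path, SHA256) copied from the two Files sections above, in report
# order. behavioral1 paths lack the drive letter exactly as the report prints them.
RUNS = {
    "behavioral2 (win10v2004)": [
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "8088374e56cb49cbf9612f46b68590dcb618ce34df0e20ae19b2ed229db21b11"),
        (r"C:\Windows\SysWOW64\omsecor.exe",
         "ea5b2c9782048c29e696573645f69f615b86e2791fbc0179d6d5479b7ccaab47"),
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "18b79c9cfa49ea11cc0c8ce4a2055b82b1db3cf1a34ea324bb60acac22cf936e"),
    ],
    "behavioral1 (win7)": [
        (r"\Users\Admin\AppData\Roaming\omsecor.exe",
         "8088374e56cb49cbf9612f46b68590dcb618ce34df0e20ae19b2ed229db21b11"),
        (r"\Windows\SysWOW64\omsecor.exe",
         "9e0d11658737b67fdf7c1a7f77af54c9b78f9c8ffd57968f093276ac49cd2a1e"),
        (r"\Users\Admin\AppData\Roaming\omsecor.exe",
         "fd461a5d634cb64698534ca572a726ddc4befc2111584dd7abb1680607e31dde"),
    ],
}
# Domains queried in both Network tables.
DOMAINS = ("lousta.net", "ow5dirasuek.com", "mkkuei4kdsz.com")


def normalize(path):
    """Assume C: for the drive-less win7 paths (assumption) and lowercase for comparison."""
    if path.startswith("\\"):
        path = "C:" + path
    return path.lower()


def classify(runs):
    """Return (stable, variant). stable maps (path, occurrence) to the single hash seen in
    every run; variant maps it to the set of differing hashes. The occurrence index matters
    because the Roaming path is written twice per run with different content."""
    seen = {}  # (path, occurrence) -> {run: sha256}
    for run, records in runs.items():
        counts = {}
        for path, sha in records:
            key = normalize(path)
            idx = counts.get(key, 0)
            counts[key] = idx + 1
            seen.setdefault((key, idx), {})[run] = sha.lower()
    stable, variant = {}, {}
    for key, per_run in seen.items():
        hashes = set(per_run.values())
        if len(per_run) == len(runs) and len(hashes) == 1:
            stable[key] = hashes.pop()
        else:
            variant[key] = hashes
    return stable, variant


def hunt_iocs(runs, domains):
    """Hunt list: only run-stable hashes, every drop path, and the queried domains."""
    stable, variant = classify(runs)
    return {
        "sha256": sorted(set(stable.values())),
        "paths": sorted({key[0] for key in list(stable) + list(variant)}),
        "domains": sorted(domains),
    }


def verdict(actual_sha, known):
    """Decision for one path: 'absent' if no file, 'match' on a known hash, otherwise the
    observed hash so the file gets pulled (the later-stage copies vary per run)."""
    if actual_sha is None:
        return "absent"
    actual_sha = actual_sha.lower()
    return "match" if actual_sha in known else f"unknown:{actual_sha}"


def sha256_file(path):
    """SHA256 of a local file, or None when the path is not a regular file."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_host(iocs):
    """Hash each drop path on the local host and return path -> verdict."""
    known = set(iocs["sha256"])
    return {path: verdict(sha256_file(path), known) for path in iocs["paths"]}


if __name__ == "__main__":
    iocs = hunt_iocs(RUNS, DOMAINS)
    print("stable sha256:", iocs["sha256"])
    print("drop paths   :", iocs["paths"])
    print("domains      :", iocs["domains"])
    print(check_host(iocs))
```

On a live host, treat any omsecor.exe present at either drop path as worth collecting even when its hash is "unknown": the report shows the SysWOW64 and second Roaming copies are rewritten with different content on each run, so a hash mismatch there is expected rather than exonerating.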