Analysis Overview
SHA256
966635d1733f7ec88dafbcf6ce3578a3709328d51919f8142d99f65755a80317
Threat Level: Known bad
The file 3afac0156c8dde7e1bf9685824591da0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-12 12:37
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 12:37
Reported
2024-06-12 12:39
Platform
win7-20240419-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3afac0156c8dde7e1bf9685824591da0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3afac0156c8dde7e1bf9685824591da0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3afac0156c8dde7e1bf9685824591da0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3afac0156c8dde7e1bf9685824591da0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2424-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 971b87c7d2dc2326d3a7a7b4158f0cc3 |
| SHA1 | 8f83815e97ad2557a50052e62b6d652a24aeaea1 |
| SHA256 | 67c534c79247a168b2b3d2deaac85d4ee5e2ee100f6a451c898ffd1ddd76dbae |
| SHA512 | 03b38589e46581362c78f6c70776c3176cad84d4f4abf616c5080f2c29349f1bc516aadaf0110eff34fa0e172a6ef719c7ceedb0055c496e88cb5bd940501a12 |
memory/2424-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2060-10-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2060-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | cf1d48ff9793ea5b08303198509e1c7e |
| SHA1 | a9e773375317a72f862f680186f45788ac8cefdf |
| SHA256 | 586e507c925c698050d6e2d528cc344c2c1e700e7d1270f0a73bd3b5ebebccc4 |
| SHA512 | 741902c3407bbe14586a8a3fe29bc676398419a2c16f93114f598143a5350af57cb90489cad91d56931c8c29279f3b4f3244c58cb1c4af580a7cf9322269e8ea |
memory/2060-15-0x0000000001FE0000-0x000000000200B000-memory.dmp
memory/2060-21-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1884-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1612-32-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 421a672855d8621d5332dfc99b595789 |
| SHA1 | e55bdbdee0acf03c0b55326b7f86f293d13f5194 |
| SHA256 | 7d174c8395819b10f8e9c5008e79758523b7dd7003941a6ad8fa0948ca92c281 |
| SHA512 | 21ca46d4f1f3c2ed633a4f4be104a808447767d8747820fb62612a1d2b8fb3b78991048b5ef32afb1e06df1ea3cfd273a7e3e7abeb36e8f3e8548f23f1131b3f |
memory/1884-35-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 12:37
Reported
2024-06-12 12:39
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
140s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3afac0156c8dde7e1bf9685824591da0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3afac0156c8dde7e1bf9685824591da0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/4508-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 971b87c7d2dc2326d3a7a7b4158f0cc3 |
| SHA1 | 8f83815e97ad2557a50052e62b6d652a24aeaea1 |
| SHA256 | 67c534c79247a168b2b3d2deaac85d4ee5e2ee100f6a451c898ffd1ddd76dbae |
| SHA512 | 03b38589e46581362c78f6c70776c3176cad84d4f4abf616c5080f2c29349f1bc516aadaf0110eff34fa0e172a6ef719c7ceedb0055c496e88cb5bd940501a12 |
memory/4508-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3632-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3632-7-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3632-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | b222613bf8461d71f71ea52c9f0beaf4 |
| SHA1 | 1c5d300be4d9106457b0c1021b1b54fe07b683eb |
| SHA256 | f6db0bb6ed38ef1bc54349d856f114b97f92284b18e27cdb9290ac4b9c251660 |
| SHA512 | d6d33f9d7e496943825bb728a9a4bd5020c6a97d3070c5b4e92025f12342c99063ef1694582e02d2eaeb3f6ac3dd904e010c43188f03102cab00c71f925d0178 |
memory/936-13-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f5982c351103e84247b882a71716f905 |
| SHA1 | 7bf96c43b1c90601d3fca3572bfde07bcc6fd41d |
| SHA256 | 8405b08f977cde2d2c28b22f581d1f22fc7b463388a046fe88c8a8d263fc1493 |
| SHA512 | d7876d38c939223181abdaa4b3946cbd1185a01995c2e388bb702fdb0bc5333fe7e9a0b12c310589cb8b8f4dc538e7cebc0e18793a550feff0b7e657d365cf0c |
memory/936-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3096-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3096-20-0x0000000000400000-0x000000000042B000-memory.dmp