Analysis Overview
SHA256: 71b059c85c6ca363b0720162a49a77d1f2d9e58a30fd58551c62729877b0f988
Threat Level: Known bad
The file 3f35eb050a7be8185e05a4ed06fc67d0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported: 2024-06-12 13:45
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-12 13:45
Reported: 2024-06-12 13:48
Platform: win10v2004-20240508-en
Max time kernel: 142s
Max time network: 140s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f35eb050a7be8185e05a4ed06fc67d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f35eb050a7be8185e05a4ed06fc67d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe

| Hash | Value |
|---|---|
| MD5 | 37532387eece4d7ffcc745d6af670938 |
| SHA1 | d0a9332797abb3b9c4adde3f1092fcc8a10be1fc |
| SHA256 | 85ba3691656e16b13d72b38042b68ffb9df83fa17aa1ce6a29959c280a5a65fd |
| SHA512 | f891ba3c89f4d3118888d2d09f0c645c68411ad35a5636d389b982d48fb39797bd2a9d8b1303e94f1e3ab8d788e78e6919b206ce9e4996dc5d3b5a063ac535b6 |
memory/1144-2-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3640-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3640-6-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe

| Hash | Value |
|---|---|
| MD5 | 6ef36566fd5321372279346dabb8fc34 |
| SHA1 | 8a428300207094de62f9db2c897565bd9eac3aa0 |
| SHA256 | bb6e6bfc44c70dff6bd9fdbc150f5b3b09dab5318ab3293b05f94eb52473279f |
| SHA512 | ef62de5fa74d1bd467182b873277ea5d902feb5a828c869df5c825ffb53ebb743c82e058e0ad2f2c59f569ac18b13ae44e70acde8783544c8abf822be908b9d2 |
memory/3640-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2396-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe

| Hash | Value |
|---|---|
| MD5 | ea922f11cb74d2d628ca4e31826e1246 |
| SHA1 | bb4f8a5c610ca22ef4fc7f4fe21a868d31aca383 |
| SHA256 | 943366e30ad28b6f15d4673345cf68cde95569610946d0511752619027b5f65b |
| SHA512 | 9116cea30ba78206b7c8879d99adf0a5f6397426d4cd9918b2438696e0ae9b518af7f8dd713fa50946a6c680f589a11f8d18235b24cd4b83942fde1f26f42e14 |
memory/2396-15-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3376-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3376-19-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-12 13:45
Reported: 2024-06-12 13:48
Platform: win7-20240419-en
Max time kernel: 146s
Max time network: 149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f35eb050a7be8185e05a4ed06fc67d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f35eb050a7be8185e05a4ed06fc67d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f35eb050a7be8185e05a4ed06fc67d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f35eb050a7be8185e05a4ed06fc67d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2236-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2236-4-0x0000000000220000-0x000000000024B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe

| Hash | Value |
|---|---|
| MD5 | 37532387eece4d7ffcc745d6af670938 |
| SHA1 | d0a9332797abb3b9c4adde3f1092fcc8a10be1fc |
| SHA256 | 85ba3691656e16b13d72b38042b68ffb9df83fa17aa1ce6a29959c280a5a65fd |
| SHA512 | f891ba3c89f4d3118888d2d09f0c645c68411ad35a5636d389b982d48fb39797bd2a9d8b1303e94f1e3ab8d788e78e6919b206ce9e4996dc5d3b5a063ac535b6 |
memory/2236-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2108-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe

| Hash | Value |
|---|---|
| MD5 | 6ce77c1eccc8bcdf9674342c182982c1 |
| SHA1 | 87fee8f3c197695c3400a2140d28fe91e53f2ea9 |
| SHA256 | 6242db74dd28d38d8184c0823d74bee39e084fa6cf0623f72d020b31e236baee |
| SHA512 | 688feecddd0c28d1d4d55e81e3cccd3c3b2ad1155b384f37eae2c1b1d1c06efbec387cf47dfcc5b15b2fc26dc74076b9a8cae22f7d97af912e876c7adbbaecda |
memory/2108-15-0x0000000002350000-0x000000000237B000-memory.dmp
memory/2108-21-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe

| Hash | Value |
|---|---|
| MD5 | cc4fde7cbab4dd994a0e94272c4d7b2d |
| SHA1 | 3c7fb0bd21cef865c91e5ced5a1818fcbdd72bbf |
| SHA256 | bd9ae339bddd2f022d52cf6fd4e7556b1b5cb63bd0353d0ef4ceb9ffa5e76597 |
| SHA512 | 824dacb98b946f5247371581aabcdb47c418042cacf3a931c70abf527d5d4160eb733489709f305a1af08354a19cfdc3cf1e7b71e59e281987402c06705c7721 |
memory/1644-31-0x0000000000400000-0x000000000042B000-memory.dmp
memory/348-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/348-35-0x0000000000400000-0x000000000042B000-memory.dmp