Malware Analysis Report

2024-09-11 08:31

Sample ID: 240612-qs46dawgrd
Target: 3e7576eb7bc8d8affa77c12963b1a8e0_NeikiAnalytics.exe
SHA256: 77e8de73179e23d68f37458330bce50876c9eba806a320d30440945079cc8340
Tags: neconyd trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 77e8de73179e23d68f37458330bce50876c9eba806a320d30440945079cc8340

Threat Level: Known bad

The file 3e7576eb7bc8d8affa77c12963b1a8e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 13:32

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 13:32

Reported: 2024-06-12 13:34

Platform: win7-20240221-en

Max time kernel: 145s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e7576eb7bc8d8affa77c12963b1a8e0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2044 wrote to memory of 2956 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\3e7576eb7bc8d8affa77c12963b1a8e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2956 wrote to memory of 1584 (4 identical events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1584 wrote to memory of 1552 (4 identical events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3e7576eb7bc8d8affa77c12963b1a8e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3e7576eb7bc8d8affa77c12963b1a8e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 363c125450d3a8847caed89fd174ed33
SHA1 86f3f128a8d86714bc836aa2143645213774fd76
SHA256 38d39d9e5c7d387708062eaac17fd87f94ee2cbbd6a78e3306257cefb32a33e9
SHA512 c6ad296a601352c562f2e53ff2a62074a3514565a846dac6d866aed8c29f0718b145db9ce99c3969fffbe26e07ea9511f5a92c63f3be383e7604c66d7a0b2329

\Windows\SysWOW64\omsecor.exe

MD5 89371e873909c08eca356228897a25bb
SHA1 efa72751bb51fae500139ab3708268a536e241ee
SHA256 94c25c3303229e0cdbc086e7df7466efbc3afb18658397049e81b1d4924da07e
SHA512 8fc462989b2cc6b47c1990d12438037179bba3a9e029442d25b60f516e05184cfa321130a1284075ebd0e3fc19052a41f53d2b959df0255bc0968d9f78ac6052

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 61105a7a3c7db9d756bee63aa8244eb6
SHA1 32ae58f11c52ac17ec018ee96be198c9700e7657
SHA256 a27450089db0802bb018a498fdf38c11bf412d292b47943e84b71272eefb8bb2
SHA512 984b8f1ed275d86635eb8cc4efffee4be94c100b0699943cbb5ea4485f4e7da9f82637e6c17b153356580765608a8e853b50e07f996a772d39f9bc73890d10ee

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 13:32

Reported: 2024-06-12 13:34

Platform: win10v2004-20240611-en

Max time kernel: 145s

Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e7576eb7bc8d8affa77c12963b1a8e0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e7576eb7bc8d8affa77c12963b1a8e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3e7576eb7bc8d8affa77c12963b1a8e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.56:443 www.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.61.62.23.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 363c125450d3a8847caed89fd174ed33
SHA1 86f3f128a8d86714bc836aa2143645213774fd76
SHA256 38d39d9e5c7d387708062eaac17fd87f94ee2cbbd6a78e3306257cefb32a33e9
SHA512 c6ad296a601352c562f2e53ff2a62074a3514565a846dac6d866aed8c29f0718b145db9ce99c3969fffbe26e07ea9511f5a92c63f3be383e7604c66d7a0b2329

C:\Windows\SysWOW64\omsecor.exe

MD5 af36308fb99b2148606e96c25d879e37
SHA1 41efaf8c23216451bae3dd1df19bd8f58781fd04
SHA256 0bbb3b4687e98b325e6f71da1e0a210c0a63769d5f25b35d5141b5f7d4c05fff
SHA512 354967d817bdfe0de856ea907690d73ada5d7f28bf6d7ce731c17704745c9fb3883174dc513113bddd661b9590f5fffac759f76b86273fd824ba7e838f6a7982

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 637c7a7a17cadf124dd8cf280186ce3b
SHA1 615b6a7111ffc93fa2a61eba62d9f72c49c24f4a
SHA256 b2cd991cd45960e70e11b98d65d0a83c8938136ba6995b65c18d63f4a2641202
SHA512 2096e5e354408fcf7a1e2fa3c76c0e43fff531c38488eaafce37a6d6777b8dc2a9fa5fe3f071c84e42097c0dddcb769fef36221bccde85aac0b841694714d5ee