Analysis Overview
SHA256
36bbaf6890d9ae808a92cb0ed30bed5a901903e76962e1d053a8de223f849b86
Threat Level: Known bad
The file 4195d4b37ccb623d89725f86c2429c20_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-12 20:25
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 20:25
Reported
2024-06-12 20:28
Platform
win7-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4195d4b37ccb623d89725f86c2429c20_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4195d4b37ccb623d89725f86c2429c20_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4195d4b37ccb623d89725f86c2429c20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4195d4b37ccb623d89725f86c2429c20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 95083e7a73b1bc934b98e279a453d1e4 |
| SHA1 | a7d9806231fe031876c75613b0618d2908a451b1 |
| SHA256 | dd41eb258ecfb96f7b015821513bae96de30f47e506cf6fe92d5fdc3a7903861 |
| SHA512 | e5240eb8d819460a53647b053c1befbfcad63db4875d39bad85b4cf408c59a79b80596967765f33a0a4a643ff6729b084b8494620d792ba38cc2afc09fff4870 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 8df72b14041fd2f4b0cc762c7e0e580a |
| SHA1 | a8e52ec544b4ba496555b1205def322798273343 |
| SHA256 | 46657b6234c71e89c7ac6498bb28308e2276d15d243a6991849f7ef5ba90da7c |
| SHA512 | 0161b96e492f347cc3f213f8d61c3f520364d122b9b384b2ec16638d21170f2e659d6d594e5525375db5a0bb7a323297875099fdbd049b125c737de6baae0b7c |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a7b05e9acdda014a3ca56ff49f74ccc7 |
| SHA1 | b2c26970cf97cf8cea0ec116a5f85163cbaf5c77 |
| SHA256 | e6372772021e18f621af61f19c23e3aa664a93b73255e4a569fe8270518ac8d2 |
| SHA512 | 44eda0d8bd9d4f8a058f83d7f001153e00c36fd00f9e59e982293e01112e86ece37a4656f184715f9e292b6036964ad3544816137d970767cb5546922b4ed608 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 20:25
Reported
2024-06-12 20:28
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2744 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\4195d4b37ccb623d89725f86c2429c20_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2744 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\4195d4b37ccb623d89725f86c2429c20_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2744 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\4195d4b37ccb623d89725f86c2429c20_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4400 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4400 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4400 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4195d4b37ccb623d89725f86c2429c20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4195d4b37ccb623d89725f86c2429c20_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 203.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 52.111.227.11:443 | N/A | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 95083e7a73b1bc934b98e279a453d1e4 |
| SHA1 | a7d9806231fe031876c75613b0618d2908a451b1 |
| SHA256 | dd41eb258ecfb96f7b015821513bae96de30f47e506cf6fe92d5fdc3a7903861 |
| SHA512 | e5240eb8d819460a53647b053c1befbfcad63db4875d39bad85b4cf408c59a79b80596967765f33a0a4a643ff6729b084b8494620d792ba38cc2afc09fff4870 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 48cf3a71e733d0b0f6ce72885a250be9 |
| SHA1 | 6756e4cf8cf2c523b6274810cca3b4f08933dc77 |
| SHA256 | 8cd04b42ca638ed5d172808cf4a6b8940b9ca7b66f657b0ea2d3a53a55400c7d |
| SHA512 | 27f8e259df29f014386a6ed94a9908d9ea15e2cc3dd7d769911921a9d9ff20934a853c2af07499e5ccc9c1ebaa232a3a050d600604f6094e35beb1088d58216e |