Analysis Overview
SHA256
f37382188460dc4858b25a4c571e4505531530e17bba830242be0913a67bf121
Threat Level: Known bad
The file 9169cc89c0863911792a955bde3e8640_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 23:54
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 23:54
Reported
2024-06-13 23:56
Platform
win7-20240221-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9169cc89c0863911792a955bde3e8640_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9169cc89c0863911792a955bde3e8640_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9169cc89c0863911792a955bde3e8640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9169cc89c0863911792a955bde3e8640_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2ddbd8a42f6986fe07906daa2dd88e27 |
| SHA1 | f53e04c25952071f2927c090c6fc8f47da4a1ab0 |
| SHA256 | 4f45bdc9f972afbcbf734b8f0407fc300ddd9148563892313b394344a8950f7c |
| SHA512 | 2264d613808e54812578bc76912c955e626c6595e08286ce05c040853a4bd85e8bd2b02fb220e12d20429958998abae0d2e115aca5528b9129ed4ebd70c7aa6f |
\Windows\SysWOW64\omsecor.exe
| MD5 | d4edaa3f60d20ca1d31660eb7d8a546c |
| SHA1 | 48179bddcf63f24f880e44cb44569795b7095790 |
| SHA256 | 42ec45c447dba6e60077ab7e5e2628dc55fcdca3524f23e3fdc0810e29beb8a5 |
| SHA512 | 111174a4976375c3a0ff5aaee721ec6f8ee1fe5ec7d3b33242abbc06fc25259b519ec9962ede85283289989374426e8c996f21693f8284986ed661d3198e2430 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | b61594db50088269ce84a6d686498bec |
| SHA1 | 8ec8698fe7d3c3c8f4f4a01206d1b2d2588a0d48 |
| SHA256 | bd084f2543f732aa46f1d4c1f11f34ae1069b264f49762e6771807629c79dcc0 |
| SHA512 | a659878fb4ebfbb9af1b6cebb82c04f3d7bb49e57298bdc83886fe7d6687f8bfda47b790ed947374360a022c001c6d9208e3d668487b6173db6068f2315263fa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 23:54
Reported
2024-06-13 23:56
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9169cc89c0863911792a955bde3e8640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9169cc89c0863911792a955bde3e8640_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 2ddbd8a42f6986fe07906daa2dd88e27 |
| SHA1 | f53e04c25952071f2927c090c6fc8f47da4a1ab0 |
| SHA256 | 4f45bdc9f972afbcbf734b8f0407fc300ddd9148563892313b394344a8950f7c |
| SHA512 | 2264d613808e54812578bc76912c955e626c6595e08286ce05c040853a4bd85e8bd2b02fb220e12d20429958998abae0d2e115aca5528b9129ed4ebd70c7aa6f |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | e4b3bacc19ce3819fd01a1622a5ae2cf |
| SHA1 | a34f68416778bf17cf781accb99bebc5a14c25fd |
| SHA256 | 2c8f1efa0af974f457b8419f9d7d18dc2a2a6f8477d5f82d84ec587746051972 |
| SHA512 | e544f3e2060f106c90bc16fb25252892bffed4a57a3582d9d255313ea0a9974cb80bfe9a88676677539bf01577e4e360ea0a9390c1f3602015b0b8db7034e15f |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 24f49a2edeb3b97743d23d2429e72838 |
| SHA1 | 64c567b52499b19a21c76e3c7a72b181675a6523 |
| SHA256 | bb22604b76c7f436b1cc0bc5b9c74c4d2c78c08b69b3cb482fb68c8b9c215153 |
| SHA512 | af1de16b34ae82a7ee3308e3cf75ff9ebf55ae64dd5960732c3b4db701217114eb504ee904f9b72f76f2bee3015a07b1ba92ee10221ba314cc6c05ac6fd56f10 |