Analysis Overview
SHA256
c892cb91d3bef865797c796c0870b17efa909dbf31ce44b44be02442e32e5332
Threat Level: Known bad
The file 4fea67bda32ad9e0eb2646a04ac0e210_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 00:25
Signatures
Neconyd family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 00:25
Reported
2024-06-13 00:28
Platform
win7-20240220-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4fea67bda32ad9e0eb2646a04ac0e210_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4fea67bda32ad9e0eb2646a04ac0e210_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4fea67bda32ad9e0eb2646a04ac0e210_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4fea67bda32ad9e0eb2646a04ac0e210_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c6dead0eabefde8864e43c1dec7b7c2b |
| SHA1 | d80b9c4aaa947a363050ca7c68f023e30d654daf |
| SHA256 | ab785be0301fd92d7d7b2b7dbdb2c9b63ed2018fe0ebbe4b9c90b90a6ef8e02e |
| SHA512 | ef1ddf76ca998a9c52345f0d6b739835b584c296f116a8d05ddde2345f1f7ac6769e32927d131fb8f15df5e113640962299ceab1e79d9a544c9c60aac7d44f86 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 12230832e2f81fc7488b309cecc5dedc |
| SHA1 | 6dbd9fb470c91c693be742009694519ce36f0dbe |
| SHA256 | 15b5ebfc0aba3801ea55080c61e7ab1e9bccd51a96eafec48c8e7f4405617210 |
| SHA512 | 42310cc2451dfcaaae2fb5c621542c0cb3d32ccae8be61d2769296a2f57e2d9f394b0ea58d1828243e8498bd5f3cb4c24c202843ca1a7669749c5dec46372e11 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 507a74968c674d8388996e0b490015da |
| SHA1 | c665a4bb5b87b997e59ee8378e33ca4590123e6e |
| SHA256 | 859e3bc2b9a6b0bccc5a694d40ca258d869c9cbe8db09222e6a1395562bc3128 |
| SHA512 | 16aecdca7af80a32fdf9bf2865b20aead08be0a28893179df592ccb3d55cb2c9f75503e5026bcaa02079d85c2d13eab128e0cfc0655874dcb67ed44f5749d335 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 00:25
Reported
2024-06-13 00:28
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1572 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\4fea67bda32ad9e0eb2646a04ac0e210_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1572 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\4fea67bda32ad9e0eb2646a04ac0e210_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1572 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\4fea67bda32ad9e0eb2646a04ac0e210_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4736 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4736 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4736 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4fea67bda32ad9e0eb2646a04ac0e210_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4fea67bda32ad9e0eb2646a04ac0e210_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4020 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
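The tables above describe a two-hop drop chain: the sample in Temp writes and runs %APPDATA%\omsecor.exe, which writes a same-named copy into C:\Windows\SysWOW64 and runs that (PIDs 1572 -> 4736 -> 4428 in the WriteProcessMemory table). The following is an added example of how to detect that shape from endpoint telemetry; it is not the sandbox's own detection logic. The event records are constructed to mirror the behavioral2 run (paths and PIDs are taken from the tables above, the browser helper process is the unrelated msedge.exe the run also recorded), and the `(kind, pid, ppid, image)` / `(kind, pid, target)` schema is an assumption loosely modelled on process-create and file-create events, not a real log export.

```python
r"""Behavioural detection for the chain Temp\<sample>.exe -> %APPDATA%\omsecor.exe
-> C:\Windows\SysWOW64\omsecor.exe. Added example for this report page, not the
sandbox's own logic. EVENTS is constructed; the schema is an assumption."""
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)

# Constructed events mirroring the behavioral2 run (not a real log export).
EVENTS = [
    ("proc", 1572, 900, r"C:\Users\Admin\AppData\Local\Temp\4fea67bda32ad9e0eb2646a04ac0e210_NeikiAnalytics.exe"),
    ("file", 1572, r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
    ("proc", 4736, 1572, r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
    ("file", 4736, r"C:\Windows\SysWOW64\omsecor.exe"),
    ("proc", 4428, 4736, r"C:\Windows\SysWOW64\omsecor.exe"),
    ("file", 4428, r"C:\Windows\SysWOW64\merocz.xc6"),
    # Unrelated browser helper process that the same run also recorded.
    ("proc", 5120, 5000, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
]


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_profile(path):
    return bool(USER_WRITABLE.match(path))


def lineage(pid, parent, image):
    """Image basenames from pid up to the oldest ancestor the log knows."""
    names = []
    while pid in image:
        names.append(ntpath.basename(image[pid]))
        pid = parent[pid]
    return " <- ".join(names)


def detect(events):
    """Replay events in order; return [(rule, pid, detail)] findings."""
    image, parent, written = {}, {}, {}
    findings = []
    for ev in events:
        if ev[0] == "proc":
            _, pid, ppid, img = ev
            image[pid], parent[pid] = img, ppid
            pimg = image.get(ppid, "")
            # Rule A: a user-profile process runs a file it wrote itself
            # (both hops: Temp -> Roaming and Roaming -> SysWOW64).
            if in_user_profile(pimg) and img.lower() in written.get(ppid, ()):
                findings.append(("exec_self_dropped", pid, f"{pimg} -> {img}"))
            # Rule B: a same-named copy of a user-profile binary now runs from
            # a system directory; report the whole lineage for triage.
            if (in_system_dir(img) and in_user_profile(pimg)
                    and ntpath.basename(img).lower() == ntpath.basename(pimg).lower()):
                findings.append(("system_dir_clone", pid, lineage(pid, parent, image)))
        else:
            _, pid, target = ev
            written.setdefault(pid, set()).add(target.lower())
            # Rule C: a user-profile process writes into System32/SysWOW64.
            if in_system_dir(target) and in_user_profile(image.get(pid, "")):
                findings.append(("appdata_writes_system_dir", pid, target))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:26} pid={pid:<6} {detail}")
```

The rules key on paths and lineage rather than file hashes on purpose: in the Files sections the %APPDATA% copy has the same MD5 in both runs (c6dead0eabefde8864e43c1dec7b7c2b), but the SysWOW64 copy hashes differently from it and differently between the win7 and win10 runs (12230832e2f81fc7488b309cecc5dedc versus d7c95a91e61d098b4f5c4fb17db19619), so a hash blocklist would miss the second-stage copy.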
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
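The two Network tables (behavioral1 and behavioral2) repeat the same three domains across many rows and, in the win10 run, add a string of reverse (PTR) lookups to 8.8.8.8 that come from the OS resolving its own peers rather than from the sample. The following is an added example, not the sandbox's own tooling, that folds both tables into a compact indicator set. The row text is copied from the tables above, including the two rows whose Domain cell is blank, and the classification rules (what is resolver traffic, what is noise) are the author's assumptions.

```python
"""Fold the report's Network tables into C2 indicators. Added example for
this report page; rows are copied from the tables above, the noise rules
are the author's assumptions, not the sandbox's."""
import re
from collections import defaultdict

RESOLVER = ("8.8.8.8", 53)       # the sandbox's DNS forwarder, per the tables
PTR_SUFFIX = ".in-addr.arpa"     # reverse lookups: OS/sandbox noise, not C2
DEST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")

# Rows copied from the report. Header and "# ..." lines are skipped by
# parse_row. Two rows are kept in the shifted form the export produced
# (Domain cell missing, "tcp" in the Domain column) so the parser must cope.
NETWORK_ROWS = """
# behavioral1
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
# behavioral2
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
"""


def parse_row(line):
    """Parse one table row into a dict, or None for header/comment/blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    if proto == "" and domain in ("tcp", "udp"):   # shifted row: no domain
        domain, proto = "", domain
    m = DEST_RE.match(dest)
    if not m:                                      # header row
        return None
    return {"country": country, "ip": m.group(1), "port": int(m.group(2)),
            "domain": domain, "proto": proto}


def consolidate(rows_text):
    """Return (contacted, dns_only, unattributed):
    contacted     domain -> {"ip:port"} the sample actually connected to
    dns_only      domains queried but never contacted
    unattributed  "ip:port" connections the report lists without a domain
    """
    contacted, queried, unattributed = defaultdict(set), set(), set()
    for line in rows_text.splitlines():
        r = parse_row(line)
        if r is None:
            continue
        endpoint = f"{r['ip']}:{r['port']}"
        if r["proto"] == "udp" and (r["ip"], r["port"]) == RESOLVER:
            if not r["domain"].endswith(PTR_SUFFIX):   # drop reverse lookups
                queried.add(r["domain"])
        elif r["domain"]:
            contacted[r["domain"]].add(endpoint)
        else:
            unattributed.add(endpoint)
    return dict(contacted), queried - set(contacted), unattributed


if __name__ == "__main__":
    contacted, dns_only, unattributed = consolidate(NETWORK_ROWS)
    for domain, endpoints in sorted(contacted.items()):
        print(f"{domain:18} {', '.join(sorted(endpoints))}")
    print("dns only:", sorted(dns_only), " unattributed:", sorted(unattributed))
```

The two unattributed destinations (20.231.121.79:80 and 13.107.246.64:443) are listed without a domain and the report does not say which process opened them; they are reported separately rather than folded into the C2 set, since the win10 run also captured an msedge.exe helper process.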
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c6dead0eabefde8864e43c1dec7b7c2b |
| SHA1 | d80b9c4aaa947a363050ca7c68f023e30d654daf |
| SHA256 | ab785be0301fd92d7d7b2b7dbdb2c9b63ed2018fe0ebbe4b9c90b90a6ef8e02e |
| SHA512 | ef1ddf76ca998a9c52345f0d6b739835b584c296f116a8d05ddde2345f1f7ac6769e32927d131fb8f15df5e113640962299ceab1e79d9a544c9c60aac7d44f86 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d7c95a91e61d098b4f5c4fb17db19619 |
| SHA1 | 6d9faf040377b58b49d61140dcd10c0ffb17f143 |
| SHA256 | 8a965dbf70be7378aa5a6df97ef4bcf8966ba9195977091a1b63dc0643236942 |
| SHA512 | f399af718fbb3267aab59ed45115fa0410a7ff14850e7488a1b4dea1b3b5ae7e71b3fd64c1b7660c9a828e16be4c6bfec05cb2e067cf45a59cbc451715911ba0 |