Malware Analysis Report

2024-09-11 08:40

Sample ID 240613-gc73nazdqr
Target 62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe
SHA256 412faec17f8bd1f8716f553d47dd0e57ac637a07913a9469a712a41b0a2cd7ab
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

412faec17f8bd1f8716f553d47dd0e57ac637a07913a9469a712a41b0a2cd7ab

Threat Level: Known bad

The file 62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:40

Signatures

Neconyd family

neconyd

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:40

Reported

2024-06-13 05:43

Platform

win7-20240611-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2996 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2996 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2996 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2996 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2052 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2052 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2052 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2052 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2564 wrote to memory of 1156 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2564 wrote to memory of 1156 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2564 wrote to memory of 1156 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2564 wrote to memory of 1156 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |

Processes

Each process is listed as its image path followed by the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is started with a System32 command line but runs from SysWOW64. This is WOW64 file system redirection: for a 32-bit process, opens of C:\Windows\System32 are transparently mapped to C:\Windows\SysWOW64, which is also why the "Drops file in System32 directory" signature shows a SysWOW64 path. The WriteProcessMemory rows give the order of the chain, consistent with each process launching the next: PID 2996 (the sample) writes into 2052 (Roaming\omsecor.exe), 2052 into 2564 (SysWOW64\omsecor.exe), and 2564 into 1156 (Roaming\omsecor.exe again).

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe appears twice with different hashes: the sandbox captured it once as dropped by the sample and again after the file was overwritten later in the run.

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 9b0de88dac50ebc4421a96b3aa4532e8
SHA1 947be40622de628ee0ad81c72cbdc2d3990739dd
SHA256 9e4b3be6ea085b7ada2349b3051e40534bf74a03d20e00d69e86005bdc15c3c2
SHA512 22695b2a89f2359071d2d3dcda21f7d6c3a00d1d6b0e6932f686ff9753d5fbbb27ca4b880e31904d5fbbebc5b370f61e6a310728baabb1e39c7298d3c3ec0634

C:\Windows\SysWOW64\omsecor.exe

MD5 25865244a84a6877a679c73bb962684c
SHA1 21d6a8b3b6d3f924b95e7d28e1adf0fd0f454c82
SHA256 794bafc681b2224ff00c352e16af6bcb6f2196d44ec03450f24e6cc01b2da736
SHA512 184dd3ae61b8e0225e6527e6fd24b743c9ac9a783522a861799ccdc4ff87ff067a8a10a9b721040370a13e269c88e49b32bd6780f06641ff0804872352d5c2a3

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b050d4a7273df4dafd1bb8b046580b16
SHA1 54a1611393895d5110dcbc39433f4047b466d0a1
SHA256 f6704f1a54bf6271b91316bb4a7aa0f7e19b7be66538498a2d77208e8a47a24a
SHA512 1edf665b2fa3491e7848a15f7d4b73096dd64f7d2a8acc600cad8543241e717c4bfa0996f88fb57caee1fa74013d30b1840d18ee48cd396bb98e6bdd572a66d4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 05:40

Reported

2024-06-13 05:43

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Processes

Each process is listed as its image path followed by the command line it was started with.

C:\Users\Admin\AppData\Local\Temp\62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 23.53.113.159:80 |  | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |

Files

The first C:\Users\Admin\AppData\Roaming\omsecor.exe (SHA256 beginning 9e4b3be6) is byte-identical to the one dropped in behavioral1, while the C:\Windows\SysWOW64\omsecor.exe copy and the second, overwritten C:\Users\Admin\AppData\Roaming\omsecor.exe differ from the behavioral1 run. Only the original sample hash and the initial drop hash are therefore stable file indicators; the paths, process chain and DNS names are more reliable than hashes of the later copies.

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 9b0de88dac50ebc4421a96b3aa4532e8
SHA1 947be40622de628ee0ad81c72cbdc2d3990739dd
SHA256 9e4b3be6ea085b7ada2349b3051e40534bf74a03d20e00d69e86005bdc15c3c2
SHA512 22695b2a89f2359071d2d3dcda21f7d6c3a00d1d6b0e6932f686ff9753d5fbbb27ca4b880e31904d5fbbebc5b370f61e6a310728baabb1e39c7298d3c3ec0634

C:\Windows\SysWOW64\omsecor.exe

MD5 2744523770b8ac231ba6bb59cb12e41e
SHA1 0e3c321d28974ad9b8aca9952efa84cfeda62801
SHA256 e01209beb30c3513f4b3d47dba884bfa433d3dada852832d42fa61e0ee542a5f
SHA512 b3f21721498585f23e0a28cebc18d87afad6bc09fd79732da8ff3471bf2b2ceaf2e8f5e31f31f991912d66ec52a80ef1b563ebbbcbccf864a0fa81faf00eabb0

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e60ec92e5905567176eae003142fa383
SHA1 737d525da6c3c8ac9d5ce3f0ceafd6d893c080f3
SHA256 3ada23a039a124e1bd2b0083d84aa3931f7e2d8c306bc3781b9ce918e7fa2168
SHA512 08bd09a979667b8b67ee6f9ee34f5b44bce129d34c3c99ce2e24e0f581a22a1119d9c6383ac5141bbb7c47a3f98756f7e93ed6ea8a91c6d9e1eccdb810e22b5a
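The behaviour recorded in both detonations (omsecor.exe dropped into the Roaming profile and into SysWOW64, the Roaming/SysWOW64 relaunch chain, and DNS lookups for the three C2 domains) can be turned into detection logic. The following is an added example, not sandbox output or code from the report's author: it runs a small rule set over constructed, Sysmon-like events (EventID 1 process create, 11 file create, 22 DNS query, a schema chosen here for illustration). The paths, PIDs and domains are taken from the behavioral1 run; the event records themselves are constructed. The rules deliberately key on paths, parent/child relationships and DNS names rather than on the dropped-file hashes, since the report shows those hashes changing between runs.

```python
"""Rule-based detection of the omsecor.exe drop/relaunch/C2 chain over a
stream of constructed Sysmon-like events (added example, not report code)."""
import ntpath
import re
from collections import defaultdict

# Indicators taken from the report.
DROPPED_NAME = "omsecor.exe"
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}

_APPDATA_ROAMING = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.I)
_SYSWOW64 = re.compile(r"^[a-z]:\\windows\\syswow64\\", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\62d2dcf1066bbe36cadbc60225523430_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events mirroring the behavioral1 chain. A file-create event
# records the resolved target path, so a 32-bit process writing
# C:\Windows\System32\omsecor.exe is logged under SysWOW64, as in the report.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 2996, "ppid": 900, "image": SAMPLE},
    {"id": 11, "pid": 2996, "image": SAMPLE, "target": ROAMING},
    {"id": 1, "pid": 2052, "ppid": 2996, "image": ROAMING},
    {"id": 11, "pid": 2052, "image": ROAMING, "target": SYSWOW},
    {"id": 1, "pid": 2564, "ppid": 2052, "image": SYSWOW},
    {"id": 1, "pid": 1156, "ppid": 2564, "image": ROAMING},
    {"id": 22, "pid": 1156, "image": ROAMING, "query": "lousta.net"},
    {"id": 22, "pid": 1156, "image": ROAMING, "query": "mkkuei4kdsz.com"},
    # Benign noise that must not trigger any rule.
    {"id": 1, "pid": 4000, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 22, "pid": 4000, "image": r"C:\Windows\System32\notepad.exe", "query": "www.microsoft.com"},
]


def _name(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return a list of (rule, pid, detail) findings for an ordered event stream.

    Process-create events are remembered so later events can be related to
    the parent's image path.
    """
    image_of = {}
    findings = []
    for ev in events:
        if ev["id"] == 1:
            image_of[ev["pid"]] = ev["image"]
            parent = image_of.get(ev["ppid"], "")
            if _name(ev["image"]) == DROPPED_NAME and _APPDATA_ROAMING.match(ev["image"]):
                findings.append(("omsecor_exec_from_appdata", ev["pid"], ev["image"]))
            # The report's chain: omsecor.exe in one location launching the
            # copy in the other (Roaming -> SysWOW64 -> Roaming).
            if (_name(ev["image"]) == DROPPED_NAME and _name(parent) == DROPPED_NAME
                    and ev["image"].lower() != parent.lower()):
                findings.append(("omsecor_relaunch_chain", ev["pid"], f"{parent} -> {ev['image']}"))
        elif ev["id"] == 11:
            # Writing into SysWOW64 needs administrative rights; a process
            # running from the user's Roaming profile doing so is a strong signal.
            if _APPDATA_ROAMING.match(ev["image"]) and _SYSWOW64.match(ev["target"]):
                findings.append(("appdata_process_writes_syswow64", ev["pid"], ev["target"]))
        elif ev["id"] == 22:
            if ev["query"].lower().rstrip(".") in C2_DOMAINS:
                findings.append(("neconyd_c2_dns", ev["pid"], ev["query"]))
    return findings


def by_rule(findings):
    """Group findings as {rule: sorted list of PIDs}."""
    grouped = defaultdict(set)
    for rule, pid, _ in findings:
        grouped[rule].add(pid)
    return {rule: sorted(pids) for rule, pids in grouped.items()}


def verdict(findings):
    """True only when the whole drop/relaunch/C2 pattern is present, not a single hint."""
    required = {"omsecor_exec_from_appdata", "appdata_process_writes_syswow64",
                "omsecor_relaunch_chain", "neconyd_c2_dns"}
    return required <= set(by_rule(findings))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:32} pid={pid:<5} {detail}")
    print("neconyd chain present:", verdict(found))
```

Each rule alone is a hint (an executable named omsecor.exe in Roaming, a Roaming process writing into SysWOW64, omsecor.exe relaunching itself from the other location, a lookup of one of the three domains); `verdict` requires all four so that a single coincidental match does not page anyone, and the notepad events show that unrelated activity produces no findings.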