Analysis Overview
SHA256
14db2f98ba2e8fa2aea8b32c5682dbf1ececc12a3f9fa1a4ddbe3f524438846e
Threat Level: Known bad
The file 679c458d50639a6029d8b2ea1fa7af50_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 07:02
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 07:02
Reported
2024-06-13 07:04
Platform
win7-20240220-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\679c458d50639a6029d8b2ea1fa7af50_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\679c458d50639a6029d8b2ea1fa7af50_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\679c458d50639a6029d8b2ea1fa7af50_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\679c458d50639a6029d8b2ea1fa7af50_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note that the third process has its image under SysWOW64 while its command line names System32. This is consistent with a 32-bit process subject to WOW64 file system redirection: a write aimed at C:\Windows\System32 by a 32-bit process lands in C:\Windows\SysWOW64, which is why the SysWOW64 copy appears under "Drops file in System32 directory" above. Hunting rules should therefore match both spellings of the path.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f6dff79a1fbfb6891f59f8df34fa57ad |
| SHA1 | 36deaedda330cc609661e84f67125733333b8376 |
| SHA256 | e1e1073d5f4aa66add2869cf2fb368a415ea784ae5273dae70e80ae9f375a4fc |
| SHA512 | 2e4600b774b0f65b6c4f511bb0513c42f15454980ee5012836d6ea99ccdb33317363a217f68f94791d7db55c3f127b117ccf1d363bc7215ac49725635361b3b7 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 60ca5c26a4e54e0e7184770f282af6d5 |
| SHA1 | 16f03ee9b5818f7bdbfacd156e2e0699b4593bc1 |
| SHA256 | 4de65f398d4c05c0107661b579374c38a81f1e9e044688b92f1ca90d5f1b0b91 |
| SHA512 | c944d34eab7e93e7aecbeff9e8f1ce72c2b4a7bd26461537adefe8eeb775df0f419263223fe9698b2b1549dae48b8396a3cbbcf45fbe6c502a574f346f01bacb |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0c99489f6a081db888485fbbcb65e5a5 |
| SHA1 | f8791bb5f92e0c47292736b099d5270548f7b7c0 |
| SHA256 | dacf5f0debcf35eda0feca6c83a27d85d3cf83f723c1bf3a586c7872d2b0bf79 |
| SHA512 | c4ed82c3731a0517a80297a25587a55d4a8a263271af78a4bee3198c20dc2a2fdab5f7f4e3f08e7b7307bb3085b3887ca82005f8090d3fef4cc40b1f67d7101b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 07:02
Reported
2024-06-13 07:04
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
152s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\679c458d50639a6029d8b2ea1fa7af50_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\679c458d50639a6029d8b2ea1fa7af50_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4104,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8 |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | f6dff79a1fbfb6891f59f8df34fa57ad |
| SHA1 | 36deaedda330cc609661e84f67125733333b8376 |
| SHA256 | e1e1073d5f4aa66add2869cf2fb368a415ea784ae5273dae70e80ae9f375a4fc |
| SHA512 | 2e4600b774b0f65b6c4f511bb0513c42f15454980ee5012836d6ea99ccdb33317363a217f68f94791d7db55c3f127b117ccf1d363bc7215ac49725635361b3b7 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 31f5ab2533d924ddd6a281d358b5db69 |
| SHA1 | 0f5c678415087434df41d70cfc87115883a1679b |
| SHA256 | 7ab15b8f78bfe9e7188cfa4b5178d3b4671b845add5d8f324d7ff4811f7ae8ab |
| SHA512 | bbed0cfd88108fa9d1f1b6968c4c4ee639fcb341054d4bbd6adc74bd7e2cee78a1225904f67b3eddaf57361b7146875b60231173612251ff8d32927f6c38c653 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5b71df33d5e86c04de3051e96f8a2f39 |
| SHA1 | f313b32ceb6332b1cc353f70e3df67f4bba06662 |
| SHA256 | 8796d347bf9ce56e951d337b26772ae64c568051056e93709e7810ad1f2846a1 |
| SHA512 | 418e094891ed40c1470bc6df338446134b40c886bb87772d2eca0b4e6dca87777a6ce6270a72aa0e873f6cd6adac63685d946f52075aaea2a23f7e90298264d4 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | c6076413cfbe6a8163289a3abc8115a0 |
| SHA1 | 71886f6483825125f024cad09c6272056aec3a89 |
| SHA256 | c3674c444e029c8282736109d224dac06ff7ea0273c822830f240d5540ac8a1a |
| SHA512 | a28271749fd1714e2a4f30487b8f3ecf66145904ef8e9f29611ae921a92bad6d8b597500ee675c5888f62f5941d69a214b8f8561de45da0741f63792063ee7d1 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | bd716fcba02eac3d6b69a1dcb23b9d43 |
| SHA1 | 637e6c6c8cf98032cf600ee603c7bdeddab16971 |
| SHA256 | 98c02faa4a13cab584c4cfbdb5d8172f8fa48560e35ddff4d21af9cc029606c1 |
| SHA512 | 72a57531e638cf5ae623c5d98cacb72729aa0dafcacdbbca8b6ef7c503c2bbc4a2f52c18d31c8432ebeae9379cd08e39276075090a6a5993cdeaac56840e3f33 |
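Hunting for the indicators from both detonations in endpoint telemetry, as an added example that is not part of the original report: a Python script carrying the report's dropped-file SHA256 values, drop paths and C2 domains and IPs, run over constructed Sysmon-style events (not real telemetry). Two observations from the report drive the design: the Roaming\omsecor.exe copy has a different hash in every drop listed above, so path and network rules do the work and the hash set is only a confirmation; and the win10 run shows only DNS queries with no TCP follow-up, so the DNS rule has to stand on its own. The event field names (EventID, Image, TargetFilename, QueryName, DestinationIp, Hashes) and event IDs 1, 3, 11 and 22 follow Sysmon's conventions; the rule names and the sample events are my own.

```python
"""Match the Neconyd indicators from this report against Sysmon-style events.

Added example, not part of the original sandbox report. Indicators are copied
from the report; the events in SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re

# SHA256 of every omsecor.exe drop listed in both detonations. The same path
# produced a different hash on each drop, so hash matching alone is brittle.
DROPPED_SHA256 = {
    "e1e1073d5f4aa66add2869cf2fb368a415ea784ae5273dae70e80ae9f375a4fc",
    "4de65f398d4c05c0107661b579374c38a81f1e9e044688b92f1ca90d5f1b0b91",
    "dacf5f0debcf35eda0feca6c83a27d85d3cf83f723c1bf3a586c7872d2b0bf79",
    "7ab15b8f78bfe9e7188cfa4b5178d3b4671b845add5d8f324d7ff4811f7ae8ab",
    "8796d347bf9ce56e951d337b26772ae64c568051056e93709e7810ad1f2846a1",
    "c3674c444e029c8282736109d224dac06ff7ea0273c822830f240d5540ac8a1a",
    "98c02faa4a13cab584c4cfbdb5d8172f8fa48560e35ddff4d21af9cc029606c1",
}
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_IPS = {"193.166.255.171", "64.225.91.73", "52.34.198.229"}

# The user name is sandbox-specific, so only the tail of the path is matched.
# System32 is accepted alongside SysWOW64 because a 32-bit process that names
# System32 is redirected to SysWOW64 by WOW64, as the report's process list shows.
ROAMING_DROP = re.compile(r"\\appdata\\roaming\\omsecor\.exe$", re.I)
SYSTEM_DROP = re.compile(r"\\windows\\(syswow64|system32)\\omsecor\.exe$", re.I)


def sha256_of(hashes_field):
    """Pull the SHA256 out of a Sysmon 'Hashes' field ('MD5=..,SHA256=..,..')."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def match_event(ev):
    """Return the names of the report indicators a single event matches."""
    hits = []
    eid = ev["EventID"]
    if eid == 1:  # ProcessCreate
        if ROAMING_DROP.search(ev["Image"]) or SYSTEM_DROP.search(ev["Image"]):
            hits.append("executes_dropped_exe")
        if sha256_of(ev.get("Hashes", "")) in DROPPED_SHA256:
            hits.append("known_dropped_hash")
    elif eid == 11:  # FileCreate
        if SYSTEM_DROP.search(ev["TargetFilename"]) and ROAMING_DROP.search(ev["Image"]):
            hits.append("drops_file_in_system32")
        elif ROAMING_DROP.search(ev["TargetFilename"]):
            hits.append("drops_roaming_copy")
    elif eid == 22:  # DnsQuery (fires even when no TCP connection follows)
        if ev["QueryName"].lower().rstrip(".") in C2_DOMAINS:
            hits.append("c2_dns_query")
    elif eid == 3:  # NetworkConnect
        if ev["DestinationIp"] in C2_IPS:
            hits.append("c2_connection")
    return hits


def scan(events):
    """Run every event through match_event; return (rule -> count, flagged list)."""
    counts, flagged = {}, []
    for ev in events:
        hits = match_event(ev)
        for h in hits:
            counts[h] = counts.get(h, 0) + 1
        if hits:
            flagged.append((ev["EventID"], hits))
    return counts, flagged


# Constructed events modelled on the behavioral1 process, file and network
# activity, plus two benign events that must not match. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\679c458d50639a6029d8b2ea1fa7af50_NeikiAnalytics.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "Hashes": "SHA256=E1E1073D5F4AA66ADD2869CF2FB368A415EA784AE5273DAE70E80AE9F375A4FC"},
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\omsecor.exe"},
    # A fresh drop with an unseen hash still matches on path alone.
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\omsecor.exe",
     "Hashes": "MD5=00000000000000000000000000000000,SHA256=" + "0" * 64},
    {"EventID": 22, "QueryName": "lousta.net"},
    {"EventID": 3, "DestinationIp": "193.166.255.171", "DestinationPort": 80},
    {"EventID": 22, "QueryName": "www.microsoft.com"},                          # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "Hashes": "SHA256=ab"},  # benign
]

if __name__ == "__main__":
    counts, flagged = scan(SAMPLE_EVENTS)
    for rule, n in sorted(counts.items()):
        print(f"{rule}: {n}")
```

In a real deployment the event list would come from a SIEM query or Sysmon EVTX export; the rules are deliberately narrow to the behaviour this report shows, and the path rules should be widened only after confirming that no legitimate software on the estate installs an omsecor.exe.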