Analysis Overview
SHA256
c03a27d14b7427e39f0a44b1d7d8bf34b4ffdb3f2048b9c3eaae3fa670746fa7
Threat Level: Known bad
The file 78a94d289eb780931d957b1d07862770_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-13 11:36
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 11:36
Reported
2024-06-13 11:39
Platform
win7-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78a94d289eb780931d957b1d07862770_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78a94d289eb780931d957b1d07862770_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\78a94d289eb780931d957b1d07862770_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\78a94d289eb780931d957b1d07862770_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2264-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | cca5685e7bdb984671b017385c0dbb24 |
| SHA1 | 1f1ce18106fcbf3836e68d7ddb19646b01a4f083 |
| SHA256 | cc03c775ab8a5d14609dff4774158456db58fc3a0c61f5922a043e7fc23dbf3b |
| SHA512 | cdf37643fc9ee06c9b9dcb1e367f375176f6163aef712d7b797d4258482ee8ecf3b43048d70f14e0ff6182b74cfff63b3649a9c30615a58a729afcd9fcc735b2 |
memory/2976-10-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2264-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2976-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 0ecc16da5c440a25fee72e38015d2eea |
| SHA1 | acd4450bf6a8cfcdd68d76e0cfd4e5d01aa045f9 |
| SHA256 | 524b491cc94b92003ac959a4665c8ea0cd0d64cf8fa0c6a0b72fe5affb8f078a |
| SHA512 | 856cac329e153b9e93d925477ee025bda726785e4f84cbab2e58b99f9a65af05aec45358fc405bbcde89835ff9ade7f57b2e552d9a5cdeb821a5adeac8130a16 |
memory/2976-15-0x00000000002C0000-0x00000000002EB000-memory.dmp
memory/2976-21-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 58d493d102e104a0f9b649484e235442 |
| SHA1 | 52478ed7601a8c4ab60202516ef723bebca34835 |
| SHA256 | f470498f21f0aa2038b2d2a8e68245024ceda92cc2fd69322be3516705257f91 |
| SHA512 | 6c34b1d16675776bc2d29e483481ad03c25fa285166132b9a02d15131d6fded258f499c825360516d48cb0e8bfbed95d652ff2897ca4fe6b7ad31def3bf78449 |
memory/1752-31-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1228-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1228-35-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 11:36
Reported
2024-06-13 11:39
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\78a94d289eb780931d957b1d07862770_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\78a94d289eb780931d957b1d07862770_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/4480-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | cca5685e7bdb984671b017385c0dbb24 |
| SHA1 | 1f1ce18106fcbf3836e68d7ddb19646b01a4f083 |
| SHA256 | cc03c775ab8a5d14609dff4774158456db58fc3a0c61f5922a043e7fc23dbf3b |
| SHA512 | cdf37643fc9ee06c9b9dcb1e367f375176f6163aef712d7b797d4258482ee8ecf3b43048d70f14e0ff6182b74cfff63b3649a9c30615a58a729afcd9fcc735b2 |
memory/756-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4480-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/756-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 9f15b4fe8d09fd7bfdd56ad90d2dd9d7 |
| SHA1 | 3ba04fb9fbd7c4a72b170ec5742ce105920489a0 |
| SHA256 | 4449f8edf438eecb367011af455cda8ba1461cc457502a2a7005798092b610aa |
| SHA512 | bda3b4705a2f4047fc101e4044e2ac0b590ba5428e27fe11c9d5e5353e15929550211b3e58e51605355a787c49609efd9fbb6cb149b002a40bd6ea32f285dc04 |
memory/756-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1916-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1916-17-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 22afd1ae05011b16cd2040c6ccc17344 |
| SHA1 | e42732e776dbe37fb772e8294a6b22362041c2a6 |
| SHA256 | 8ec46c56b3061be62fd099eb006ff7885a8b16196b8297d47f19cfc750462f58 |
| SHA512 | cab4223037b4ecb1c67ed725e18b2c2aabf3868d5b58982d8a2c5ee94e91a2c4a0bc2e77e014b52f9eb2643b179efd0ce6b21f2249d5142f0d27cf4af582e97b |
memory/3492-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3492-20-0x0000000000400000-0x000000000042B000-memory.dmp
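The two detonations above give a reusable picture of this Neconyd sample: it writes omsecor.exe to the user's AppData\Roaming folder, that copy drops and launches a second omsecor.exe in SysWOW64 (the process list shows both the System32 and SysWOW64 spelling for the same 32-bit process, which is WOW64 file-system redirection, not two separate binaries), and every stage resolves lousta.net, mkkuei4kdsz.com and ow5dirasuek.com. Note that the dropped omsecor.exe has a different SHA256 in each run, so hash-only blocking misses it; the path and the Roaming-to-SysWOW64 launch chain are the stable indicators. The following matcher is an added example, not part of the sandbox report or of any vendor tooling: the hashes, paths and domains are copied from the report, while the Sysmon-style JSON field names, the sample event lines and the unknown hash on the first dropped copy are constructed for illustration.

```python
"""Matcher for the Neconyd indicators in the report above (added example).

Indicators come from the report; the event schema and the log lines in
SAMPLE_LOG are constructed stand-ins for real endpoint telemetry.
"""
import json
from typing import Dict, Iterable, List, Tuple

# SHA256 of the submitted sample and of every omsecor.exe copy the sandbox captured.
KNOWN_SHA256 = {
    "c03a27d14b7427e39f0a44b1d7d8bf34b4ffdb3f2048b9c3eaae3fa670746fa7",  # submitted sample
    "cc03c775ab8a5d14609dff4774158456db58fc3a0c61f5922a043e7fc23dbf3b",  # Roaming\omsecor.exe (win7)
    "524b491cc94b92003ac959a4665c8ea0cd0d64cf8fa0c6a0b72fe5affb8f078a",  # SysWOW64\omsecor.exe (win7)
    "f470498f21f0aa2038b2d2a8e68245024ceda92cc2fd69322be3516705257f91",  # Roaming\omsecor.exe, 2nd copy (win7)
    "4449f8edf438eecb367011af455cda8ba1461cc457502a2a7005798092b610aa",  # SysWOW64\omsecor.exe (win10)
    "8ec46c56b3061be62fd099eb006ff7885a8b16196b8297d47f19cfc750462f58",  # Roaming\omsecor.exe, 2nd copy (win10)
}
# Drop locations as case-insensitive path suffixes, so the user name is irrelevant.
# System32 is included alongside SysWOW64 because the report shows both spellings
# for the same 32-bit process (WOW64 redirection).
DROP_SUFFIXES = (
    r"\appdata\roaming\omsecor.exe",
    r"\syswow64\omsecor.exe",
    r"\system32\omsecor.exe",
)
SYSTEM_SUFFIXES = DROP_SUFFIXES[1:]
KNOWN_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}

Finding = Tuple[str, str]  # (rule name, detail)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def match_event(ev: Dict) -> List[Finding]:
    """Apply every rule to one event (constructed schema) and return what fired."""
    out: List[Finding] = []
    kind = ev.get("event")
    if kind == "process_create":
        image = _norm(ev.get("image", ""))
        parent = _norm(ev.get("parent_image", ""))
        sha = ev.get("sha256", "").lower()
        if sha in KNOWN_SHA256:
            out.append(("neconyd_known_hash", sha))
        # Hash-independent rule: the dropped file's hash differed between runs.
        if image.endswith(DROP_SUFFIXES):
            out.append(("neconyd_omsecor_exec", ev["image"]))
        # Launch chain from the report: Roaming copy starts the SysWOW64 copy.
        if parent.endswith(DROP_SUFFIXES[0]) and image.endswith(SYSTEM_SUFFIXES):
            out.append(("neconyd_roaming_to_syswow64", f"{ev['parent_image']} -> {ev['image']}"))
    elif kind == "file_create":
        if _norm(ev.get("target", "")).endswith(SYSTEM_SUFFIXES):
            out.append(("neconyd_drop_in_system32", ev["target"]))
    elif kind == "dns_query":
        query = ev.get("query", "").lower().rstrip(".")
        if query in KNOWN_DOMAINS:
            out.append(("neconyd_dns", query))
    return out


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run match_event over JSON-lines telemetry and collect all findings."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(match_event(json.loads(line)))
    return findings


# Constructed telemetry mirroring the behavioral1/behavioral2 chain plus two benign events.
# The "1111..." hash on the first dropped copy is a placeholder for a hash not on any list.
SAMPLE_LOG = r"""
{"event":"process_create","image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\78a94d289eb780931d957b1d07862770_NeikiAnalytics.exe","parent_image":"C:\\Windows\\explorer.exe","sha256":"c03a27d14b7427e39f0a44b1d7d8bf34b4ffdb3f2048b9c3eaae3fa670746fa7"}
{"event":"file_create","image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\78a94d289eb780931d957b1d07862770_NeikiAnalytics.exe","target":"C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe"}
{"event":"process_create","image":"C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe","parent_image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\78a94d289eb780931d957b1d07862770_NeikiAnalytics.exe","sha256":"1111111111111111111111111111111111111111111111111111111111111111"}
{"event":"file_create","image":"C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe","target":"C:\\Windows\\System32\\omsecor.exe"}
{"event":"process_create","image":"C:\\Windows\\SysWOW64\\omsecor.exe","parent_image":"C:\\Users\\Admin\\AppData\\Roaming\\omsecor.exe","sha256":"4449f8edf438eecb367011af455cda8ba1461cc457502a2a7005798092b610aa"}
{"event":"dns_query","image":"C:\\Windows\\SysWOW64\\omsecor.exe","query":"lousta.net"}
{"event":"dns_query","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","query":"www.example.com"}
{"event":"process_create","image":"C:\\Windows\\System32\\notepad.exe","parent_image":"C:\\Windows\\explorer.exe","sha256":""}
"""


def demo() -> List[Finding]:
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, detail in demo():
        print(f"{rule}: {detail}")
```

The first dropped copy, with its unknown hash, is caught only by the path rule, and the SysWOW64 copy fires three rules at once (known hash, drop path, launch chain); the file_create into AppData\Roaming deliberately does not fire, since the report's own "Drops file in System32 directory" signature keys on the SysWOW64 target, not the staging copy. In production the same three rules map directly onto Sysmon event IDs 1, 11 and 22.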