Malware Analysis Report

2024-09-11 08:18

Sample ID 240613-nry7ma1dnp
Target 78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe
SHA256 a3416ca75fd3a60529686bb5122609365a0ecd7639858969786b89acabdfdd01
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a3416ca75fd3a60529686bb5122609365a0ecd7639858969786b89acabdfdd01

Threat Level: Known bad

The file 78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 11:38

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 11:38

Reported

2024-06-13 11:41

Platform

win7-20240611-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1936 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1936 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1936 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1936 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2012 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2012 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2012 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2012 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2140 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2140 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2140 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2140 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a66221d31428d335bb7a9c743ce2a2a7
SHA1 fff0bbb7635d39fd5b234c249fb4f458d81a563c
SHA256 03c06ac0828a42a5cfc0f13245794dada04d5e72cdb8d78e41e36d38da7de0ef
SHA512 298ba40655bde2f31b87cf9702ee97cc3f6646ba01e2d02b4a18a4943796039915eac299666d35c597d80d4ecadccbacf24581d3e317a78a98770be07eb30a89

\Windows\SysWOW64\omsecor.exe

MD5 9dcc7cc4ac19b8850999d6fa6cb9df0f
SHA1 218ea895de8d4c2d7011f98c07e4a0d635984478
SHA256 837efd4552f7824141d7045c13ee3dc21757a4203e39eaf1811939e82106e52d
SHA512 8f5c73109c88ff6ff67af97c97cd874fd7bd0f5f427f9ff65fafaa5719c96cd9665fb547527d24a5d645f7076c60b9d012e75076bfde580695e4a030eedb82de

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 88520b508f32d07135b1847c8cf33d0a
SHA1 f60f7894c2c16dca60f8f805a371520e909fc5a5
SHA256 067aec8669825eabdacb77c4a1ae6f73869094192aacd4af03e1f9050c200949
SHA512 40145d37e0d101fb788e9beb8be7e5f35c119fafde777425929734e5cc58d72bf70f0e1959a7533035a8868404911bbcd70200bba4ab3ae8c4fe75f3d7f471df

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 11:38

Reported

2024-06-13 11:41

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\78cb8653c099d26d539ad97a29c13380_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3684,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=2668 /prefetch:8

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a66221d31428d335bb7a9c743ce2a2a7
SHA1 fff0bbb7635d39fd5b234c249fb4f458d81a563c
SHA256 03c06ac0828a42a5cfc0f13245794dada04d5e72cdb8d78e41e36d38da7de0ef
SHA512 298ba40655bde2f31b87cf9702ee97cc3f6646ba01e2d02b4a18a4943796039915eac299666d35c597d80d4ecadccbacf24581d3e317a78a98770be07eb30a89

C:\Windows\SysWOW64\omsecor.exe

MD5 1bb496a4b9c29cc1acdeba87363e7165
SHA1 f6632481aa182d263255591c8c76be957cd2abbc
SHA256 ceee954d79b2845d6228d00ef4f6b9e5d1d9aa387c86b1f1ef3427c2f8c94f71
SHA512 ad5f8da5e7b9af872aa8735881f38af184a877995d9d573feb61facd7695e0a82e03a37f2b217d695848ccb559da350353b3c49c896a98478462f8dd547bfdfd

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 19e55f691661a874799885d5c62a4cc3
SHA1 831aa7711d22c8d41b4150c9d302cd11a70e2a6e
SHA256 77c31b9fe4022553a75d7a83e0e2309b7ff8e1df615c7cde3dbd6f4954e9c079
SHA512 a3181df7f27adc6b3aac09480b8d46b17abc61e9dff92af4bcbe4db86fd1f184a5a74b05d2fe763c6580de0cb1e19d774b83f4a315373656e1cab21d77cd388f