Analysis Overview
SHA256
fad5ebcbbc7f5160e85eae071c96b0293f139d67cfdc1b10d4d77f61cecca00b
Threat Level: Known bad
The file 9532feb81af7e853ff0e1fcd78492160_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-14 00:55
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 00:55
Reported
2024-06-14 00:57
Platform
win7-20240611-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9532feb81af7e853ff0e1fcd78492160_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9532feb81af7e853ff0e1fcd78492160_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9532feb81af7e853ff0e1fcd78492160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9532feb81af7e853ff0e1fcd78492160_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 131db9186e0f838010e6b910d9398920 |
| SHA1 | ea07a9a1b1065ebd284a352c3b193b0b4126e736 |
| SHA256 | 3dfba1b149ee23ab80c7174396e7ef66f0854552b7b92f3d9be4cc5cf5b3b306 |
| SHA512 | cfd93388f483fe2984729eb91fe9a4f0658acffce59e1bb6c5a3243d7e70ea4f1c0cadae6046f42583e91f79a5aaa7ccce1900c22d880d0d5e658974a7908166 |
\Windows\SysWOW64\omsecor.exe
| MD5 | 6ebce7930be0a04d6d93286ccde46b88 |
| SHA1 | a3d6a2f8b09a0867010be060cbd626bedc9c3045 |
| SHA256 | 6b47032c9b3d76ac6ac683ccd14490ee8ec5a72c7e5c8d75d4da1ca9b7c0ba55 |
| SHA512 | b294891c2fc5e9279a6ecdeb59c9288b3ecf0082cdca5c4ce2deb5aaae8c6de1dba4a462281003b215722c13f77e9938dc106effc8adcffd49795e6ae4dcf004 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6d5ae776054d9aa581a1a45466765eda |
| SHA1 | 1e2c41b82836306d049c27c09b30755e8e0438f5 |
| SHA256 | 7ea8ec0f699fc2dcd047ed4c1bc8bedd54323a45d6e74268c12c78ce1c06e3fd |
| SHA512 | 5a7ce4ec8d1e9912fff78c2b3b1f9da273fbc484aa175205752721ef9eb0d3577e386bb4a0ebd5b913d0a01d206acfa9bafea4cdf3b89856581185c6cf110e00 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 00:55
Reported
2024-06-14 00:57
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9532feb81af7e853ff0e1fcd78492160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9532feb81af7e853ff0e1fcd78492160_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 6.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 131db9186e0f838010e6b910d9398920 |
| SHA1 | ea07a9a1b1065ebd284a352c3b193b0b4126e736 |
| SHA256 | 3dfba1b149ee23ab80c7174396e7ef66f0854552b7b92f3d9be4cc5cf5b3b306 |
| SHA512 | cfd93388f483fe2984729eb91fe9a4f0658acffce59e1bb6c5a3243d7e70ea4f1c0cadae6046f42583e91f79a5aaa7ccce1900c22d880d0d5e658974a7908166 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 8b97215b114a1e27c53a6ab23f262455 |
| SHA1 | 7da8175322a51efa0111999cbafce1d0f1233adf |
| SHA256 | b6e59e7620fd5fcc4bf03d11a0c1adf97900d1bf571af3e8781690f10ac680e8 |
| SHA512 | 8fdefd62b446f8780e9ce6f1430c6da33360d59fdd5ccb7316f362dcdb88f2217329cbcb48990ee4ed4a4de39e78689d51fbf96d1295199bd7d9f81767f0e30d |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 193dfc9121d3a1805a0c79945671c612 |
| SHA1 | d7e2fddd70c12b27d6af9b82907423731713a205 |
| SHA256 | 576b2ded958940c69732f6941cfff7c6396c6bdf659838c5d4dbbc605ee7caa1 |
| SHA512 | 3e8becd41db0da3dae3d990f36e4be7d3e0ea8388710f2f42a3faa9d6f4b5352c7bd6a3f7e71a53b9ce7f0a9e0f7dbb0b10cca026bccae5811d735e9a7e716bc |