Analysis Overview

score

10^/10

SHA256

0e243dda68b30d5dd311c4e25e6da803e5875578237e2d781527b9909a5dcff9

Threat Level: Known bad

The file 978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:34

Signatures

Neconyd family

neconyd

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:34

Reported

2024-06-14 01:36

Platform

win7-20240220-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2040 wrote to memory of 864	N/A	C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2040 wrote to memory of 864	N/A	C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2040 wrote to memory of 864	N/A	C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2040 wrote to memory of 864	N/A	C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 864 wrote to memory of 2736	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 864 wrote to memory of 2736	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 864 wrote to memory of 2736	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 864 wrote to memory of 2736	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2736 wrote to memory of 1904	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2736 wrote to memory of 1904	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2736 wrote to memory of 1904	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2736 wrote to memory of 1904	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	52.34.198.229:80	ow5dirasuek.com	tcp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp

Files

memory/2040-0-0x0000000000400000-0x000000000042A000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5	f3bbd2bec3771badd150256cc31f98dc
SHA1	3bbcfd36c28f92ef772655f2984ec1ce6a974248
SHA256	992dc339ac0e5703e362d6126d3128439f053bec39c765279ad593a79d2c935e
SHA512	4766a816ffcb54ccc295e22f2b008cbdab0faa0149b3a65147f2ff8c6a97108f14e44f58f4bc639f07672565012856243e86a2320090ed33087ff40eabf03141

memory/2040-11-0x0000000000400000-0x000000000042A000-memory.dmp

memory/864-13-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2040-9-0x00000000001B0000-0x00000000001DA000-memory.dmp

memory/2040-8-0x00000000001B0000-0x00000000001DA000-memory.dmp

memory/864-14-0x0000000000400000-0x000000000042A000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5	15d8d734874bfbba754e78d14ec87b2c
SHA1	3985009e40ec853c6551365bd2800e92dc524408
SHA256	cbe1492161d9cb98fcd03c97c8e188c7ecbd5f5eb2888e371647fa470ded2fb3
SHA512	226b0a09f855cf11cd5e7e7b8fcde68a6eb16a00ffb0687accc51bab8303c907d4d22a7d965db7fdc3869969afd37e70a6db74a9b61cadcae29262cc023bb7e4

memory/864-20-0x0000000001F70000-0x0000000001F9A000-memory.dmp

memory/2736-29-0x0000000000400000-0x000000000042A000-memory.dmp

memory/864-25-0x0000000000400000-0x000000000042A000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5	2bc177615bf74eb11516e5e57d770f47
SHA1	66117d0db002307c326b1aa0d95f818d27541010
SHA256	a3772d93448c93a3698f467b6879b20796c1adb31cc0573e2d3b1c03097788f7
SHA512	b4bb458130053a15ea62b4ef1b6af0a77b4e9eb0e5c59d493ca0167ce14b21429ac2a7b903c3c6d3e462d9a3bcd24bfeb56513c632c2ad496a7e1da3e336b04d

memory/1904-37-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1904-39-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 01:34

Reported

2024-06-14 01:36

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 896 wrote to memory of 1328	N/A	C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 896 wrote to memory of 1328	N/A	C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 896 wrote to memory of 1328	N/A	C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1328 wrote to memory of 4960	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 1328 wrote to memory of 4960	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 1328 wrote to memory of 4960	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 4960 wrote to memory of 572	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4960 wrote to memory of 572	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4960 wrote to memory of 572	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
FI	193.166.255.171:80	lousta.net	tcp
NL	23.62.61.97:443	www.bing.com	tcp
US	8.8.8.8:53	22.160.190.20.in-addr.arpa	udp
US	8.8.8.8:53	89.43.201.23.in-addr.arpa	udp
US	8.8.8.8:53	57.169.31.20.in-addr.arpa	udp
US	8.8.8.8:53	97.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	56.126.166.20.in-addr.arpa	udp
US	8.8.8.8:53	157.123.68.40.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	57.15.31.184.in-addr.arpa	udp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	73.91.225.64.in-addr.arpa	udp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	52.34.198.229:80	ow5dirasuek.com	tcp
US	8.8.8.8:53	229.198.34.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	88.65.42.20.in-addr.arpa	udp

Files

memory/896-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1328-4-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	f3bbd2bec3771badd150256cc31f98dc
SHA1	3bbcfd36c28f92ef772655f2984ec1ce6a974248
SHA256	992dc339ac0e5703e362d6126d3128439f053bec39c765279ad593a79d2c935e
SHA512	4766a816ffcb54ccc295e22f2b008cbdab0faa0149b3a65147f2ff8c6a97108f14e44f58f4bc639f07672565012856243e86a2320090ed33087ff40eabf03141

memory/896-5-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1328-7-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5	1127c4bac1db5321e6fcad0dc1514556
SHA1	588ff085689fdd5a6f016424d4309afaded4727e
SHA256	beffb5dacfc7762549d0acc9af84782c78f109aaad2e63db6d12dd5991a77693
SHA512	229ca5452831bffd18e34cdbcc95492290846d839d37a19a58d6b2a28a3c107d30d78eb49438cb3cb6adb72809eb1ff93ed3bef9cea104c045fd6c4e23356007

memory/1328-12-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4960-13-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	9206346fe013c7d8f25e05f0349148e6
SHA1	e93fadd93e37eb07edf2f2165d8d428a91af8aef
SHA256	45424173ad0656f94ac7cc9ff96b5d890e64efcc6091a6550003e005e36be9b7
SHA512	4c846def2d985c815c82c4146551da2c13e7626e205d70f6ec81d131262c91f5aa5df1777f56ed9e55189b955acaf684c2bf92ce6455eedd328fcb93fed7af18

memory/4960-17-0x0000000000400000-0x000000000042A000-memory.dmp

memory/572-18-0x0000000000400000-0x000000000042A000-memory.dmp

memory/572-20-0x0000000000400000-0x000000000042A000-memory.dmp

Sample ID	240614-by7q5aterr
Target	978a02a8353a4f84c3484bb8e4659ea0_NeikiAnalytics.exe
SHA256	0e243dda68b30d5dd311c4e25e6da803e5875578237e2d781527b9909a5dcff9
Tags	neconyd trojan

Malware Analysis Report

2024-09-11 08:31

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files