Malware Analysis Report

2024-09-11 08:30

Sample ID 240614-e9sccsyhpp
Target a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe
SHA256 59d80e909f694f3a60be98c013a178533659164fc655928ff6a29f337d1bcf82
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

59d80e909f694f3a60be98c013a178533659164fc655928ff6a29f337d1bcf82

Threat Level: Known bad

The file a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:38

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:38

Reported

2024-06-14 04:41

Platform

win7-20240611-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2452 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2452 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2452 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2452 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 948 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 948 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 948 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 948 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2764 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2764 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2764 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2764 wrote to memory of 2884 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 92d86ee31a04ede6d6fd8034043a10f7
SHA1 7d8f32d68346c407f980f6dfefd0c708f2c4f076
SHA256 4dbbe142381531f1d5c98674d95f9c2ef3fdeec84ee25e560f6192a394c17d8f
SHA512 d219a83ded690cd4aa672d110511aefd6e3ce32dcfa54b3ea544e7638ddf3df0f8277a9f829d364f107c379cd99a71ae0600f9b703875fb14c74e8d7cc98e226

\Windows\SysWOW64\omsecor.exe

MD5 a40156730591a21e96d2a874695bc468
SHA1 38afcc0e3b3dc952688e40112293284101ed8658
SHA256 acebb537dae80191a622f48b52f49b18bae0cbee88b4c90a84a66ae86317f194
SHA512 79e0af56aca83cd37d3e1cc67322d35a3e44601f3263fd4eacfcfe663f9c47a2793f7a070aebf0090a192d22e4121cf29daae595eaf4c72f6dc6ff3e81ad4633

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f5332583cb4cc0bd156a595080a17424
SHA1 790712d4d6a952bcfeb852f2f53d29d290051c97
SHA256 a8a9a1ab4d21b8e398075d309c38efdf0ad23cd682ef3dd64e361ecdaf7ac282
SHA512 0799385f693ea192435af917eb266a8ef22da4ecf168e599bf3ed7b0bd7870d51f6fad55e996f92a7cf641d13a393e5259576b336dedcf1a8bc6223f1aac87e2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:38

Reported

2024-06-14 04:41

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a2b7f555bbecdcd659eb50d196d48760_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 92d86ee31a04ede6d6fd8034043a10f7
SHA1 7d8f32d68346c407f980f6dfefd0c708f2c4f076
SHA256 4dbbe142381531f1d5c98674d95f9c2ef3fdeec84ee25e560f6192a394c17d8f
SHA512 d219a83ded690cd4aa672d110511aefd6e3ce32dcfa54b3ea544e7638ddf3df0f8277a9f829d364f107c379cd99a71ae0600f9b703875fb14c74e8d7cc98e226

C:\Windows\SysWOW64\omsecor.exe

MD5 d29d8f113cbce4cae3da1f92911f7873
SHA1 c409a1c412bf539aa46cb996da99df307382ff64
SHA256 5dba71cca6ae5a1b3f1da8400a99af674d70424ea8f16230c6443c2113941856
SHA512 35b85dce94f0c12f5bcdc1a68f88476fd914f1febc838c3347b1acb327bd6d5f24ed10fb42aa778c4934a89dd4a190e630b9515b09f5bee1f63fa916629d5cba

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a11fe8ae25761ddf72f854a833baa679
SHA1 46943e2faee82f1bd341e74fb3990d4fa37509f1
SHA256 7238775a7cbf6812281594ce4207799401c1f8b00805be606d5897dea525a80b
SHA512 0c8c0218cf8d58b16fcd788eff5ae41a8c1bdaa081df619652cd7f868935250be533c55e722d1f4fdcd0b15de68d542f54c8ef623bfac97da2aed6f567ef50e0