Malware Analysis Report

2024-09-11 08:19

Sample ID 240614-h9xtmateqk
Target acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe
SHA256 c0357621f3372c91b3874d5cc37d9e60c39b9845dfc47416c5c6ef72cf6afe81
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0357621f3372c91b3874d5cc37d9e60c39b9845dfc47416c5c6ef72cf6afe81

Threat Level: Known bad

The file acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 07:26

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win7-20240611-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2784 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2784 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2784 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2784 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2004 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2004 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2004 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2004 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2688 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2688 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2688 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2688 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

The twelve rows are four write calls for each of three writer/target pairs. Read in order they give a single chain: the sample (PID 2784) writes into the first Roaming copy (2004), which writes into the SysWOW64 copy (2688), which writes into a second Roaming copy (936). The report records only that memory was written, not what was written.
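The chain is easy to misread from a flat table (PID reuse, a writer with two targets, or a missing root would all look the same at a glance). The following Python is an added example, not part of the sandbox output: it takes the rows above, transcribed as (indicator, process, target) tuples, collapses the repeated writes into counts and refuses to produce a chain unless the rows really form one path.

```python
"""Rebuild the process chain from the WriteProcessMemory rows above.

Added example, not sandbox output: the ROWS tuples are transcribed from the
behavioral1 table (indicator, writing process, target process), four rows
per pair exactly as the report lists them.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

ROWS = (
    [("PID 2784 wrote to memory of 2004", SAMPLE, ROAMING)] * 4
    + [("PID 2004 wrote to memory of 2688", ROAMING, SYSWOW)] * 4
    + [("PID 2688 wrote to memory of 936", SYSWOW, ROAMING)] * 4
)

_INDICATOR = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_edges(rows):
    """Collapse rows into {(writer_pid, target_pid): write_count} plus a
    pid -> image map, refusing rows that give one PID two different images."""
    counts = Counter()
    images = {}
    for indicator, proc, target in rows:
        m = _INDICATOR.fullmatch(indicator)
        if not m:
            raise ValueError(f"unrecognised indicator: {indicator!r}")
        src, dst = int(m.group(1)), int(m.group(2))
        counts[(src, dst)] += 1
        for pid, image in ((src, proc), (dst, target)):
            if images.setdefault(pid, image) != image:
                raise ValueError(f"PID {pid} reported with two images")
    return counts, images


def injection_chain(rows):
    """Return [(pid, image), ...] from the root writer down to the last target.

    The rows only say "X wrote to Y"; this checks that they form a single
    path (one root, one target per writer, no cycle) before reading them as
    a chain, so a fan-out or a reused PID is reported instead of misread.
    """
    counts, images = parse_edges(rows)
    writers = {s for s, _ in counts}
    targets = {d for _, d in counts}
    roots = writers - targets
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {sorted(roots)}")
    next_of = {}
    for src, dst in counts:
        if src in next_of:
            raise ValueError(f"PID {src} wrote to more than one process")
        next_of[src] = dst
    chain, pid, seen = [], roots.pop(), set()
    while pid not in seen:
        seen.add(pid)
        chain.append((pid, images[pid]))
        if pid not in next_of:
            return chain
        pid = next_of[pid]
    raise ValueError("write graph contains a cycle")


if __name__ == "__main__":
    counts, _ = parse_edges(ROWS)
    for depth, (pid, image) in enumerate(injection_chain(ROWS)):
        writes = sum(c for (s, _), c in counts.items() if s == pid)
        print(f"{'  ' * depth}{pid}  {image}  ({writes} write(s) to child)")
```

On this report the result is the four-process chain 2784 -> 2004 -> 2688 -> 936 with four writes per hop; the same image path (the Roaming omsecor.exe) appears twice with different PIDs, which is why the three "Executes dropped EXE" rows above are three separate processes rather than a duplicate.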

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process reports its command line as C:\Windows\System32\omsecor.exe although its image is under SysWOW64: it is a 32-bit process on a 64-bit Windows, so its own view of System32 is redirected to SysWOW64 by the file system redirector. Rules that match on the command line alone will see System32; rules that match on the image path will see SysWOW64.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 cfac49f949cb5c961bdde4bdfdc42983
SHA1 ad4c5f2a0adadc0acb525b266941cdbe5dcb4874
SHA256 7945e8c481eec7e279d96fe35916fa458cc9cae4ed8d67868ae52e4d0940f5e5
SHA512 5e883e7bfc3b1e05a01160a55d8914abea5e37e569f9942f3e77bffae4450871fb516d9e7a1de5b29ed9bbe115bce7eeb21207ae89859f84431f13d0bcf2fb76

\Windows\SysWOW64\omsecor.exe

MD5 d0a1bb71f10b85cfe171fb3caa7bf20d
SHA1 69952974643a7f12bcaf9588d6f0a93d07405eed
SHA256 e73e2ed0a275ed735cd89149084ce3c24feb0907c09a0ab388696434c4e45d2a
SHA512 58acf8ce4594d854f084de06b847a7f11d4927de095a4eb93f067fe8a5d0aeb3a3b0af48482a8bbae264fdd114255993b1488949ddefd02d46e7722f36cea520

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 332d9fa8ebf797cf943e09bfb9cbdf81
SHA1 a1746c5ab057619753d6e6cc9361e9b5ad9b2a81
SHA256 ed792f6df8669c0170fe09f33a03b2080cdd71d9d8840c32139732465f4937d0
SHA512 507c66402174a50885376774c024b5501f7e1502f6f3f28b3ffe520ad171d1de6023623ca06044f2f468fe7141b04193ec19b46374b87092844ae6fb6dd4e076
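The Network and Files sections give the indicators a responder would sweep for, but they need two adjustments before use: the file paths carry the sandbox profile name (Admin) and one of them is printed without a drive letter, and the SysWOW64 copy's hash is not the same in the two detonations (compare the behavioral2 Files section), so a hash-only rule misses it. The Python below is an added example, not part of the report; the IOC values are copied from this report, while the DNS log lines and file events it scans are constructed here to exercise the matching.

```python
"""Sweep constructed DNS and file-creation records for this report's IOCs.

Added example, not part of the sandbox output. IOC values are copied from
the Network and Files sections (both detonations); DNS_LOG and FILE_EVENTS
are made up to exercise the matching.
"""
import re

# Domains resolved in both runs.
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}

# Dropped-file paths as the report prints them: one has no drive letter and
# both carry the sandbox user "Admin".
DROP_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
    r"\Windows\SysWOW64\omsecor.exe",
]

# SHA256 of every omsecor.exe copy across behavioral1 and behavioral2.
DROP_SHA256 = {
    "7945e8c481eec7e279d96fe35916fa458cc9cae4ed8d67868ae52e4d0940f5e5",
    "e73e2ed0a275ed735cd89149084ce3c24feb0907c09a0ab388696434c4e45d2a",
    "ed792f6df8669c0170fe09f33a03b2080cdd71d9d8840c32139732465f4937d0",
    "14c2936a9502340f155998139ba0781168bfb98efba08a163cee3493e06dc6f4",
    "15b1f41f624b0df27e0a416db5ec3cfea413991e7ddcc030c3b42707ecc72124",
}

# Constructed DNS client log: "<time> <host> query <qname> <qtype>".
DNS_LOG = """\
2024-06-14T07:27:01Z ws-17 query lousta.net A
2024-06-14T07:27:02Z ws-17 query www.google.com A
2024-06-14T07:27:05Z ws-17 query cdn.mkkuei4kdsz.com A
2024-06-14T07:27:09Z ws-17 query notlousta.net A
2024-06-14T07:27:11Z ws-17 query OW5DIRASUEK.COM A
"""

# Constructed file-creation events. The "f"*64 hash is a placeholder for a
# SysWOW64 copy whose content differs from both detonations, as the report's
# two runs already differ from each other.
FILE_EVENTS = [
    {"host": "ws-17", "path": r"C:\Users\jdoe\AppData\Roaming\omsecor.exe",
     "sha256": "7945e8c481eec7e279d96fe35916fa458cc9cae4ed8d67868ae52e4d0940f5e5"},
    {"host": "ws-17", "path": r"C:\Windows\SysWOW64\omsecor.exe",
     "sha256": "f" * 64},
    {"host": "ws-22", "path": r"D:\Backup\omsecor.exe", "sha256": "a" * 64},
]


def domain_hit(qname, iocs=C2_DOMAINS):
    """Exact or subdomain match on a label boundary, case-insensitive, so
    cdn.mkkuei4kdsz.com hits but notlousta.net does not."""
    q = qname.lower().rstrip(".")
    for d in iocs:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns(log_text):
    """Return [(line_no, qname, matched_domain)] for matching query lines."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        d = domain_hit(parts[3])
        if d:
            hits.append((n, parts[3], d))
    return hits


_USER_DIR = re.compile(r"^\\users\\[^\\]+\\")


def normalise_path(path):
    """Lower-case, backslashes, drive letter dropped, and the profile name
    replaced with %user% so the sandbox's C:\\Users\\Admin matches any host."""
    p = path.replace("/", "\\").lower()
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return _USER_DIR.sub(r"\\users\\%user%\\", p, count=1)


DROP_PATHS_NORM = {normalise_path(p) for p in DROP_PATHS}


def classify_file(event):
    """'hash+path', 'path', 'hash' or None. A path-only hit is kept because
    the SysWOW64 copy's hash differs between the two detonations."""
    path_hit = normalise_path(event["path"]) in DROP_PATHS_NORM
    hash_hit = event.get("sha256", "").lower() in DROP_SHA256
    if path_hit and hash_hit:
        return "hash+path"
    return "path" if path_hit else ("hash" if hash_hit else None)


if __name__ == "__main__":
    for hit in scan_dns(DNS_LOG):
        print("dns  line %d: %s -> %s" % hit)
    for ev in FILE_EVENTS:
        print("file", ev["host"], ev["path"], "->", classify_file(ev))
```

The subdomain match is deliberately on a label boundary; a plain substring test would flag notlousta.net and, worse, any domain that happens to contain one of the shorter strings.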

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:29

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\acd4b40faf65a41513897eece1a8a4b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Only DNS traffic was recorded in this run: the same three domains were queried as in the win7 run, but no TCP connection to any of them appears within the 141 s network window. The 8.8.8.8.in-addr.arpa entry is a reverse lookup of the resolver itself and is more likely OS noise than sample activity.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 cfac49f949cb5c961bdde4bdfdc42983
SHA1 ad4c5f2a0adadc0acb525b266941cdbe5dcb4874
SHA256 7945e8c481eec7e279d96fe35916fa458cc9cae4ed8d67868ae52e4d0940f5e5
SHA512 5e883e7bfc3b1e05a01160a55d8914abea5e37e569f9942f3e77bffae4450871fb516d9e7a1de5b29ed9bbe115bce7eeb21207ae89859f84431f13d0bcf2fb76

C:\Windows\SysWOW64\omsecor.exe

MD5 a48c8394c197d784aaffe12860f444dd
SHA1 9b97c2cfdca270394bf490edbbf2ed36dd541ce7
SHA256 14c2936a9502340f155998139ba0781168bfb98efba08a163cee3493e06dc6f4
SHA512 a10cc00be2b574b06ab240f98737499a2a2282f2d0ae23061900c5cc3438d541191d3931f7855d2a8517d4070452171ff423512d916cee9d4f20bb12c650a305

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f623bc6fd2e06062c3862ed90fd2f7cd
SHA1 ef595a7b21913de9271b067bdeb9a472fdcc25be
SHA256 15b1f41f624b0df27e0a416db5ec3cfea413991e7ddcc030c3b42707ecc72124
SHA512 35bd9ba4c31fdd34d5a0123f8319fd5165a9a3959cb117f84a1d452b23ee5c3bb9a5d6fe9bf4902fa9bbe52d4a63be390c5f0ae0fb427b07af01892542fabfd0
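The two detonations drop files at the same paths but with different hashes for all copies except the first Roaming one, which is identical across win7 and win10. Which hashes to ship as indicators follows directly from that comparison. The Python below is an added example, not part of the report; the hash values are copied from the two Files sections (the win7 run lists the Roaming path once with and once without the drive letter, so paths are compared without it).

```python
"""Separate stable from per-run hashes across the two detonations.

Added example, not part of the report. Hash values are copied from the
behavioral1 (win7) and behavioral2 (win10) Files sections; the sandbox's
paths are compared without the drive letter because the report prints
some of them without one.
"""


def _norm(path):
    p = path.lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p


# path -> SHA256 values in the order the report lists them.
WIN7 = {
    r"C:\Users\Admin\AppData\Roaming\omsecor.exe": [
        "7945e8c481eec7e279d96fe35916fa458cc9cae4ed8d67868ae52e4d0940f5e5",
        "ed792f6df8669c0170fe09f33a03b2080cdd71d9d8840c32139732465f4937d0",
    ],
    r"\Windows\SysWOW64\omsecor.exe": [
        "e73e2ed0a275ed735cd89149084ce3c24feb0907c09a0ab388696434c4e45d2a",
    ],
}
WIN10 = {
    r"C:\Users\Admin\AppData\Roaming\omsecor.exe": [
        "7945e8c481eec7e279d96fe35916fa458cc9cae4ed8d67868ae52e4d0940f5e5",
        "15b1f41f624b0df27e0a416db5ec3cfea413991e7ddcc030c3b42707ecc72124",
    ],
    r"C:\Windows\SysWOW64\omsecor.exe": [
        "14c2936a9502340f155998139ba0781168bfb98efba08a163cee3493e06dc6f4",
    ],
}


def compare_runs(*runs):
    """Per normalised path: hashes seen in every run ('stable') and hashes
    seen in only some runs ('volatile')."""
    per_path = {}
    for run in runs:
        for path, hashes in run.items():
            per_path.setdefault(_norm(path), []).append({h.lower() for h in hashes})
    out = {}
    for path, sets in per_path.items():
        stable = set.intersection(*sets) if len(sets) == len(runs) else set()
        out[path] = {"stable": stable, "volatile": set.union(*sets) - stable}
    return out


def hash_iocs(*runs):
    """Hashes worth keeping as indicators: those reproduced in every run.
    Paths with an empty 'stable' set need a path- or behaviour-based rule."""
    return set().union(*(v["stable"] for v in compare_runs(*runs).values()))


if __name__ == "__main__":
    for path, v in compare_runs(WIN7, WIN10).items():
        print(path, "stable:", sorted(v["stable"]), "volatile:", sorted(v["volatile"]))
    print("ship as hash IOCs:", sorted(hash_iocs(WIN7, WIN10)))
```

For this sample the only reproducible hash is the first Roaming copy (7945e8c4...); the SysWOW64 copy and the second Roaming copy differ per run, which is why the path-based match in the earlier sweep matters.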