Malware Analysis Report

2024-09-11 08:31

Sample ID: 240614-hdvdmaydrb
Target: a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe
SHA256: 67feaee6b5771d4b1b3ede1d9cfc2a4ec985d8b59f61c2caded048adcf31df50
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 67feaee6b5771d4b1b3ede1d9cfc2a4ec985d8b59f61c2caded048adcf31df50

Threat Level: Known bad

The file a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:37

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:37

Reported

2024-06-14 06:40

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f6d6706646bfde3d41022de6259ef3d4
SHA1 3cef8c63b4779ee3436825660c760c8d2c6ebbce
SHA256 59afa0e9fbd4b3b7b47efdaf5bc717002492cdcd1ec238dd8a702ae2878ab99c
SHA512 b3d69a4edf3e81e7bf0028420eac0b69742e1396130a0b599df3b72d208f40616f87808f86ce5b33ea319e6937a864b52c2539e0b4a8ca551f9821653daaff83

C:\Windows\SysWOW64\omsecor.exe

MD5 ba3712e68faec10382389389867107c1
SHA1 789b71a9ce19b65c5080491f63087b23fda48f2e
SHA256 c22883e2960337677fbcff86a3930130bb1f7d14ea34ab68d32529f547a7be74
SHA512 2d95480e86b8f1a9be4bee88272e7652f1e83cb26d5b7cd4d0c80cd9bdd2589fb6886cc0be084e6bec9fcc726c08a39e77bb44ecf6c5f9ebacbbda0371300b76

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a5f7fb708c8553ae146b45d6b6b39a86
SHA1 f21c9385a30acbe9bf180c8256df1908215d1034
SHA256 b1ca4397a180f7814863412af21a9443ab6d2828a4c87f89d6ab67ff9be02e72
SHA512 c8943d78fa8a36df66cb6bd1016ff2cbb0d01ab0aa5203bcf8e41f8658e38da4e8763bf166679eca4f906153f85b16c128d1b528726c12d157de191b4d13d204

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:37

Reported

2024-06-14 06:40

Platform

win7-20240611-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2412 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2412 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2412 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2412 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2432 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2432 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2432 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2432 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2116 wrote to memory of 1656 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2116 wrote to memory of 1656 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2116 wrote to memory of 1656 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2116 wrote to memory of 1656 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\a9c715390c969d77d29f1182df6fec60_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f6d6706646bfde3d41022de6259ef3d4
SHA1 3cef8c63b4779ee3436825660c760c8d2c6ebbce
SHA256 59afa0e9fbd4b3b7b47efdaf5bc717002492cdcd1ec238dd8a702ae2878ab99c
SHA512 b3d69a4edf3e81e7bf0028420eac0b69742e1396130a0b599df3b72d208f40616f87808f86ce5b33ea319e6937a864b52c2539e0b4a8ca551f9821653daaff83

\Windows\SysWOW64\omsecor.exe

MD5 60de64f4cb927ac206881e5ef777f2a9
SHA1 c07273f9bc2f887ebe70375dd489268ebcea6a8f
SHA256 5d5782b542a029e8872c063b622a27f5991532c6036dd762e7e1f11e427c643c
SHA512 5f74784b2ae66ea7551749617ea7ea742f77a7fddcc10289e135d9211a1abbfcd0d1f222347bfbb434514ea6aca623730519776005d68c6397603fea9ca3f78a

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d40e6143e9592d167cd624c84009d8fa
SHA1 04d2086b96c8ee37e3a81f5934591f50bcbe654d
SHA256 1d314bace7ee7e853d2192e86b3ddf7c2f3fed1959386e559ec3ccb1119a8cd3
SHA512 8d7d815f496c09b6bb24e16746e3a216eb24bda472e19ca4f05f74b4f59fb2438e530cc3004d0b51d16763ba11882911a44654c733bbe08629449f97c2f2236c