Malware Analysis Report

2024-09-11 08:19

Sample ID 240614-hzs3patbrn
Target abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe
SHA256 cedc4a375cb800c29d793da40aa0ce69f361ab115d5b1e8e311fe00e12eb9129
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cedc4a375cb800c29d793da40aa0ce69f361ab115d5b1e8e311fe00e12eb9129

Threat Level: Known bad

The file abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 07:10

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 07:10

Reported

2024-06-14 07:13

Platform

win7-20240221-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1924 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1924 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1924 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2060 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2060 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2060 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2060 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2792 wrote to memory of 1832 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2792 wrote to memory of 1832 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2792 wrote to memory of 1832 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2792 wrote to memory of 1832 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 01b7d9c2a69d380fbd154aecc1ce5204
SHA1 459c716a9f577a153506898fb43415f29e4f8fa0
SHA256 e96f698fc51236fb5b654e4afb6a7a9f44752e7d752974f7654f6e6cd4e09cd8
SHA512 de80aba95a35992eb27bb296bae1470f569ccc52e31c64710e65178e3335dab175098a59472e880d9d5bb056fa0fca3ba65bfc8124add1bcbc37f081f1b71cb4

\Windows\SysWOW64\omsecor.exe

MD5 418b31a7a976a96ab11863547ab768e6
SHA1 40118c25458ca44d7cab994d3484ecc741dfa031
SHA256 8f8738fbfd1dc31cc82a16e04806f0e5acf27a8b11c38fbedb94b067787d627c
SHA512 fa8d5ca8c0e78aaf1611038da263d5f35a83c387fb18369029fbe5e51ebb6559a2edc33231da6f30b24e8b389683f2d5c42e9f2adbc940a3a41eec7dfdb4894c

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 76fdec3a05febe3e4f011c8568a441d0
SHA1 2ecd0e627918c8946512c0e011973e52ceeee86e
SHA256 93ef7af39f62b399a74c3983e889c162f12be4310a40283c8a3bbd78b2688955
SHA512 bcffd196b1234a82a1ee5912766ed09f0f52e4c015f5577d7ef692660e6e14f793abfd85a69b465e5c94e77de6bcae6b5d58b34ac4f8bfa2a61e569ad2b5591d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 07:10

Reported

2024-06-14 07:13

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1408 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1408 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 4824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 4824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 4824 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2308 wrote to memory of 2776 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2308 wrote to memory of 2776 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2308 wrote to memory of 2776 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\abe39f87829d467f9a0ad0e7d365cff0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 01b7d9c2a69d380fbd154aecc1ce5204
SHA1 459c716a9f577a153506898fb43415f29e4f8fa0
SHA256 e96f698fc51236fb5b654e4afb6a7a9f44752e7d752974f7654f6e6cd4e09cd8
SHA512 de80aba95a35992eb27bb296bae1470f569ccc52e31c64710e65178e3335dab175098a59472e880d9d5bb056fa0fca3ba65bfc8124add1bcbc37f081f1b71cb4

C:\Windows\SysWOW64\omsecor.exe

MD5 56bad68c6da070d40533bf340d04caa1
SHA1 a2571a05c99121f3ca0a0c04eae2a513a1460260
SHA256 b577eaf0237baa1d5a6158269ac56520e1cf37da2b68313f9cf965bb36cbabc4
SHA512 be4080514e5175e2e20de02f7e36029f9bae553ff152f7da41d90dbe3e43a5f3a5afe56eac6af866344138baaf7686e245973e7e0c79781b4172ae8c78a56284

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e1d72ac06f9fb3d9d2eb896ea9597f22
SHA1 cc24564b66e1b3dc3e859cb2face249985ee71e0
SHA256 c57b2732ca7f8f5b772d4975b43938fb0624221eba96cf7c5a850e0a03658f3a
SHA512 4367c6dad8000d58906d3b227a73852099425ddfc55dbdc0d4c9b289f9747aee100c6043a2fc380f638b5e29cc77719ae78788abe4586fc15fb04e7a72f09dba