Malware Analysis Report

2024-09-11 08:31

Sample ID: 240614-m678ea1hjp
Target: ba59f6eae350fde25bc771d7732cfaa0_NeikiAnalytics.exe
SHA256: 1d63443a36aa59793ebca67f0e62b738ab8638ffdecd3ccf594aafb3f4c220d3
Tags: neconyd, trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 1d63443a36aa59793ebca67f0e62b738ab8638ffdecd3ccf594aafb3f4c220d3

Threat Level: Known bad

The file ba59f6eae350fde25bc771d7732cfaa0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 11:05

Signatures

Neconyd family

neconyd

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 11:05

Reported: 2024-06-14 11:08

Platform: win7-20240611-en

Max time kernel: 146s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba59f6eae350fde25bc771d7732cfaa0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Suspicious use of WriteProcessMemory

Each cross-process write below was recorded four times by the sandbox; the repeated rows are collapsed here.

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2876 wrote to memory of 2932 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\ba59f6eae350fde25bc771d7732cfaa0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2932 wrote to memory of 316 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 316 wrote to memory of 1268 (4 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\ba59f6eae350fde25bc771d7732cfaa0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ba59f6eae350fde25bc771d7732cfaa0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 14ec5fe0bfe90112f05964ef4502afe4
SHA1 7bb080015976e53a0e51eb3e411e3c05c913035e
SHA256 39f801bcbcc2dc0381430b548871b30b0567a28f392df3adbfdff72200743ca1
SHA512 e0adebf7a2ed68903733c7c7644d56cb7ce33924803aace87cac17246a8f503deb0586af74bcf30222bca6bb91221a44c6f7c02923f12481dce1ceb792044647

\Windows\SysWOW64\omsecor.exe

MD5 7eca8a8f8e3aab74d784bb3ab7a92d50
SHA1 249a29480d8a5e6166cc2eb359cc0f25a17693d5
SHA256 a9e8ba2fb071622ffb008eb6b6c08e5d7273a50dbfe9b47c204e00a66e8b6a3d
SHA512 84eb99892890a9fba4c3bbb59c678f4e6ba8f808f3cfa18a6167974cc483f524e26a301d77058bdc04551a80f55b95ca226729a6520078fa67c7481351682553

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 439578766c70218f242460e1f0b53eb2
SHA1 6b0410032ceb645b7e1cfce73fc5a87f1fd21d1d
SHA256 1d5c786ddf00ee41f566adf791d16eb6767fb41b1344991caa36c17d37bc75a2
SHA512 e227df5f8f44f03fb12c6d38d85b37240db16312dc94d29f54b5ec03e15353d4d0b4b13e2dbed28b1d1ea8f30e617ff3217621b705d1fc1bf56ea49bc74fc612

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 11:05

Reported: 2024-06-14 11:08

Platform: win10v2004-20240508-en

Max time kernel: 142s

Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba59f6eae350fde25bc771d7732cfaa0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\ba59f6eae350fde25bc771d7732cfaa0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ba59f6eae350fde25bc771d7732cfaa0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 14ec5fe0bfe90112f05964ef4502afe4
SHA1 7bb080015976e53a0e51eb3e411e3c05c913035e
SHA256 39f801bcbcc2dc0381430b548871b30b0567a28f392df3adbfdff72200743ca1
SHA512 e0adebf7a2ed68903733c7c7644d56cb7ce33924803aace87cac17246a8f503deb0586af74bcf30222bca6bb91221a44c6f7c02923f12481dce1ceb792044647

C:\Windows\SysWOW64\omsecor.exe

MD5 28ddd4fc23543a15d924f854a3051c3e
SHA1 7eefcae90b45608c8bf87e8ecc27d324ab1ca0e3
SHA256 a2e25d68d366f1864a671694ee00c227bdd8ac2e067f42c442bed7b3cda95a01
SHA512 3b1630846649e5a4b02f50c433eff8cf2602eb32dce12c79eca03f46446869a53d8ae79a90b9b2b0b1e8b29695e5061f641a342a2d62ba8479543d7cbf4eca21

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 b8599b5fed73e8d32bf41b776240dae0
SHA1 2a71c3215b25efa33dc467e4cc6cee91e528a425
SHA256 d60de7a766d7254ce0deaef0fd6e91b736c4b033414dfa2eddc0f43d2dcfdbde
SHA512 986c9ce5606893e73234fa4fe5d5c7fe5b198adc197f03812cc0463934def85a471e3b96df9b9ff0f5443e0094ae9a3c0b3fc36167de71b6a58172bb93b7a076