Malware Analysis Report

2024-09-11 08:31

Sample ID 240614-m8ad6a1hmj
Target ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe
SHA256 b0345cbeb7ea4984a4b2a4f978cd5ff9db0be93c282a690b6dbc4410ef0f8228
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b0345cbeb7ea4984a4b2a4f978cd5ff9db0be93c282a690b6dbc4410ef0f8228

Threat Level: Known bad

The file ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-14 11:07

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-14 11:07

Reported 2024-06-14 11:10

Platform win7-20240508-en

Max time kernel 146s

Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2348 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1720 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1720 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1720 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1720 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1244 wrote to memory of 2328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1244 wrote to memory of 2328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1244 wrote to memory of 2328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1244 wrote to memory of 2328 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 fc7cc6c33bb4473830a6d2e65fe4824c
SHA1 7e4ae585056a8bb25a93e4223a30ee8954b79287
SHA256 26a5c726e99698e82a34dbd4c72cdbcbc52c0e3a6687ba39bbe07db0fe3e1539
SHA512 7f753a9a5d455d69b821804a6d6de4e64c7a64d20935bf2e52f527061e2d97eac0f39acd3df558b601676180c64642fe30c1e2e7988ea063c901113da2233f50

\Windows\SysWOW64\omsecor.exe

MD5 f9fc645305e4590860dcd2e6d2cef9fc
SHA1 9df70deb49a00c9891a9dbbc1ee8f60213a59bdb
SHA256 f097c88c68e5503afa0ae16e2c02f5ae921f54be83d6398953800c939fbbb858
SHA512 3bb26c9494d651166006b07b5cc3c94b3c94c82026139ca7ac499aa6f9c3a7c79d4fb46e9a946fe4c1c9baed7bc7b57067386ea97cbe40f6bf097e66014610a8

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 08a55bda847f5db8c7d40d744c664e9a
SHA1 7b57e10448dd876e437cf804ab5bddece8c53ef0
SHA256 8ab9739a341e5f83f5f86686fa399871fe77f217eae50ddcd5c56e3d85d9c3fb
SHA512 c4fe337465834f92dd286903e6c99f3eeb78fcd379967d64e04aedcb5036d4f711aa303517a61f41fe3da6d1892eccfdd9dea1a52f6653c72eeb1492e427e9e1

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-14 11:07

Reported 2024-06-14 11:10

Platform win10v2004-20240611-en

Max time kernel 145s

Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ba76ace7ffbaa9b698d5a43dfef80740_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 fc7cc6c33bb4473830a6d2e65fe4824c
SHA1 7e4ae585056a8bb25a93e4223a30ee8954b79287
SHA256 26a5c726e99698e82a34dbd4c72cdbcbc52c0e3a6687ba39bbe07db0fe3e1539
SHA512 7f753a9a5d455d69b821804a6d6de4e64c7a64d20935bf2e52f527061e2d97eac0f39acd3df558b601676180c64642fe30c1e2e7988ea063c901113da2233f50

C:\Windows\SysWOW64\omsecor.exe

MD5 00ce2305a589ba3256a9d3dd302f972b
SHA1 b9e58f2bdb04e607c6b9fd906dd87afaec2e5698
SHA256 b8445153d1baffbc15f919a73f7902e0017240d35d94a050500ed30d774fd05c
SHA512 3210c322ef09269628430adc80d0c6382579430439a72933fd18469c4494faa891f8bb0a64c12aaa3ecf39b0a190c31bd9815a08fbb66d4c7d053d1b7fc945a1

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 5a368bdd0b1bc414e11e4f8c5cbc2be6
SHA1 b339c7674cff2310c0904cc3b184a898f79c299c
SHA256 27d8fbcbca8cc13a5ddb00e27d3a5d501144533084ca89b169f84b83ead441cb
SHA512 c57c2257678693fa0eed9ba6c833ea96aeebd5e99a284c5cc9807eddc6bb42a6f720624862e94dd49c8f83d5df8fd76d7df8a2dacb091fd44f29aaf35d407c33