Analysis Overview
SHA256
58e9ca74d03306a409608a7b204c16130ed25c7e8e62192585a72099cec34aca
Threat Level: Known bad
The file b9813b8cdd59c9461f39f793bfb15090_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 10:50
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 10:50
Reported
2024-06-14 10:53
Platform
win7-20240611-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9813b8cdd59c9461f39f793bfb15090_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9813b8cdd59c9461f39f793bfb15090_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b9813b8cdd59c9461f39f793bfb15090_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b9813b8cdd59c9461f39f793bfb15090_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 2b3023da1f61bf391c2dee89bc83e3e6 |
| SHA1 | 677756ceab60c5427048b4de2fc331a8e4236b60 |
| SHA256 | c8391a4aa8ac3b0cc5d33e5d4b582ca215e781420a636f2ad99748d87ce36f94 |
| SHA512 | f67a451196b326c3c6e4c6aeea4add22a5964a6bcac7184710d0d45dd90d6c7104567875f964309369203e54342f4ca18d8cde716caeabac1d1deb3e4df92f8b |
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 38c6175c217be4f0582c58493f663027 |
| SHA1 | 494596c54c1bd589bd81c28c398638f64ada6093 |
| SHA256 | f7cf52e08b883e59055687401c2976e9fdce01d0591ecdba77f5d793c8edc499 |
| SHA512 | b65c119e17e581cf995cd14739afeede9bd98e9cc2b932bb9c0f6618c1da359fbfb007f27f5fc659c1833d577bd354f4674d3f08dcf6af08d43c543b5f594444 |
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | c71b44bb515d014a97e5fbb1961e008b |
| SHA1 | ecef1b134523d6af362f6fbb4697ce7981f5e633 |
| SHA256 | dbb967b4afa06ee816de5e67a3ecb188acbe0c9c0f7db354b83fffb3ac2be143 |
| SHA512 | 6a455ac3e6c0854604c11cbe76600ddf0ddbd618a2adb5edae6e14af1aee5aec566772aea356d50fcfa693b26cd338e6c5dfc83ac12b44ed139a38c6e3eab2c0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 10:50
Reported
2024-06-14 10:53
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
156s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b9813b8cdd59c9461f39f793bfb15090_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b9813b8cdd59c9461f39f793bfb15090_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 57.82.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 2b3023da1f61bf391c2dee89bc83e3e6 |
| SHA1 | 677756ceab60c5427048b4de2fc331a8e4236b60 |
| SHA256 | c8391a4aa8ac3b0cc5d33e5d4b582ca215e781420a636f2ad99748d87ce36f94 |
| SHA512 | f67a451196b326c3c6e4c6aeea4add22a5964a6bcac7184710d0d45dd90d6c7104567875f964309369203e54342f4ca18d8cde716caeabac1d1deb3e4df92f8b |
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | e4b3bacc19ce3819fd01a1622a5ae2cf |
| SHA1 | a34f68416778bf17cf781accb99bebc5a14c25fd |
| SHA256 | 2c8f1efa0af974f457b8419f9d7d18dc2a2a6f8477d5f82d84ec587746051972 |
| SHA512 | e544f3e2060f106c90bc16fb25252892bffed4a57a3582d9d255313ea0a9974cb80bfe9a88676677539bf01577e4e360ea0a9390c1f3602015b0b8db7034e15f |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
|---|---|
| MD5 | 24f49a2edeb3b97743d23d2429e72838 |
| SHA1 | 64c567b52499b19a21c76e3c7a72b181675a6523 |
| SHA256 | bb22604b76c7f436b1cc0bc5b9c74c4d2c78c08b69b3cb482fb68c8b9c215153 |
| SHA512 | af1de16b34ae82a7ee3308e3cf75ff9ebf55ae64dd5960732c3b4db701217114eb504ee904f9b72f76f2bee3015a07b1ba92ee10221ba314cc6c05ac6fd56f10 |