Malware Analysis Report

2024-09-11 08:31

Sample ID 240614-n2t1natbnq
Target bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe
SHA256 9d154e75a17d7bae62b6184f46ee71dc075f1e41f49a27c06053b5a11b161bc0
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d154e75a17d7bae62b6184f46ee71dc075f1e41f49a27c06053b5a11b161bc0

Threat Level: Known bad

The file bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Observed chain (from the two detonations below; parent/child order from the behavioral1 memory-write events): the submitted executable drops omsecor.exe into C:\Users\Admin\AppData\Roaming and runs it; that copy writes a second omsecor.exe into C:\Windows\SysWOW64 and runs it; the SysWOW64 copy then launches the %APPDATA% copy again. In both runs the sample resolves and contacts lousta.net (193.166.255.171), mkkuei4kdsz.com (64.225.91.73) and ow5dirasuek.com (52.34.198.229) on TCP port 80. Only the first %APPDATA% drop (SHA256 5614b27f44e484d500352b7b817b8a59ff1a4f9e02c4c29f75fa310068483635) has the same hash in both runs; the SysWOW64 copy and the second %APPDATA% copy differ between the win7 and win10 detonations, so the paths, domains and endpoints are more durable indicators than those two hashes. "Loads dropped DLL" is listed here, but neither behavioral section records a DLL indicator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 11:54

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 11:54

Reported

2024-06-14 11:56

Platform

win7-20240221-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Source PID -> target PID | Writes | Source process | Target process
2732 -> 2832 | 4 | C:\Users\Admin\AppData\Local\Temp\bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
2832 -> 2764 | 4 | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
2764 -> 1032 | 4 | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Indicator is N/A for every row. Each source wrote only into the process it had itself just started (the same parent/child pairs as the process list below), four times per pair. Writes from a parent into a child it has just created also occur during ordinary process start-up, so this signature on its own does not establish injection into an unrelated process.

Processes

Process tree; PIDs and parent/child order are taken from the WriteProcessMemory source/target pairs above.

bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe (PID 2732)
  Image: C:\Users\Admin\AppData\Local\Temp\bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe"

  omsecor.exe (PID 2832)
    Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
    Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

    omsecor.exe (PID 2764)
      Image: C:\Windows\SysWOW64\omsecor.exe
      Command line: C:\Windows\System32\omsecor.exe

      omsecor.exe (PID 1032)
        Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
        Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process is requested as C:\Windows\System32\omsecor.exe but runs from C:\Windows\SysWOW64: its parent is a 32-bit process on 64-bit Windows, and WOW64 file system redirection maps System32 to SysWOW64 for both the file write and the launch. The same redirection is why the "Drops file in System32 directory" indicator shows the file landing in SysWOW64.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4e96cf52af02ae799ebc3ad9db09bc63
SHA1 2c316f7ba854890229fa432d8919309fae35d344
SHA256 5614b27f44e484d500352b7b817b8a59ff1a4f9e02c4c29f75fa310068483635
SHA512 1a5bae44c25c42e9a166947080a1cef760a0fcd118b34f8e87b54a400107de5a478bd4861d96710e66db0c86e4416d6f25d5592d9e885912c3888f81245e88f1

\Windows\SysWOW64\omsecor.exe

MD5 10279d95cd4158fb5a6ee6f41d37ac6d
SHA1 20dcd1c47ccc048255175184db76f371972fddfe
SHA256 f38a6d5579f517b097a3a6504f03d3c5f9818ac719903e8dec8918f4430d8050
SHA512 f7bf21022772808149ff777d407869ea25d5375037167a5611665a04b02999736f9b7a01a46d31762d1080d1052ac0052cf3cf0b1c33e223271ec073d48f29c6

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7fe29871d2bdd2368013745c9e2ca74c
SHA1 ff0b48cc1abf7b7ec9069ae6aafd2445448799de
SHA256 482e6958b243d59ba6a6aee687f7eee04ec0ffbcbc738ef52bfea5fe0ba81c85
SHA512 e5edd13fd90871dc33e5a1ab8176efc43c52025b102d4cbd6dcd7517d8f01cf3ee69d2123ad641aaefd9a2a7f59ef32ad41048945e1b98dcdd25552240463246

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 11:54

Reported

2024-06-14 11:56

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Processes in the order reported (this run has no PID data; the chain is the same as in behavioral1):

bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe
  Image: C:\Users\Admin\AppData\Local\Temp\bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe"

omsecor.exe
  Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

omsecor.exe
  Image: C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe

omsecor.exe
  Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
NL 23.62.61.185:443 www.bing.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 185.61.62.23.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 udp

The *.in-addr.arpa rows are reverse (PTR) lookups of IP addresses, among them the C2 endpoints (73.91.225.64.in-addr.arpa is 64.225.91.73 reversed, 229.198.34.52.in-addr.arpa is 52.34.198.229 reversed, 185.61.62.23.in-addr.arpa is the www.bing.com address reversed); www.bing.com over 443 is typical Windows 10 background traffic. The last row is a DNS query whose name was not recorded. The sample's own traffic in this run is the same three domains and port-80 endpoints as in behavioral1.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 4e96cf52af02ae799ebc3ad9db09bc63
SHA1 2c316f7ba854890229fa432d8919309fae35d344
SHA256 5614b27f44e484d500352b7b817b8a59ff1a4f9e02c4c29f75fa310068483635
SHA512 1a5bae44c25c42e9a166947080a1cef760a0fcd118b34f8e87b54a400107de5a478bd4861d96710e66db0c86e4416d6f25d5592d9e885912c3888f81245e88f1

C:\Windows\SysWOW64\omsecor.exe

MD5 2f48578168b93e39f2d0c88463cce982
SHA1 02d9accfb4c05a3f2a2beeb9e8c413d8dbc4ba4b
SHA256 9fc4359ae1009466bee1f1e20fcf5c208fcb934546b3c389e75b3c84172ffca8
SHA512 09c083a438495ba0e276b4f3cd40d5b956f40613324e1bbe5d4c5c4f65b36f7ef527985604a7fad0b1de3692beb207615809ba81d0151bc31605b6fa98b97df3

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 bada550b8c1581863e79e2a6bd2c225e
SHA1 f96c38eda4e87f87554c40159de13b81d4a224cf
SHA256 8401952b02fa51d44d1f72ba4153b8c0434d1c51225e6a343507e71d766b4045
SHA512 8deee4988b040cf5ccbb00006295c1b475f3a3dc5e5333691d732bf4b5c26a39d687439b19744d69b80b59862ce0b8bd05443aac602915c592760a35c0ea4007
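As an added example (not part of this sandbox report and not code from the sample or the sandbox), the Python below turns the report's indicators into a hunt over Sysmon-style events. The event schema and the events in SAMPLE_EVENTS are constructed to mirror the behavioral1 chain; every path, hash, domain and endpoint is taken from the sections above. It treats C:\Windows\System32\omsecor.exe and C:\Windows\SysWOW64\omsecor.exe as the same indicator, because the process list shows the 32-bit parent naming System32 while the image runs from SysWOW64 (WOW64 file system redirection), and it reports the one file hash that is identical in both detonations separately from the run-specific ones.

```python
"""Hunt for this report's omsecor.exe / Neconyd indicators in Sysmon-style events.

Added example: not part of the sandbox report and not the sample's code.  The
event schema and SAMPLE_EVENTS are constructed for illustration; every path,
hash, domain and endpoint comes from the report itself.
"""
import fnmatch
from collections import Counter

# Dropped-file locations.  The report lists the second-stage image as
# C:\Windows\SysWOW64\omsecor.exe with a command line naming
# C:\Windows\System32\omsecor.exe: the 32-bit parent asks for System32 and WOW64
# file system redirection maps it to SysWOW64, so both spellings are matched.
DROP_PATTERNS = (
    r"c:\users\*\appdata\roaming\omsecor.exe",   # any user profile
    r"c:\windows\syswow64\omsecor.exe",
    r"c:\windows\system32\omsecor.exe",
)

SAMPLE_SHA256 = "9d154e75a17d7bae62b6184f46ee71dc075f1e41f49a27c06053b5a11b161bc0"

# SHA256 of the dropped files in behavioral1 (win7) and behavioral2 (win10).
HASHES_RUN1 = {
    "5614b27f44e484d500352b7b817b8a59ff1a4f9e02c4c29f75fa310068483635",
    "f38a6d5579f517b097a3a6504f03d3c5f9818ac719903e8dec8918f4430d8050",
    "482e6958b243d59ba6a6aee687f7eee04ec0ffbcbc738ef52bfea5fe0ba81c85",
}
HASHES_RUN2 = {
    "5614b27f44e484d500352b7b817b8a59ff1a4f9e02c4c29f75fa310068483635",
    "9fc4359ae1009466bee1f1e20fcf5c208fcb934546b3c389e75b3c84172ffca8",
    "8401952b02fa51d44d1f72ba4153b8c0434d1c51225e6a343507e71d766b4045",
}
# Only the first %APPDATA% drop is byte-identical across runs; the later copies
# differ per run, so a hit on them is reported separately as low-value.
STABLE_HASHES = HASHES_RUN1 & HASHES_RUN2
VOLATILE_HASHES = (HASHES_RUN1 | HASHES_RUN2) - STABLE_HASHES

C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
C2_ENDPOINTS = {("193.166.255.171", 80), ("64.225.91.73", 80), ("52.34.198.229", 80)}


def is_drop_path(path):
    """Case-insensitive glob match of a (possibly quoted) Windows path."""
    p = (path or "").strip().strip('"').lower()
    return any(fnmatch.fnmatchcase(p, pat) for pat in DROP_PATTERNS)


def hunt(events):
    """Return (rule, detail) hits for an iterable of event dicts.

    Each event carries a 'type' of ProcessCreate, FileCreate, DnsQuery or
    NetworkConnect plus the fields read below (a constructed Sysmon-like schema).
    """
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "ProcessCreate":
            img, parent = ev.get("image", ""), ev.get("parent_image", "")
            if is_drop_path(img):
                hits.append(("omsecor_exec", img))
                if is_drop_path(parent):
                    # omsecor.exe spawning omsecor.exe: the %APPDATA% <-> SysWOW64 chain.
                    hits.append(("omsecor_chain", f"{parent} -> {img}"))
            h = (ev.get("sha256") or "").lower()
            if h == SAMPLE_SHA256:
                hits.append(("sample_hash", h))
            elif h in STABLE_HASHES:
                hits.append(("stable_hash", h))
            elif h in VOLATILE_HASHES:
                hits.append(("run_specific_hash", h))
        elif kind == "FileCreate":
            tgt = ev.get("target", "")
            if is_drop_path(tgt):
                hits.append(("omsecor_drop", f"{ev.get('image', '?')} wrote {tgt}"))
        elif kind == "DnsQuery":
            q = ev.get("query", "").lower().rstrip(".")
            if q in C2_DOMAINS:
                hits.append(("c2_dns", q))
        elif kind == "NetworkConnect":
            ep = (ev.get("dst_ip"), int(ev.get("dst_port", 0)))
            if ep in C2_ENDPOINTS:
                hits.append(("c2_connect", f"{ep[0]}:{ep[1]}"))
    return hits


def summarize(hits):
    """Count hits per rule name."""
    return dict(Counter(rule for rule, _ in hits))


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bd6161ed149578264f2c03d2e441e290_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events mirroring the behavioral1 chain, plus two benign ones.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "sha256": SAMPLE_SHA256},
    {"type": "FileCreate", "image": SAMPLE, "target": ROAMING},
    {"type": "ProcessCreate", "image": ROAMING, "parent_image": SAMPLE,
     "sha256": "5614b27f44e484d500352b7b817b8a59ff1a4f9e02c4c29f75fa310068483635"},
    {"type": "FileCreate", "image": ROAMING, "target": SYSWOW},
    {"type": "ProcessCreate", "image": SYSWOW, "parent_image": ROAMING,
     "command_line": r"C:\Windows\System32\omsecor.exe",
     "sha256": "f38a6d5579f517b097a3a6504f03d3c5f9818ac719903e8dec8918f4430d8050"},
    {"type": "ProcessCreate", "image": ROAMING, "parent_image": SYSWOW,
     "sha256": "482e6958b243d59ba6a6aee687f7eee04ec0ffbcbc738ef52bfea5fe0ba81c85"},
    {"type": "DnsQuery", "image": ROAMING, "query": "lousta.net"},
    {"type": "NetworkConnect", "image": ROAMING, "dst_ip": "193.166.255.171", "dst_port": 80},
    {"type": "DnsQuery", "image": r"C:\Windows\System32\svchost.exe", "query": "www.bing.com"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:18} {detail}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

Running the block over the constructed events yields thirteen hits: the dropper's hash, two drops, three executions from the drop paths, two omsecor.exe-to-omsecor.exe spawns, one stable and two run-specific hash matches, and one DNS plus one TCP contact with lousta.net; the bing.com lookup and the svchost.exe start produce nothing. On real telemetry, feed the same dict shape from Sysmon event IDs 1, 11, 22 and 3.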