Analysis Overview
SHA256
c7276786d1a89e04a1d6e6bb5d817576ee3335cde2f9b336a8bcd22e86f14421
Threat Level: Known bad
The file 145c951d205f7efc2a78970edee08690_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-16 22:27
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 22:27
Reported
2024-06-16 22:30
Platform
win7-20240611-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\145c951d205f7efc2a78970edee08690_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\145c951d205f7efc2a78970edee08690_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\145c951d205f7efc2a78970edee08690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\145c951d205f7efc2a78970edee08690_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2948-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | f6674c3f57a57b47a0afa15ede30281c |
| SHA1 | 5dcf6a2d8bebc003a64e9c3966bc3ed0fd6c0380 |
| SHA256 | 38c1df298dad4a2d9928506ed4957afe6047e398e104941204d2d0a66ea7fdb9 |
| SHA512 | b1a6add5b8b65dbbb20fe86a443cdb6cb1726fb59f03fd55c05aabd01f89569e129fc6cba3e7a85dec2c96f179a0b68c22fd89aae1cedcebbda2fd70571bcc33 |
memory/316-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2948-9-0x0000000000400000-0x000000000042D000-memory.dmp
memory/316-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/316-16-0x0000000000400000-0x000000000042D000-memory.dmp
memory/316-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/316-22-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | a07f8e620c5db7dbd476e2b247143d52 |
| SHA1 | fc25fe6b70a379eb291ef1021d803b0c45430e9c |
| SHA256 | 8c4ff3c68f6c1e9b7ef82c275e62050a84b4b5ff04a77cd9e6463c631b4f99b6 |
| SHA512 | 5a01bfc1c474d38373925b75d3322ade58a82adce248d8f33c1fbb2c48438999372532d932c30b4e639ad1ee56c149e86c9ddb57c93ae11cfb705cfe28fb0353 |
memory/316-25-0x0000000001FF0000-0x000000000201D000-memory.dmp
memory/2344-36-0x0000000000400000-0x000000000042D000-memory.dmp
memory/316-32-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 84eba96102911d6916d41de7918275d7 |
| SHA1 | 57f2f051d03d709ebd63871cda590f7211522e55 |
| SHA256 | 6f06840914efde57f9b662fc3da9bd8e74f1a1c0b66aa088fbb0aa68e1d5f240 |
| SHA512 | db621c5238b75894d0f419ba864a3beabe071e38ee1650a6919e247c7ee2611604b2e4ecbcece91d16ffd0fd2108ebd845d035495615b40eadfab995f6e336a1 |
memory/2668-45-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2668-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2668-50-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 22:27
Reported
2024-06-16 22:30
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4572 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\145c951d205f7efc2a78970edee08690_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4572 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\145c951d205f7efc2a78970edee08690_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4572 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\145c951d205f7efc2a78970edee08690_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3888 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3888 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 3888 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\145c951d205f7efc2a78970edee08690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\145c951d205f7efc2a78970edee08690_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| BE | 2.17.107.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 131.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
Files
memory/4572-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | f6674c3f57a57b47a0afa15ede30281c |
| SHA1 | 5dcf6a2d8bebc003a64e9c3966bc3ed0fd6c0380 |
| SHA256 | 38c1df298dad4a2d9928506ed4957afe6047e398e104941204d2d0a66ea7fdb9 |
| SHA512 | b1a6add5b8b65dbbb20fe86a443cdb6cb1726fb59f03fd55c05aabd01f89569e129fc6cba3e7a85dec2c96f179a0b68c22fd89aae1cedcebbda2fd70571bcc33 |
memory/4572-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3888-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3888-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3888-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3888-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3888-15-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 71d066ca86f25c6b976e033d896d494b |
| SHA1 | 53e69bd05916f29bb3245e7c2bfcf603023208f4 |
| SHA256 | 73c9f66bcabb5b5c2d8c886cc62474e09c7164b82cd9eb5c222bfb388743e378 |
| SHA512 | a54e1c156b6d230d53c4f49cd26abff177dcfdc289e5a06204324a05d27fa9ddee0606689f2ff41bd5747f2b9d10828c181b416b34e9a3a6e42b9808cedf12b6 |
memory/3888-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/636-22-0x0000000000400000-0x000000000042D000-memory.dmp
memory/636-23-0x0000000000400000-0x000000000042D000-memory.dmp
memory/636-26-0x0000000000400000-0x000000000042D000-memory.dmp