Malware Analysis Report

2024-09-11 08:18

Sample ID: 240616-3ljmbatelf
Target: 1dafc5a71b0b9df6215669da9394b2e0_NeikiAnalytics.exe
SHA256: 9715ad119c229dbfba0a69d83806f89993a989a4232af8e877f3f42defe2f2a8
Tags: neconyd, trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 9715ad119c229dbfba0a69d83806f89993a989a4232af8e877f3f42defe2f2a8
Threat Level: Known bad

The file 1dafc5a71b0b9df6215669da9394b2e0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-16 23:36

Signatures

Neconyd family
neconyd
Unsigned PE

Description | Indicator | Process | Target
(no per-indicator details recorded for the static signatures)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 23:36
Reported: 2024-06-16 23:38
Platform: win7-20240508-en
Max time kernel: 146s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dafc5a71b0b9df6215669da9394b2e0_NeikiAnalytics.exe"

Signatures

Neconyd (trojan, neconyd)

Executes dropped EXE

Process
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
(Description, Indicator and Target: N/A)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Process is the writer and Target the process written to. The sandbox logged each edge four times; the rows are collapsed here with a count. The write chain 1832 -> 1612 -> 1000 -> 2172 follows the order of the process list below (original sample -> Roaming copy -> SysWOW64 copy -> Roaming copy), i.e. each stage writes into the copy it has just started. The report records no detail of what was written.

Description | Indicator | Process | Target
PID 1832 wrote to memory of 1612 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1dafc5a71b0b9df6215669da9394b2e0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1612 wrote to memory of 1000 (4 events) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1000 wrote to memory of 2172 (4 events) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Each process is listed as its image path followed by its command line.

C:\Users\Admin\AppData\Local\Temp\1dafc5a71b0b9df6215669da9394b2e0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\1dafc5a71b0b9df6215669da9394b2e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

The third process runs from SysWOW64 although its command line names System32. For a 32-bit process the WoW64 file system redirector maps C:\Windows\System32 to C:\Windows\SysWOW64, so the "Drops file in System32 directory" signature, the System32 command line and the SysWOW64 file hashes below all refer to the same file.
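
As an added example (not part of the sandbox report), the Python below rebuilds the spawn chain of this run from process-creation and WriteProcessMemory events and flags the three traits the report shows: a parent writing into the child it just created, a child that carries its parent's executable name but runs from a different directory, and a user-writable location spawning a copy under C:\Windows. The PIDs and image paths are the report's; the parent/child links (derived from the write order), the event record layout and the helper names are assumptions made for this example.

```python
"""Added example: process-chain heuristics over the behavioral1 events.
PIDs and paths come from the report; parent links are assumed from the
WriteProcessMemory order (the report does not list parent PIDs)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class WriteEvent:
    src_pid: int
    dst_pid: int


# Constructed from the report's WriteProcessMemory table; the parent of the
# original sample (PID 1832) is not in the report and is set to 0 here.
PROCS = [
    ProcEvent(1832, 0, r"C:\Users\Admin\AppData\Local\Temp\1dafc5a71b0b9df6215669da9394b2e0_NeikiAnalytics.exe"),
    ProcEvent(1612, 1832, r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
    ProcEvent(1000, 1612, r"C:\Windows\SysWOW64\omsecor.exe"),
    ProcEvent(2172, 1000, r"C:\Users\Admin\AppData\Roaming\omsecor.exe"),
]
# The sandbox logged four writes per edge; one edge per pair is enough here.
WRITES = [WriteEvent(1832, 1612), WriteEvent(1612, 1000), WriteEvent(1000, 2172)]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def is_user_writable(image: str) -> bool:
    """True if the image sits in a directory an unprivileged user can write to."""
    return any(marker in image.lower() for marker in USER_WRITABLE)


def parent_writes_child(procs, writes):
    """Edges where a process wrote into the memory of a process it spawned.
    Legitimate parents rarely write into a child they have just created."""
    parent_of = {p.pid: p.ppid for p in procs}
    return sorted({(w.src_pid, w.dst_pid) for w in writes
                   if parent_of.get(w.dst_pid) == w.src_pid})


def same_name_relocation(procs):
    """PIDs whose image has the parent's file name but a different directory
    (Roaming -> SysWOW64 -> Roaming in this report)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        child, par = PureWindowsPath(p.image), PureWindowsPath(parent.image)
        if child.name.lower() == par.name.lower() and child.parent != par.parent:
            hits.append(p.pid)
    return hits


def user_dir_to_system_dir(procs):
    """PIDs running under C:\\Windows whose parent ran from a user-writable
    location: a user-level binary planting and starting a system-path copy."""
    by_pid = {p.pid: p for p in procs}
    return [p.pid for p in procs
            if p.image.lower().startswith("c:\\windows\\")
            and p.ppid in by_pid and is_user_writable(by_pid[p.ppid].image)]


def chain(procs, root_pid):
    """Follow the spawn chain downward from root_pid (first child per stage)."""
    by_pid = {p.pid: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    out, pid = [], root_pid
    while pid in by_pid:
        out.append(by_pid[pid].image)
        kids = children.get(pid, [])
        if not kids:
            break
        pid = kids[0].pid
    return out


def verdict(procs, writes):
    """All three heuristics fire on this report's data."""
    return {
        "parent_writes_child": parent_writes_child(procs, writes),
        "same_name_relocation": same_name_relocation(procs),
        "user_dir_to_system_dir": user_dir_to_system_dir(procs),
    }


if __name__ == "__main__":
    for stage, image in enumerate(chain(PROCS, 1832)):
        print(f"stage {stage}: {image}")
    print(verdict(PROCS, WRITES))
```

The heuristics are deliberately independent of the file name omsecor.exe, so they still fire on a sample that picks a different name; the fixed paths and hashes belong in the IOC list, not in the behavioural rule.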

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp

All traffic in this run is DNS resolution of the three domains via 8.8.8.8:53; no TCP connection to any of them is recorded (compare the win10 run in behavioral2, where two of the domains are contacted on tcp/80).

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 1fb41ff7e77a425e56189e23f6d4d3ef
SHA1 bf3ec38aa10b63ceaaef5801b011b633066306d9
SHA256 7d8603e6c939c9ea05653a33382088667a340a9e4859255f0a7b0e12d2673f58
SHA512 94dad93cb5cb9815b97e2799245fec51c621180580a69ad0123fd9b2a26e3e1319eddb11cea4a1449812bb814c33389548b4556dddf53e37b28055e691040853

\Windows\SysWOW64\omsecor.exe
MD5 a5925e74560351e2cabd874efde40d45
SHA1 13b8852f0fadf463f83c1806851a77ecac3f2844
SHA256 484309735c4f8e3c79956c8ada2faaa23a3d791b3b0b4954b9f6c8f4d3d275c8
SHA512 adb400c793ee98fd71a40122aada670a82d46590b140cfa037986047e33d619832c96f236f3c90f64f9cff77704d9526bb1b95fa1da0bfbf822ce52abb46231a

\Users\Admin\AppData\Roaming\omsecor.exe
MD5 9483d53e79ab6dd9e2410005ea2cb14f
SHA1 8d0b99f815043b36fa12edf594e0e83252f592f7
SHA256 aaa8f8bd782ae101d00c2e906caa2e8c447c9ec571da403e79115ad6ace8702b
SHA512 e37de3b2d3da0217f56cc4751d0ef8690b0eb6894a2120c8b7d7be0640cb07e7a4e36d2a998e1f7530282eb632f0d3ed5d02e7073e171e891f4b6d6e7192fdf4

The Roaming path appears twice with different hashes, matching the two Roaming-stage processes in the list above: the file is rewritten, not copied, between stages. Only the first Roaming drop is byte-identical across the two detonations; the SysWOW64 copy and the second Roaming copy have different hashes in behavioral2, so a hash-only IOC covers just the first stage and the path should be matched as well.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 23:36
Reported: 2024-06-16 23:38
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1dafc5a71b0b9df6215669da9394b2e0_NeikiAnalytics.exe"

Signatures

Neconyd (trojan, neconyd)

Executes dropped EXE

Process
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
(Description, Indicator and Target: N/A)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

No WriteProcessMemory events were flagged in this run, although the same three-stage process chain was observed.

Processes

Each process is listed as its image path followed by its command line.

C:\Users\Admin\AppData\Local\Temp\1dafc5a71b0b9df6215669da9394b2e0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\1dafc5a71b0b9df6215669da9394b2e0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

As in behavioral1, the System32 path in the third command line is the WoW64 redirection of C:\Windows\SysWOW64 for a 32-bit process; it is the same file as the SysWOW64 entry under Files.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

In this run two of the three domains were actually contacted on tcp/80: lousta.net at 193.166.255.171 (FI, four connections) and mkkuei4kdsz.com at 64.225.91.73 (US, two connections). For ow5dirasuek.com only a DNS query is recorded, in both runs. The in-addr.arpa entries are reverse (PTR) lookups; 73.91.225.64.in-addr.arpa is the reverse of the mkkuei4kdsz.com address, while the listing does not distinguish which of the others are Windows background traffic rather than the sample's own.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 1fb41ff7e77a425e56189e23f6d4d3ef
SHA1 bf3ec38aa10b63ceaaef5801b011b633066306d9
SHA256 7d8603e6c939c9ea05653a33382088667a340a9e4859255f0a7b0e12d2673f58
SHA512 94dad93cb5cb9815b97e2799245fec51c621180580a69ad0123fd9b2a26e3e1319eddb11cea4a1449812bb814c33389548b4556dddf53e37b28055e691040853

C:\Windows\SysWOW64\omsecor.exe
MD5 46b4f948e960d665b202b213d04d1677
SHA1 8dd623fadaa3c88597260ac8c29f6a8c2f7c5001
SHA256 daa1f238206094a4672c9abe50b3672ec9aae17908085a45b425d314d0c168ec
SHA512 d5b04b44523665b966516039667fa837d872700813418af0b3d52da6af61811a40062d3bb90080eb03683fad6c73a3d10d376e40c6234c74a40955d77e82b41e

C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 a329814429b2354a3e2ac672828363f6
SHA1 26e40f79cdde2e5e2816ca63fce0424ea08bb480
SHA256 ad2105653609d383bee9369491352c605cf882b0ac0c887056f591901b59b73a
SHA512 6eab3f465c7e288ce34ac6ecf2c285fbc7304dc0188c557c1c369c42d1be79a395bd8962119e361f4736372fd0ac78e444ffbee02797c6f0dc29b1f64e4601c4

The first Roaming drop has the same hashes as in behavioral1; the SysWOW64 copy and the second Roaming copy do not, so those two stages are regenerated per run and are not reliable hash IOCs.
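
As an added example (not part of the sandbox report), the Python below turns the indicators from both runs into a small IOC set and runs it over constructed DNS, connection and file-inventory records. The SHA256 values, domains and IP addresses are the report's; the key=value log format, the sample records and the function names are constructed for this example. It goes slightly beyond the report in two ways: the path check matches omsecor.exe for any user profile rather than only Admin, and it accepts both C:\Windows\SysWOW64 and C:\Windows\System32, since a 32-bit process sees the latter redirected to the former.

```python
"""Added example: IOC matching for the Neconyd report. Hashes, domains and
IPs are the report's; logs, inventory and formats are constructed."""
import re
from pathlib import PureWindowsPath

# SHA256 of the original sample and the dropped files from both detonations.
IOC_SHA256 = {
    "9715ad119c229dbfba0a69d83806f89993a989a4232af8e877f3f42defe2f2a8",  # original sample
    "7d8603e6c939c9ea05653a33382088667a340a9e4859255f0a7b0e12d2673f58",  # first Roaming drop, both runs
    "484309735c4f8e3c79956c8ada2faaa23a3d791b3b0b4954b9f6c8f4d3d275c8",  # SysWOW64 copy, win7 run
    "aaa8f8bd782ae101d00c2e906caa2e8c447c9ec571da403e79115ad6ace8702b",  # second Roaming copy, win7 run
    "daa1f238206094a4672c9abe50b3672ec9aae17908085a45b425d314d0c168ec",  # SysWOW64 copy, win10 run
    "ad2105653609d383bee9369491352c605cf882b0ac0c887056f591901b59b73a",  # second Roaming copy, win10 run
}
IOC_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
IOC_IPS = {"193.166.255.171", "64.225.91.73"}  # the two hosts contacted on tcp/80

# Constructed log lines (not from the report) in an assumed key=value layout.
DNS_LOG = """\
2024-06-16T23:37:02Z src=10.0.0.12 qtype=A qname=lousta.net
2024-06-16T23:37:02Z src=10.0.0.12 qtype=PTR qname=8.8.8.8.in-addr.arpa
2024-06-16T23:37:05Z src=10.0.0.12 qtype=A qname=www.MKKUEI4KDSZ.com.
2024-06-16T23:37:09Z src=10.0.0.30 qtype=A qname=update.microsoft.com
"""
CONN_LOG = """\
2024-06-16T23:37:03Z src=10.0.0.12 dst=193.166.255.171 dport=80 proto=tcp
2024-06-16T23:37:04Z src=10.0.0.12 dst=8.8.8.8 dport=53 proto=udp
2024-06-16T23:37:06Z src=10.0.0.12 dst=64.225.91.73 dport=80 proto=tcp
"""
# Constructed host inventory of (path, sha256); the second entry mimics a
# regenerated second-stage copy whose hash is not in the list.
FILE_INVENTORY = [
    (r"C:\Users\alice\AppData\Roaming\omsecor.exe",
     "7d8603e6c939c9ea05653a33382088667a340a9e4859255f0a7b0e12d2673f58"),
    (r"C:\Windows\SysWOW64\omsecor.exe",
     "0000000000000000000000000000000000000000000000000000000000000000"),
    (r"C:\Windows\System32\notepad.exe",
     "1111111111111111111111111111111111111111111111111111111111111111"),
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> dict:
    """Split 'key=value' tokens of one log line into a dict."""
    return dict(KV.findall(line))


def domain_hit(qname: str):
    """Return the matching IOC domain, also for subdomains (www.<ioc>) and
    trailing-dot FQDNs; reverse-lookup names are ignored as noise."""
    name = qname.lower().rstrip(".")
    if name.endswith(".in-addr.arpa"):
        return None
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns(log: str):
    """(client, ioc_domain) for every query that hits the IOC list."""
    hits = []
    for line in log.splitlines():
        rec = parse_kv(line)
        ioc = domain_hit(rec.get("qname", ""))
        if ioc:
            hits.append((rec["src"], ioc))
    return hits


def scan_conns(log: str):
    """(client, server, port) for connections to the report's C2 addresses."""
    return [(rec["src"], rec["dst"], int(rec["dport"]))
            for rec in map(parse_kv, log.splitlines())
            if rec.get("dst") in IOC_IPS]


def omsecor_path(path: str) -> bool:
    """The dropper's two locations for any user name. System32 is accepted
    next to SysWOW64 because WoW64 redirects the former to the latter for a
    32-bit process (the report's process list shows both spellings)."""
    p = PureWindowsPath(path)
    if p.name.lower() != "omsecor.exe":
        return False
    parts = [s.lower() for s in p.parts]
    in_appdata = len(parts) >= 5 and parts[1] == "users" and parts[3:5] == ["appdata", "roaming"]
    in_sysdir = len(parts) >= 3 and parts[1] == "windows" and parts[2] in ("syswow64", "system32")
    return in_appdata or in_sysdir


def scan_files(inventory):
    """Flag files by hash (exact) and by path (catches a regenerated copy
    whose hash differs from the report, as the second-stage copies do)."""
    hits = []
    for path, sha256 in inventory:
        reasons = []
        if sha256.lower() in IOC_SHA256:
            reasons.append("hash")
        if omsecor_path(path):
            reasons.append("path")
        if reasons:
            hits.append((path, reasons))
    return hits


if __name__ == "__main__":
    print(scan_dns(DNS_LOG))
    print(scan_conns(CONN_LOG))
    print(scan_files(FILE_INVENTORY))
```

On the constructed inventory the SysWOW64 copy is caught only by path, which is the point of matching both: the hash list covers the first stage reliably and the path check covers the stages this family rewrites on every run.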