Malware Analysis Report

2024-09-11 08:31

Sample ID 240616-bhafpawhmk
Target c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe
SHA256 60645d9e3738400a871a7222012abe40b6fece8ba345753f44974284203fa8fd
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60645d9e3738400a871a7222012abe40b6fece8ba345753f44974284203fa8fd

Threat Level: Known bad

The file c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 01:08

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 01:08

Reported

2024-06-16 01:10

Platform

win7-20240220-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 396 wrote to memory of 1644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 396 wrote to memory of 1644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 396 wrote to memory of 1644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 396 wrote to memory of 1644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
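The twelve rows above are raw WriteProcessMemory events, four per process hand-off, so the chain is easier to read once the rows are collapsed into edges. The script below is an example added to this page, not part of the sandbox output: it parses the rows exactly as they appear in the table, counts the writes per (writer, target) pair, reconstructs the lineage 1620 -> 2908 -> 396 -> 1644, and labels each hop by whether the image sits in a user profile directory or under C:\Windows. The row regex and the directory heuristic are the example's own assumptions; the regex relies on the paths containing no spaces, which holds for every row in this report.

```python
"""Rebuild the process lineage from the 'Suspicious use of WriteProcessMemory' rows."""
import re
from collections import Counter

# Rows copied verbatim from the behavioral1 table above (sample input for this example).
WPM_ROWS = r"""
PID 1620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2908 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 396 wrote to memory of 1644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 396 wrote to memory of 1644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 396 wrote to memory of 1644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 396 wrote to memory of 1644 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
"""

# Columns: Description | Indicator (always N/A in this table) | Process | Target. They are space
# separated and the paths in this report contain no spaces, so one regex suffices (assumption).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_wpm_rows(text):
    """Return one dict per row; raise on a row that does not match the expected layout."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WPM_RE.match(line)
        if m is None:
            raise ValueError("unrecognised WriteProcessMemory row: %r" % line)
        events.append({"src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
                       "src_image": m.group(3), "dst_image": m.group(4)})
    return events


def count_writes(events):
    """Collapse repeated rows into one edge (writer pid, writer image, target pid, target image) with a count."""
    return Counter((e["src_pid"], e["src_image"], e["dst_pid"], e["dst_image"]) for e in events)


def lineage_chains(edges):
    """Walk writer -> target edges from every root (a pid nobody wrote into) down to the leaves."""
    children, images = {}, {}
    for src_pid, src_image, dst_pid, dst_image in edges:
        children.setdefault(src_pid, [])
        if dst_pid not in children[src_pid]:
            children[src_pid].append(dst_pid)
        images[src_pid], images[dst_pid] = src_image, dst_image
    targets = {d for ds in children.values() for d in ds}
    chains = []

    def walk(pid, path):
        path = path + [(pid, images[pid])]
        kids = children.get(pid, [])
        if not kids:
            chains.append(path)
        for kid in kids:
            walk(kid, path)

    for root in sorted(p for p in children if p not in targets):
        walk(root, [])
    return chains


def location(image):
    """Heuristic of this example: Windows system directories vs user-writable profile directories."""
    low = image.lower()
    if "\\windows\\syswow64\\" in low or "\\windows\\system32\\" in low:
        return "system"
    if "\\appdata\\" in low or "\\users\\" in low:
        return "user"
    return "other"


def hop_summary(chain):
    """Reduce a chain to (basename, location) hops, e.g. user -> user -> system -> user."""
    return [(image.rsplit("\\", 1)[-1], location(image)) for _, image in chain]


def summarize(text):
    events = parse_wpm_rows(text)
    edges = count_writes(events)
    chains = lineage_chains(edges)
    return {"rows": len(events), "edges": edges, "chains": chains,
            "hops": [hop_summary(c) for c in chains]}


if __name__ == "__main__":
    result = summarize(WPM_ROWS)
    for (sp, si, dp, di), n in result["edges"].items():
        print("%d (%s) -> %d (%s): %d writes" % (sp, si, dp, di, n))
    for hops in result["hops"]:
        print(" -> ".join("%s@%s" % h for h in hops))
```

The hop summary makes the replication pattern explicit: the original dropper runs from a user directory, writes a copy named omsecor.exe into Roaming, that copy writes a second one into SysWOW64, and the SysWOW64 copy launches yet another Roaming copy. Each hop is accompanied by four WriteProcessMemory calls into the freshly created child, which is why the table repeats every row four times.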

Processes

C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2add9806b7b0353a0d49558873dfbf23
SHA1 6d397fce01ccf06f2e4ccde55438c4dcdaa2b4c6
SHA256 36aedcabe80f4510d6109d1b6b0fefb9babeaaf6f73e9ead2ef370050eaad211
SHA512 fc373238d079d2cc3bfba893a50f4b54e248ea9ba9aa9253a0956efa8501968b1c64dba27515143088266b5c87cd52c57107cbeb85152dcffa114e6d1e34ff47

\Windows\SysWOW64\omsecor.exe

MD5 b370047c99c93e05af956111323cc859
SHA1 9e12b26d9fa685be8be5848c4dba0ce2035a3e87
SHA256 a213b7d1ea20c4eeafdcbfae78c6a5dca13e0760d8715d59ae0823bfca746049
SHA512 a015e52ae6651fec52701577c90fb4fb88ed53f9d3913534df678f0245239b2f81e59e0fdf3e2bd148b0bf63a972089c0a951d02092a1d14c3c9cd07ea46c8a8

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 430c920f8eeeaf41422be7e43e63d752
SHA1 c0dfa8674584bd7f6848b3d0b0af0335a4737fc4
SHA256 8ecc80587db13f2ccd1a77b55e54193d0f5a9d4e18e6d9d41d04fb92b016cb40
SHA512 98b242540dfe1c2b89fc69fc36ee1cd47ab1adc7b66456b3d10a33eb38c0b865c026da445bf6fa0f02bd0cedd3bea15d384f7e1f8514c1bd17b824ebf2043924

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 01:08

Reported

2024-06-16 01:10

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
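The "Drops file in System32 directory" and "Executes dropped EXE" signatures, reported for both detonations, describe a host-observable pattern that does not depend on any of the file hashes: a process running from the user's Roaming directory writes an executable of the same name into SysWOW64, that executable is then launched, and it in turn starts a fresh copy back in Roaming. The rule below is an example added to this page, not sandbox output or a vendor rule; it runs over constructed Sysmon-style events (EventID 1 process creation and EventID 11 file creation, reduced to the fields the logic needs) and flags a user-profile process writing an .exe into System32 or SysWOW64 that is subsequently executed. Field names follow the Sysmon schema; the event records, timestamps and the benign control event are made up to mirror this report's chain.

```python
"""Flag the 'write an .exe into System32/SysWOW64 from a profile directory, then run it' pattern."""
import re

# Constructed Sysmon-style telemetry modelled on the behavioural chain in this report (not real logs).
# EventID 1 = ProcessCreate, EventID 11 = FileCreate; field names as in the Sysmon event schema.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-06-16 01:08:31.000", "ProcessId": 1620, "ParentProcessId": 1100,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "UtcTime": "2024-06-16 01:08:31.400", "ProcessId": 1620,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"EventID": 1, "UtcTime": "2024-06-16 01:08:32.000", "ProcessId": 2908, "ParentProcessId": 1620,
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe"},
    {"EventID": 11, "UtcTime": "2024-06-16 01:08:32.300", "ProcessId": 2908,
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"EventID": 1, "UtcTime": "2024-06-16 01:08:33.000", "ProcessId": 396, "ParentProcessId": 2908,
     "Image": r"C:\Windows\SysWOW64\omsecor.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"EventID": 1, "UtcTime": "2024-06-16 01:08:34.000", "ProcessId": 1644, "ParentProcessId": 396,
     "Image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "ParentImage": r"C:\Windows\SysWOW64\omsecor.exe"},
    # Benign control (constructed): an installer under Program Files dropping a service binary into System32.
    {"EventID": 11, "UtcTime": "2024-06-16 01:09:00.000", "ProcessId": 2222,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Windows\System32\vendorsvc.exe"},
]

# Path classes used by the rule (assumptions of this example).
USER_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_drop_and_execute(events):
    """Alerts for an .exe written into System32/SysWOW64 by a process running under the user profile.

    Stage 1 (drop): FileCreate whose writer Image is under the profile and whose TargetFilename is an
    .exe under a system directory. Stage 2 (execute): a later ProcessCreate whose Image equals the
    dropped path. Drops never executed are still returned with executed=False for triage."""
    ordered = sorted(events, key=lambda e: e["UtcTime"])
    drops = []
    for ev in ordered:
        if (ev["EventID"] == 11 and USER_DIR.match(ev["Image"])
                and SYSTEM_DIR.match(ev["TargetFilename"])
                and ev["TargetFilename"].lower().endswith(".exe")):
            drops.append({"time": ev["UtcTime"], "writer_pid": ev["ProcessId"], "writer": ev["Image"],
                          "dropped": ev["TargetFilename"], "executed": False, "child_pid": None,
                          "same_name": basename(ev["Image"]) == basename(ev["TargetFilename"])})
    for ev in ordered:
        if ev["EventID"] != 1:
            continue
        for d in drops:
            if (not d["executed"] and ev["UtcTime"] > d["time"]
                    and ev["Image"].lower() == d["dropped"].lower()):
                d["executed"], d["child_pid"] = True, ev["ProcessId"]
    return drops


def spawns_back_into_profile(events, system_pid):
    """Second-stage check: images of children of the system-directory copy that run from the profile."""
    return [ev["Image"] for ev in events
            if ev["EventID"] == 1 and ev["ParentProcessId"] == system_pid and USER_DIR.match(ev["Image"])]


if __name__ == "__main__":
    for alert in detect_drop_and_execute(EVENTS):
        print(alert)
        if alert["executed"]:
            print("  children back in profile:", spawns_back_into_profile(EVENTS, alert["child_pid"]))
```

The benign control shows the rule's intended scope: an installer in Program Files writing into System32 is not flagged, because the writer is not in a user profile. The same_name field captures the detail specific to this sample (dropper and dropped file share the name omsecor.exe) without making the rule depend on it.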

Processes

C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c890d6c1fccf98a10fc37e228d463190_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2add9806b7b0353a0d49558873dfbf23
SHA1 6d397fce01ccf06f2e4ccde55438c4dcdaa2b4c6
SHA256 36aedcabe80f4510d6109d1b6b0fefb9babeaaf6f73e9ead2ef370050eaad211
SHA512 fc373238d079d2cc3bfba893a50f4b54e248ea9ba9aa9253a0956efa8501968b1c64dba27515143088266b5c87cd52c57107cbeb85152dcffa114e6d1e34ff47

C:\Windows\SysWOW64\omsecor.exe

MD5 323826a7316457b060cb55a3c9fab4cb
SHA1 6214c236b8d37881670a4722caae90426857eb5a
SHA256 da112799c697f25020e2e4d2d9cbcb39fdec200a522b8be11103304aede27102
SHA512 3006dac63d848ae2acb3f1ad148817a055ce7afbbc5d3301d45e7b8c104a749a8e4f3dca648941de383d28914b7848cec572a0401495e290f737921df6cbd575

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c3fe7b15273f07fea4726268e217bd4a
SHA1 b3cbe1227d035d2bf2e8e8d4dd32247cddecc5d0
SHA256 9d06d1ca1e5a43b2cb6f531f0ad6f8859c68e941e859b93f49066b4837e4d455
SHA512 7ae3b9d4b6b1c51999c824537454509b7849b9af00ae6729e13ebbfe83932056433df2fc0082423a2407ff9cebf6af2018ed83e0fbb40fc348418ac21bbf169c
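The Files sections of the two runs carry a point worth checking before any of these hashes go onto a blocklist: the first Roaming\omsecor.exe drop has the same SHA256 (36aedcab...) on Windows 7 and Windows 10, but the SysWOW64 copy and the second Roaming copy differ between the runs, so the sample does not write byte-identical copies of itself on every hop. The script below is an example added to this page, not sandbox output: it parses the two Files listings as they appear above (MD5, SHA1 and SHA256 lines copied verbatim; the SHA512 lines are left out of the embedded copy for brevity, the parser accepts them), normalises the drive-letter difference between the two listings, and separates hashes seen in every run from those seen in only one. Its parsing assumptions are that any non-hash line starts a new file entry and that hash lines have the form "ALGO hexdigest".

```python
"""Which dropped-file hashes are stable across the two detonations?"""
import re
from collections import defaultdict

# Files listings copied from the two behavioural runs above (SHA512 lines omitted for brevity).
FILES_BY_RUN = {
    "behavioral1": r"""
\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2add9806b7b0353a0d49558873dfbf23
SHA1 6d397fce01ccf06f2e4ccde55438c4dcdaa2b4c6
SHA256 36aedcabe80f4510d6109d1b6b0fefb9babeaaf6f73e9ead2ef370050eaad211

\Windows\SysWOW64\omsecor.exe

MD5 b370047c99c93e05af956111323cc859
SHA1 9e12b26d9fa685be8be5848c4dba0ce2035a3e87
SHA256 a213b7d1ea20c4eeafdcbfae78c6a5dca13e0760d8715d59ae0823bfca746049

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 430c920f8eeeaf41422be7e43e63d752
SHA1 c0dfa8674584bd7f6848b3d0b0af0335a4737fc4
SHA256 8ecc80587db13f2ccd1a77b55e54193d0f5a9d4e18e6d9d41d04fb92b016cb40
""",
    "behavioral2": r"""
C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2add9806b7b0353a0d49558873dfbf23
SHA1 6d397fce01ccf06f2e4ccde55438c4dcdaa2b4c6
SHA256 36aedcabe80f4510d6109d1b6b0fefb9babeaaf6f73e9ead2ef370050eaad211

C:\Windows\SysWOW64\omsecor.exe

MD5 323826a7316457b060cb55a3c9fab4cb
SHA1 6214c236b8d37881670a4722caae90426857eb5a
SHA256 da112799c697f25020e2e4d2d9cbcb39fdec200a522b8be11103304aede27102

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c3fe7b15273f07fea4726268e217bd4a
SHA1 b3cbe1227d035d2bf2e8e8d4dd32247cddecc5d0
SHA256 9d06d1ca1e5a43b2cb6f531f0ad6f8859c68e941e859b93f49066b4837e4d455
""",
}

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")


def normalise_path(path):
    """behavioral1 omits the drive letter and behavioral2 includes it; compare on the drive-less form."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_files_listing(text):
    """Return [{'path': ..., 'hashes': {'MD5': ..., 'SHA1': ..., ...}}] in listing order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            entries.append({"path": normalise_path(line), "hashes": {}})
        elif not entries:
            raise ValueError("hash line before any path: %r" % line)
        else:
            entries[-1]["hashes"][m.group(1)] = m.group(2).lower()
    return entries


def hash_stability(listings, algo="SHA256"):
    """path -> stable (hash seen in every run), volatile (seen in some runs only), runs_seen."""
    seen = defaultdict(lambda: defaultdict(set))   # path -> run -> {hash}
    for run, text in listings.items():
        for entry in parse_files_listing(text):
            if algo in entry["hashes"]:
                seen[entry["path"]][run].add(entry["hashes"][algo])
    result = {}
    for path, by_run in seen.items():
        union = set().union(*by_run.values())
        stable = {h for h in union if all(h in by_run.get(r, set()) for r in listings)}
        result[path] = {"stable": stable, "volatile": union - stable, "runs_seen": sorted(by_run)}
    return result


if __name__ == "__main__":
    for path, info in sorted(hash_stability(FILES_BY_RUN).items()):
        print(path)
        print("  stable  :", sorted(info["stable"]) or "none")
        print("  volatile:", sorted(info["volatile"]))
```

For this report the outcome is one stable hash (the first Roaming drop) and four volatile ones; the volatile hashes still identify the specific artefacts from these two detonations but should not be expected to match copies found on other hosts, which is an argument for pairing them with the path and process-chain indicators above.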