Malware Analysis Report

2024-09-11 08:19

Sample ID 240616-de2rwawhrc
Target cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe
SHA256 39a9abfc351c42944b06c38d721267d86b4ced1a219a551cec4a0245c97a7357
Tags
neconyd trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 39a9abfc351c42944b06c38d721267d86b4ced1a219a551cec4a0245c97a7357

Threat Level: Known bad

The file cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-16 02:56

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-16 02:56

Reported 2024-06-16 02:58

Platform win10v2004-20240611-en

Max time kernel 146s

Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 52.182.143.211:443 | (none) | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a387ee943426bfb14be3435e1bd1300d
SHA1 6ed081bf1bb89c2f6ce9f6b39a432fd5e304cf19
SHA256 b02c00c654617f259c8391128e824944ce663d588300c17322ccb78a45b2201f
SHA512 307f94eaacb78d6e045bfdf59b07a45cfe66b0aa5f09ee3c1ba4bef8de753a7ed3eca43bcc434e48b4a93ef39a7f506b97c780a57c06a6b4938ad87ba3eee054

C:\Windows\SysWOW64\omsecor.exe

MD5 c07f48a0d5b52234a96ceab192db0a53
SHA1 86dc6a885ea39aeeca568ba39ddc407261a8d370
SHA256 6966d7d961e4eb3bf13b128d887a3733bc813cd676378a3462d6b6c802b02839
SHA512 7ef2aec3171761d53ef8c67198df15feb3bd189487ad2d1525d17b49a1a269bac31dd89151104af0c897a6845592018268a6b68de6a0ce86d0191907e21ef7de

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 618e669e79a46fd7c560ff3142653ab1
SHA1 56b4f209c070e47ddb5b35e2f550a5c7192f251c
SHA256 b1c923ddae8f123c0f507f95fe71b3f69b8d97cfb8074bc09532e3af7817d285
SHA512 6e49952e68af2202997e07c3f0104b42f8be07289077ba416aca9691e3286bd5f15bf4910ca17a97b111a9c6d1bebb59d684da7473a97148bc3e8f81326505ff

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-16 02:56

Reported 2024-06-16 02:58

Platform win7-20240508-en

Max time kernel 146s

Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2956 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2956 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2956 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2956 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2976 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2976 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2976 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2976 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2180 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2180 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2180 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2180 wrote to memory of 1932 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\cf7282260e300c30728d804aba6cd5b0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a387ee943426bfb14be3435e1bd1300d
SHA1 6ed081bf1bb89c2f6ce9f6b39a432fd5e304cf19
SHA256 b02c00c654617f259c8391128e824944ce663d588300c17322ccb78a45b2201f
SHA512 307f94eaacb78d6e045bfdf59b07a45cfe66b0aa5f09ee3c1ba4bef8de753a7ed3eca43bcc434e48b4a93ef39a7f506b97c780a57c06a6b4938ad87ba3eee054

\Windows\SysWOW64\omsecor.exe

MD5 698635dc8190c5be888aac8ba46be04e
SHA1 132fa6162dbbb5151def45a75236b0bbf87c12b1
SHA256 723db278d928d6cf135e3d7e945fdbd6f42a8b9dc89bf9f2022f7a9072903098
SHA512 f522c0a8c79a61fa4b411af0931a70555e7465e60322f0b14b2ae21380ba02fa0b87bfeb8ff8f5ab6004964f7c2d3b351757b30608c601d12d3a82daa6d538d3

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 d1c01b564ec519bc8d351038da1069cd
SHA1 3a87821bbb933e6bbe72e346b9eebac6d82ea9cb
SHA256 bf506a6752512e727b0f95970225ab3d4677de4969059574624d2f72db691c40
SHA512 c6641ce8726ee37cf44cc4b5a996f104fac25459781230a1b30dd64ca7b9a0b082c107b9ccedf4ae0ed807d65da91447515d94fc42bf7b4a77d8f516da2a3325