Malware Analysis Report

2024-09-11 08:18

Sample ID 240616-hdjxwsxcmr
Target dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe
SHA256 8717b7bd14b5e66599a75121ba599b697c02a903e0f251a3dfd8ee164cb6695d
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8717b7bd14b5e66599a75121ba599b697c02a903e0f251a3dfd8ee164cb6695d

Threat Level: Known bad

The file dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-16 06:37

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 06:37

Reported

2024-06-16 06:39

Platform

win7-20231129-en

Max time kernel

120s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2884 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2884 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2884 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2884 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2960 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2960 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2960 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2960 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1068 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1068 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1068 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1068 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7e4a04ac97b9414cedbc6d9fbba96713
SHA1 e62ba70e561d72c7d1007f2782501d27a88aebaf
SHA256 bd4306c9508103cb665bcb05cd659d5a5d62b3084863ec8c513b5c55cfdc2dbd
SHA512 159639c40777d6d85927c907529203ce77fc1c88054fc5ac99828134694f77ef0434080aa390fc985a9649be048db77324af2114f583718948e0c6e69fc79294

\Windows\SysWOW64\omsecor.exe

MD5 07cc71c15abf37fc957fe0635d62ab7e
SHA1 74b9b6e3daa6f2ec2fbef9f85ee6cd972ec8ef99
SHA256 30d8e29f3342387e32190c0d1bb0e26ffe8d5ab6d874c00b4629be5340ae0577
SHA512 25784c222d7c8965740ed9e5ff9a8da2c339ef9c1c68f0ea5989602b1b368f8d0af95447736e7976e438d9bf5b832341e93c6e237d12e22bf5afd04be0465594

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dcc511a84df9fcb38eb6f8199490ecf3
SHA1 26d82f2ef3e60fb943bac16b7c49fc4026e90e91
SHA256 f37851ef99218e9edba5df1f2f85c4b9605d8d642af65ab0ef2bddc424c9383a
SHA512 0e68997ad6c73b6dddaad75d1b2aa39973005945876bf2cdfec5e92f5683da37aae424db1bbf6505716edcd299c7a053f3ff9396bc8beeba49cae7d26339b11a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 06:37

Reported

2024-06-16 06:39

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\dd8338a66afaf6a27b419c321862f960_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7e4a04ac97b9414cedbc6d9fbba96713
SHA1 e62ba70e561d72c7d1007f2782501d27a88aebaf
SHA256 bd4306c9508103cb665bcb05cd659d5a5d62b3084863ec8c513b5c55cfdc2dbd
SHA512 159639c40777d6d85927c907529203ce77fc1c88054fc5ac99828134694f77ef0434080aa390fc985a9649be048db77324af2114f583718948e0c6e69fc79294

C:\Windows\SysWOW64\omsecor.exe

MD5 ec7f4426b012c876e0bbf6120c24eab0
SHA1 2d010d8b248ea526ed089e794769d625ca5a7594
SHA256 29f222f59b2d86fa6f9415735c752a606ef9b2c5c763ca4859c1c8280c77a32f
SHA512 3525b681d643428c1cbb6a5fe557a926efeb678f1fbccb3984b4cc0161f2602ef990a0106c12481e9264c869781e40b1d193b18c59bea7b92a35a3dc1d3637a4

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 c0a1baf1105d8531aa4c900cb30c9cc3
SHA1 59941db4e284b0ffa437b3a8ab87228d90caa71f
SHA256 290c8fbaa9057df0b53ccae65c8a31a3b21955e387e239760f3103e21102dd63
SHA512 087be0b9c83c92686e2ea50d8dd6150472db1c17598e9161429bd20dbd2c99892c619c952208f8bef9641cb6791dfcc3580403d1077d73100e22a3e5100aa384