Analysis Overview
SHA256
b9b8e7dca52ad0f7cf478328ee5ec8e888d5f31ade3e02b9629fa9b10b56b30f
Threat Level: Known bad
The file 095ba48065b51d59794c8b280f63f790_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-17 22:21
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 22:21
Reported
2024-06-17 22:24
Platform
win7-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\095ba48065b51d59794c8b280f63f790_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\095ba48065b51d59794c8b280f63f790_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\095ba48065b51d59794c8b280f63f790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\095ba48065b51d59794c8b280f63f790_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2304-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 97aa3594884ae32e74b267b8106107f2 |
| SHA1 | 57ac394cfa2fded80de795299fbfac937ebf0a77 |
| SHA256 | e067645250b5adc00f5975f5bd10e235134f80a4a6412f0073208c053c11a2f5 |
| SHA512 | 17320f5cb5045ef56120b2d8aac29582e543c8de9b7f58942087b7cbbd49f18c800e78d24c0c3e8dd49f4dea3c646b14c9327ca734d8287d1e3e31847aefdd27 |
memory/1752-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2304-9-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1752-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1752-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1752-22-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 2c5f7aa2a3f41cc85a804a6056431d52 |
| SHA1 | 03dbaa70e0e06f506f325b758103ab3765ea32f6 |
| SHA256 | 06ba364932e1c9cab9a60645fbf1517d150d63adcf95d6edd60f43aa6f5ab141 |
| SHA512 | 0d60353c06ee941c29e198232c100018b4888cbcd60e54c1e69ce396b4d30646decfbdbf1afcc0b6a4cab0e55df96716b755756b7db7f07d0e926d8d3663bd04 |
memory/1752-25-0x0000000000350000-0x000000000037D000-memory.dmp
memory/1596-36-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1752-35-0x0000000000350000-0x000000000037D000-memory.dmp
memory/1752-34-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1596-37-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1596-40-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 22:21
Reported
2024-06-17 22:24
Platform
win10v2004-20240611-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1552 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\095ba48065b51d59794c8b280f63f790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1552 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\095ba48065b51d59794c8b280f63f790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1552 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\095ba48065b51d59794c8b280f63f790_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 220 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 220 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 220 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\095ba48065b51d59794c8b280f63f790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\095ba48065b51d59794c8b280f63f790_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| BE | 88.221.83.192:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.83.221.88.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/1552-0-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1552-6-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 97aa3594884ae32e74b267b8106107f2 |
| SHA1 | 57ac394cfa2fded80de795299fbfac937ebf0a77 |
| SHA256 | e067645250b5adc00f5975f5bd10e235134f80a4a6412f0073208c053c11a2f5 |
| SHA512 | 17320f5cb5045ef56120b2d8aac29582e543c8de9b7f58942087b7cbbd49f18c800e78d24c0c3e8dd49f4dea3c646b14c9327ca734d8287d1e3e31847aefdd27 |
memory/220-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/220-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/220-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/220-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/220-15-0x0000000000400000-0x000000000042D000-memory.dmp
memory/220-20-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d4577764bbc94d261ebf13f87ec63e39 |
| SHA1 | 5b0b8720a4af2808848bfb2ff067d525160fb597 |
| SHA256 | 0c75394e9efeb7cf0cf45d05dbaefa50cfd187cb7e9af6c4fcd340d5f8e03dfa |
| SHA512 | 4c1083176230c32d1256cd6cb3abcbcd5d29c31a9e352be30455dc9f6e4cd77d5338edd6d0194a423190a0951583485e9cab9a28e8ae63a940218f07d1e54964 |
memory/4016-22-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4016-23-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4016-26-0x0000000000400000-0x000000000042D000-memory.dmp