Analysis Overview
SHA256
69c20e7ed7c22b95e1af2589ba0fa39d670e04b97bdd4bd18df8d8c60803d969
Threat Level: Known bad
The file 239e779fa08d1307537022ce69196160_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-17 00:15
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 00:15
Reported
2024-06-17 00:18
Platform
win7-20240508-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239e779fa08d1307537022ce69196160_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\239e779fa08d1307537022ce69196160_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\239e779fa08d1307537022ce69196160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\239e779fa08d1307537022ce69196160_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/2028-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 1f6eb1f13835effc74419725a4e2764a |
| SHA1 | bd83116e9b944e920616dfeaa33f626feb297640 |
| SHA256 | 9d9c569be987aae6694cd06d6ba9e77a7c87dc28d6723496f3ad4ad3ebfee786 |
| SHA512 | fed07cfd325763af9c3b495eb0f92a6bb1b857c917e50cf87ef192957205fb1275d5b7946b755ae9ddfdebc09f2129020ce5843cb09ecaaa61b9a209f642bc05 |
memory/2260-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2028-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2260-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | fe4b020aa41a99d5c3e5249d01d4d29b |
| SHA1 | 84c8e25e3adca6441ee09e98668e9f1ba3b95798 |
| SHA256 | cf61b02d27abedb08d5cabd6c6c70f578477d5441ea6567e554c2cae43046525 |
| SHA512 | 6acd9c2a739540b915c0127d0af468526271f55cd30156a0a23815bfdf8b70b8bfa9bd0b6b1f8ac30639bed7b27acc92058cdde41b87b57eb4fdb9e8ad2a5fea |
memory/2260-15-0x0000000000300000-0x000000000032B000-memory.dmp
memory/2260-21-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 99fd808e7cc43a598fae262b99c44e4d |
| SHA1 | 29c1db175f29218f8747959ab1a0c8acb1db0423 |
| SHA256 | 316259d3d247b39b8c62f3a9fe10ea7333ebe8409f4486985f2d0d45f0601b4b |
| SHA512 | c0c839d9f01b948c880ea48a59e376eea84fb283bac0c5d759a37b73dba88a6fe2682a822dac96c8713a6395dcb76aa6349090ab0f52aeaf22db9df923c79487 |
memory/2160-32-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/2160-31-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1484-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1484-36-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 00:15
Reported
2024-06-17 00:18
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
144s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\239e779fa08d1307537022ce69196160_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\239e779fa08d1307537022ce69196160_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/1256-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1384-4-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 1f6eb1f13835effc74419725a4e2764a |
| SHA1 | bd83116e9b944e920616dfeaa33f626feb297640 |
| SHA256 | 9d9c569be987aae6694cd06d6ba9e77a7c87dc28d6723496f3ad4ad3ebfee786 |
| SHA512 | fed07cfd325763af9c3b495eb0f92a6bb1b857c917e50cf87ef192957205fb1275d5b7946b755ae9ddfdebc09f2129020ce5843cb09ecaaa61b9a209f642bc05 |
memory/1256-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1384-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 30d81a3ba087e0f2e6fac33c4552a7da |
| SHA1 | 069062f1ddb0993da035c438707a2d04418be88c |
| SHA256 | bcc57d6057df7b7068663a64d60515c97c82da50fad8764b537c8c3631fd0cef |
| SHA512 | 846b2fdc90e808109f17e6451831b51e90650c362efd0a19832c713d50af25284d3fd214f49f9563fde5f00557a562ee0d79be79d73700f8b92dc03ad94ac920 |
memory/1384-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2036-12-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | e1cb0e3dd8d8ecf5b506ee0276df2385 |
| SHA1 | e62f20a8665f4bc43b854286d69a2013506804d4 |
| SHA256 | de5bead57c883661ddba9f9ea0007b7f4307611073a15ecd7552fe399857c3a7 |
| SHA512 | aabc30f8e5e363b00ebc816c985cc50b5e0845d89115ea1b6e17aaffa7bbe18eaa2588bf71f3ffa8d9118fd7760cdbb9d7c5bb60a4f1f05ca4d45c69c439328d |
memory/2036-16-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3080-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3080-20-0x0000000000400000-0x000000000042B000-memory.dmp