Analysis Overview
SHA256
b7f92dfc5bb6c71113a34188c45fdfb5513adf3bca1835517e03db0625cc6396
Threat Level: Known bad
The file 23c979a19abaac98781f56790d10b050_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-17 00:18
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 00:18
Reported
2024-06-17 00:20
Platform
win7-20240221-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23c979a19abaac98781f56790d10b050_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23c979a19abaac98781f56790d10b050_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23c979a19abaac98781f56790d10b050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23c979a19abaac98781f56790d10b050_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2684-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3762577af372a54aeff02b11753692c8 |
| SHA1 | c96d6c08e8179b798904ef40b6c4ca4ba6797427 |
| SHA256 | f02dd1133c21a2b424a3e299a24189f23f766d35638402f7f7a46c35a0a3fd5e |
| SHA512 | decafbab8893a49c136b247908ed9b36212fbce4e7edf0d7cc342628adc920cb9de1dac5cb78f847bd848b2b0d1c96ec1a5eaa4ffec6e06eae19437be1dbcbf3 |
memory/2684-9-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2840-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2840-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2840-16-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2840-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2840-22-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | b7f2aa13e81efd58814c78b7cb5f7f9b |
| SHA1 | 8722167efc1688898dec99b01ec583d772ed7e78 |
| SHA256 | 281b6c66213d1709c3f4c121ddd4917821c9fcce1a2e8501131a32305c697e8f |
| SHA512 | 81631c135481565e89475ced63121c0ebf3c5d8130c73ea056bc5951b5fd885e6a338ed0f4eb2658fd98714cf210f75c0f135fe7a139995532cad17a4efeadd3 |
memory/2840-25-0x0000000000280000-0x00000000002AD000-memory.dmp
memory/2840-32-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 355f9bc25eddce3463bc8cb18324bf27 |
| SHA1 | a33fa392877979eb386afe4be1dec966c20416aa |
| SHA256 | f72a02f19e5302b011c3ec8b4b95f58945b048efb7341ea754693312810d1f24 |
| SHA512 | 171d2f71d595a1c9277f01ffff2509719bf0aca30959efb6947ed0af47d72975324cf49f5898eabd53ac0a58c0108c575dec979579d210fbdae9e34b178e1f1a |
memory/2876-43-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2000-45-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2000-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2000-50-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 00:18
Reported
2024-06-17 00:20
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23c979a19abaac98781f56790d10b050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\23c979a19abaac98781f56790d10b050_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.115:443 | www.bing.com | tcp |
| BE | 2.17.107.115:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 115.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/764-1-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3762577af372a54aeff02b11753692c8 |
| SHA1 | c96d6c08e8179b798904ef40b6c4ca4ba6797427 |
| SHA256 | f02dd1133c21a2b424a3e299a24189f23f766d35638402f7f7a46c35a0a3fd5e |
| SHA512 | decafbab8893a49c136b247908ed9b36212fbce4e7edf0d7cc342628adc920cb9de1dac5cb78f847bd848b2b0d1c96ec1a5eaa4ffec6e06eae19437be1dbcbf3 |
memory/2232-5-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2232-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2232-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2232-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2232-14-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 7428682b8c4b77cbc2365afc7834ef16 |
| SHA1 | 067d5b024898ec6e58850cc48557ecd3b353c11d |
| SHA256 | 08f254bc14a56c56cad478bde3bae1fd19af48c4f5dd00e1a2b93d54c5acc478 |
| SHA512 | 86fb001900d0ce5d304e40f003e9ce0d44dfe202ceb2413f029bccae33dd80574a83cfb1864128189c2dad8eafe31ff9d0d5c36b85e5f1c200220d78d17c18f4 |
memory/2232-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3964-22-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 129454ac2cbef728bbc1085c2ed74634 |
| SHA1 | 5d7f2f0ce370c47b07d24de8e9166d8b4bdb4777 |
| SHA256 | 2b6ea40d69802f916edbe061c0282c04405a420ba93965dc2acc6ce7396b3a26 |
| SHA512 | 0e8f878635143367d249faaa492a53e1dbb8aeb45f9e331ff707d809235bbb16fd78aa2612ae472bc67f1cf7317138a1aec92789fed0fe818354f58764769831 |
memory/1972-26-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1972-28-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1972-31-0x0000000000400000-0x000000000042D000-memory.dmp