Analysis Overview
SHA256
eed1278f56dbd46ebb9aba4e5443972d62b63d9bc6e90a5cbd1bda7be0c45593
Threat Level: Known bad
The file 2cebb2677c2499426ed67ac20b291950_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-17 01:22
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 01:22
Reported
2024-06-17 01:24
Platform
win7-20240611-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2cebb2677c2499426ed67ac20b291950_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2cebb2677c2499426ed67ac20b291950_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2cebb2677c2499426ed67ac20b291950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2cebb2677c2499426ed67ac20b291950_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2104-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2104-8-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | a893173b10e6ebc367c1f379fb7d0009 |
| SHA1 | 46fac9659bcfd64820e7c6900afdbc1da6f9800f |
| SHA256 | 7fc8de45f8cd59acfbea02e2f0093dd3dbc313b6a5a4d0cf7f8525388c82791d |
| SHA512 | ceb18cb18b9a7da717d1fe3f637c9e2265fc0609c6fd2a515f2141fcd6a512f8fb03fa097050110aaff808ab930eeb8e0c6353ad87221b9dd4a80aff17d24739 |
memory/1308-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1308-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 6379a13c5b839672ca3ef162ea9e7386 |
| SHA1 | d5d098e0948005e9097d32f2ee85e1e007188c77 |
| SHA256 | 96aca73c761e51d55b9e858e2f7ab44cb045a84f25c79e78e5d7ed5b7923e33c |
| SHA512 | 6404dbba825819ce5b378c9b5e75fb8d673e4d380f0d6c6df2418c22c6b19ac6c249ef59f01ac0a33b5aff39251842c854ecb62518c5e892fac4186443b4e7ee |
memory/1308-17-0x00000000002C0000-0x00000000002EA000-memory.dmp
memory/1308-24-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 21ff42031abdb55ec445570baef26bc2 |
| SHA1 | 81aaa4e5cfd201012088d6886fb2847a123986c5 |
| SHA256 | d021311955011eeab9517955e9346c1a869d55bd551d8be38e04ac91fb7bb856 |
| SHA512 | 0c651b8a0f911fa798ae456ad2e3e75877959939110bb376776d0284fa6341d11f0865ceade34c202e0af1bd38e39ad63494b14d2a08a2d7d59c01403a1be6fa |
memory/2192-29-0x0000000000430000-0x000000000045A000-memory.dmp
memory/2192-34-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1684-37-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 01:22
Reported
2024-06-17 01:24
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
142s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2cebb2677c2499426ed67ac20b291950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2cebb2677c2499426ed67ac20b291950_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/1664-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | a893173b10e6ebc367c1f379fb7d0009 |
| SHA1 | 46fac9659bcfd64820e7c6900afdbc1da6f9800f |
| SHA256 | 7fc8de45f8cd59acfbea02e2f0093dd3dbc313b6a5a4d0cf7f8525388c82791d |
| SHA512 | ceb18cb18b9a7da717d1fe3f637c9e2265fc0609c6fd2a515f2141fcd6a512f8fb03fa097050110aaff808ab930eeb8e0c6353ad87221b9dd4a80aff17d24739 |
memory/1664-4-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3780-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3780-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | caf3cc837b0fe8b122ed4b78dbd2148b |
| SHA1 | a2b2053cda32fddde4176cfd524bc41cc3834d57 |
| SHA256 | 200c380a71953a5c1d16633a097ac46e72d3a8fd166e174ba5a841ca18390e3b |
| SHA512 | abfc62e89e83cdd1393fae6d68b1a1f5d2ed23dd4164d60c69dd1d3d434e09fb46cbfcaadfbace5d3375a308559574c298f57633d4a17668b6c6b7505e215970 |
memory/3780-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4328-13-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | e3eb669804d33366da278c6ec816f93d |
| SHA1 | 5c0cd05b867f85e42050ead7520013cfdadcf9b4 |
| SHA256 | a5853ef0301342f5261a51ebec01354f0e20775de758888da8178ed34ad79a1e |
| SHA512 | 888c64e40fd930f05b21305237b98e467433f0ae8881ac8b00894bbd4b6e42ebb58d85ed6ce78fcd2f172a0633508d7de0d063b86b1781ee5f72bd314a27c269 |
memory/4328-17-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2592-18-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2592-20-0x0000000000400000-0x000000000042A000-memory.dmp