Malware Analysis Report

2024-09-11 08:26

Sample ID: 240617-egdnhaxcmk
Target: 43cd6a30e7075d628e02080a5354b830_NeikiAnalytics.exe
SHA256: 743540e859ccbce3421b3fb1a3df2ec7dac544483488cfd3538233480e01ac75
Tags: neconyd, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 743540e859ccbce3421b3fb1a3df2ec7dac544483488cfd3538233480e01ac75
Threat Level: Known bad

The file 43cd6a30e7075d628e02080a5354b830_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan (Neconyd family)
Executes dropped EXE: omsecor.exe, run from C:\Users\Admin\AppData\Roaming and from C:\Windows\SysWOW64
Loads dropped DLL
Drops file in System32 directory: C:\Windows\SysWOW64\omsecor.exe, written by the Roaming copy of omsecor.exe
Unsigned PE
Suspicious use of WriteProcessMemory: each process in the launch chain writes into the child it spawns (recorded in behavioral1)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-17 03:54

Signatures

Neconyd family
neconyd
Unsigned PE

No per-signature indicator, process or target was recorded for the static pass.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 03:54
Reported: 2024-06-17 03:56
Platform: win7-20240508-en
Max time kernel: 146s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43cd6a30e7075d628e02080a5354b830_NeikiAnalytics.exe"

Signatures

Neconyd
trojan neconyd

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Process: C:\Windows\SysWOW64\omsecor.exe
Process: C:\Users\Admin\AppData\Roaming\omsecor.exe

Drops file in System32 directory

File created: C:\Windows\SysWOW64\omsecor.exe, by process C:\Users\Admin\AppData\Roaming\omsecor.exe

Suspicious use of WriteProcessMemory

PID 2384 wrote to memory of 2256 (4 events): C:\Users\Admin\AppData\Local\Temp\43cd6a30e7075d628e02080a5354b830_NeikiAnalytics.exe -> C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2256 wrote to memory of 2468 (4 events): C:\Users\Admin\AppData\Roaming\omsecor.exe -> C:\Windows\SysWOW64\omsecor.exe
PID 2468 wrote to memory of 884 (4 events): C:\Windows\SysWOW64\omsecor.exe -> C:\Users\Admin\AppData\Roaming\omsecor.exe

Each write goes from a parent into the child it has just started, so these events pin down the launch chain 2384 -> 2256 -> 2468 -> 884. Parent-to-child writes of this shape also occur during ordinary process creation (the parent populates the new process's startup parameters), so on their own they establish the chain rather than prove code injection.

Processes

Image path followed by the command line as recorded, in launch order (matching the WriteProcessMemory chain 2384 -> 2256 -> 2468 -> 884):

C:\Users\Admin\AppData\Local\Temp\43cd6a30e7075d628e02080a5354b830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\43cd6a30e7075d628e02080a5354b830_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

Note the third process: its command line names C:\Windows\System32\omsecor.exe but its image path is C:\Windows\SysWOW64\omsecor.exe. That is WoW64 file-system redirection: a 32-bit process that writes to or launches from System32 on 64-bit Windows is silently redirected to SysWOW64. It is consistent with the sample being a 32-bit binary, and it is why the "Drops file in System32 directory" signature records the dropped file under SysWOW64. Hunting rules that match only on \System32\ will miss this copy.
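The chain above (the sample in Temp writes omsecor.exe to Roaming, the Roaming copy writes and launches a SysWOW64 copy, which in turn relaunches the Roaming copy) is the kind of behaviour endpoint telemetry can catch without any hash. The following is an added example, not code from the report or from the sandbox vendor: it runs three rules over constructed Sysmon-style process-creation and file-creation events modelled on the behavioral1 PIDs and paths, and rebuilds the launch chain from parent PIDs. The rule names, the event field layout, the parent of the first process and the benign control event are assumptions, not data from the report.

```python
"""Detection logic for the drop-and-spawn chain recorded in behavioral1.

Added example, not part of the sandbox report or its tooling. EVENTS is a
constructed list of process-creation (EventID 1) and file-creation
(EventID 11) records in the shape of Sysmon events, modelled on the report's
chain 2384 -> 2256 -> 2468 -> 884 and the two omsecor.exe drops. The parent
of the first process and the benign control event are invented.
"""
import ntpath
import re
from collections import defaultdict

# Path classes used by the rules (drive letter and user name are wildcards).
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\43cd6a30e7075d628e02080a5354b830_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed events (Sysmon-style field names), mirroring the report's chain.
EVENTS = [
    {"EventID": 1, "ProcessId": 2384, "ParentProcessId": 1000,
     "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 2384, "Image": SAMPLE, "TargetFilename": ROAMING},
    {"EventID": 1, "ProcessId": 2256, "ParentProcessId": 2384,
     "Image": ROAMING, "ParentImage": SAMPLE},
    {"EventID": 11, "ProcessId": 2256, "Image": ROAMING, "TargetFilename": SYSWOW64},
    {"EventID": 1, "ProcessId": 2468, "ParentProcessId": 2256,
     "Image": SYSWOW64, "ParentImage": ROAMING},
    {"EventID": 1, "ProcessId": 884, "ParentProcessId": 2468,
     "Image": ROAMING, "ParentImage": SYSWOW64},
    # Benign control: an installer in Temp writing a log next to itself.
    {"EventID": 11, "ProcessId": 3100,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\setup.log"},
]


def detect(events):
    """Return (rule, pid, detail) tuples for events that match the chain's traits."""
    alerts = []
    for e in events:
        image = e["Image"]
        if e["EventID"] == 11:
            # Rule 1: a binary living under the user profile creates a file in a
            # system directory (System32 or its WoW64 twin).
            if USER_PROFILE_RE.match(image) and SYSTEM_DIR_RE.match(e["TargetFilename"]):
                alerts.append(("user_profile_binary_writes_system_dir",
                               e["ProcessId"], e["TargetFilename"]))
        elif e["EventID"] == 1:
            parent = e["ParentImage"]
            # Rule 2: something in %TEMP% launches an executable from elsewhere
            # in the profile (here Temp -> Roaming).
            if TEMP_RE.match(parent) and USER_PROFILE_RE.match(image):
                alerts.append(("temp_spawns_profile_exe", e["ProcessId"], image))
            # Rule 3: a process launches a same-named binary on the other side of
            # the profile / system-directory boundary (Roaming -> SysWOW64 -> Roaming).
            same_name = ntpath.basename(image).lower() == ntpath.basename(parent).lower()
            hop = ((SYSTEM_DIR_RE.match(image) and USER_PROFILE_RE.match(parent)) or
                   (USER_PROFILE_RE.match(image) and SYSTEM_DIR_RE.match(parent)))
            if same_name and hop:
                alerts.append(("same_name_profile_system_hop",
                               e["ProcessId"], f"{parent} -> {image}"))
    return alerts


def process_chain(events, root_pid):
    """Breadth-first list of PIDs descending from root_pid, built from EventID 1 records."""
    children = defaultdict(list)
    for e in events:
        if e["EventID"] == 1:
            children[e["ParentProcessId"]].append(e["ProcessId"])
    chain, queue = [], [root_pid]
    while queue:
        pid = queue.pop(0)
        chain.append(pid)
        queue.extend(children[pid])
    return chain


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule}: pid {pid} {detail}")
    print("chain:", " -> ".join(map(str, process_chain(EVENTS, 2384))))
```

Rule 3 is the most specific of the three: legitimate software rarely launches a same-named copy of itself across the profile/system boundary. Rule 2 on its own will also fire on installers that unpack into Roaming, so in production it belongs paired with the unsigned-PE check the report also records. The benign control event produces no alert.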

Network

Only DNS queries to the sandbox resolver were recorded in this run; no TCP connection followed any of the queries.

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

Files

The Roaming path is listed twice with different digests, so omsecor.exe was rewritten during the run; the SysWOW64 copy also differs between behavioral1 and behavioral2. The dropped-file hashes are therefore per-copy values, and the paths and behaviour are the more durable indicators.

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dda4fc2fb6ce2664f9318565118764d7
SHA1 b3f9382ef95d86b40247b2a1fb7119f51c22a7d0
SHA256 1273a6e4bdb929fd6af9df4eb3c9caef9d886b851987af54f2261facbace7d1f
SHA512 4fce5b02c225fa13b374edabdfb9e62a5b0611c741e803a7d5887aa920b134023996ec165fb3a47018908e07bfcc57ae385950673bf6dc651bd55749fb9474f2

\Windows\SysWOW64\omsecor.exe

MD5 cb0109dffc0aa37d082af6481349bc8f
SHA1 dc78c15662e9311975ba561b605d36b38d9bd818
SHA256 f3f4c5e57da1a899f18b1b659b9849cb12f7d450b7f7aff4cb0662e874a10cf7
SHA512 d8e8db7b627c49943fce83637383918716b9aef385bfeeb14ad6bb2f81bc5580e0389193487c25187b79d4c02bb8f1e2cb56b125b93e29acfec202cd353cbee9

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 2ec8ebb487b5c476c449bbd6babe7e4c
SHA1 875c1ff764496f8bd4707f6a6f721cd4db072c57
SHA256 e946b580321a4d66fd2e9a2024f70ade3ccc93f49149f8c49382268fe2522024
SHA512 411af1c71c0fe0b08bfc8a672990b8ae15ac045d234b2b85e50cc43df9692cbb171dfa5a05963a39e116d10707a5a2920b9a6c653da9580103a7956c3fcff289

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 03:54
Reported: 2024-06-17 03:56
Platform: win10v2004-20240611-en
Max time kernel: 148s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43cd6a30e7075d628e02080a5354b830_NeikiAnalytics.exe"

Signatures

Neconyd
trojan neconyd

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\omsecor.exe
Process: C:\Windows\SysWOW64\omsecor.exe
Process: C:\Users\Admin\AppData\Roaming\omsecor.exe

Drops file in System32 directory

File created: C:\Windows\SysWOW64\omsecor.exe, by process C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image path followed by the command line as recorded, in launch order as listed. This run records no WriteProcessMemory events, so the parent/child relationship is inferred from the order, which matches behavioral1. The SysWOW64 image path against a System32 command line is again WoW64 file-system redirection.

C:\Users\Admin\AppData\Local\Temp\43cd6a30e7075d628e02080a5354b830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\43cd6a30e7075d628e02080a5354b830_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Three of the queried names resolved and were contacted over TCP/80: lousta.net (193.166.255.171, FI), mkkuei4kdsz.com (64.225.91.73, US) and ow5dirasuek.com (52.34.198.229, US). The g.bing.com and www.bing.com connections and the *.in-addr.arpa reverse lookups are most plausibly Windows 10 background traffic and resolver activity; the report does not attribute them to a process, so they should not be treated as sample indicators without further evidence.

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

As in behavioral1, the Roaming path appears twice with different digests, and the SysWOW64 copy's digests differ from the win7 run.

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 dda4fc2fb6ce2664f9318565118764d7
SHA1 b3f9382ef95d86b40247b2a1fb7119f51c22a7d0
SHA256 1273a6e4bdb929fd6af9df4eb3c9caef9d886b851987af54f2261facbace7d1f
SHA512 4fce5b02c225fa13b374edabdfb9e62a5b0611c741e803a7d5887aa920b134023996ec165fb3a47018908e07bfcc57ae385950673bf6dc651bd55749fb9474f2

C:\Windows\SysWOW64\omsecor.exe

MD5 7ed78f1d5e3afa9d254f29857e60e691
SHA1 5b0e822f913f58d2763a9c21e493cddfb5ebf67c
SHA256 f10d76c37f9bf07edceaf4440bf8ba65a259071be100f164d6f0fc27191b09f5
SHA512 2807e518c6a5459b8f80b9bede00a46fd9aa7f9725f383cc22f5ee10a757bbd95e471f8e8c45f937131c449e6cbbd8a5a104732a3bb3b38f3febbe0e4937030a

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 625a9969c521650aa9d9740946844066
SHA1 bc9a099b2c0f5a828db0c428e034cd7e160a6fd2
SHA256 bd4cc11c77ed90f6ae6a83b2a4e3c63c02c93739809c8161e1bbd12b99f8d4fc
SHA512 0d710f0ec1a340907156059df2da6c982c958f1054fc359b39dce0a8f8b8d82d12695528384ba6c650234becf65dc48b7288122e93e0721088f494b47e5854df
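The Network and Files tables of behavioral1 and behavioral2 carry the report's indicators, mixed with resolver traffic, reverse lookups and OS background noise, and with dropped-file digests that change between copies and runs. The following added example (not the report's or the sandbox's own code) parses an excerpt of those rows into a deduplicated indicator set: it separates the names the sample queried from the addresses it actually connected to, ties each digest to the file path it belongs to, and rejects digests of the wrong length for their algorithm. REPORT_EXCERPT is constructed from rows copied out of behavioral2; treating 8.8.8.8:53 as the sandbox resolver and *.in-addr.arpa and *.bing.com as environment noise is an assumption, not something the report states.

```python
"""Extract indicators from the report's Network and Files tables.

Added example, not part of the sandbox report or its tooling. REPORT_EXCERPT
is a constructed excerpt made of rows copied from behavioral2; the noise
rules are assumptions: 8.8.8.8:53 is treated as the sandbox resolver,
*.in-addr.arpa as reverse lookups and *.bing.com as OS background traffic.
"""
import json
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
C:\Users\Admin\AppData\Roaming\omsecor.exe
MD5 dda4fc2fb6ce2664f9318565118764d7
SHA1 b3f9382ef95d86b40247b2a1fb7119f51c22a7d0
SHA256 1273a6e4bdb929fd6af9df4eb3c9caef9d886b851987af54f2261facbace7d1f
C:\Windows\SysWOW64\omsecor.exe
MD5 7ed78f1d5e3afa9d254f29857e60e691
SHA256 f10d76c37f9bf07edceaf4440bf8ba65a259071be100f164d6f0fc27191b09f5
"""

NET_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
                    r"(?P<name>\S+) (?P<proto>tcp|udp)$")
HASH_RE = re.compile(r"^(?P<alg>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S+$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SANDBOX_RESOLVER = "8.8.8.8:53"                  # assumption: the sandbox's upstream DNS
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com")  # assumption: environment, not sample, traffic


def is_noise(name):
    """True for names the analysis environment, not the sample, is expected to produce."""
    return name.lower().endswith(NOISE_SUFFIXES)


def extract_iocs(text):
    """Parse report rows into deduplicated, noise-filtered indicators.

    Raises ValueError on a digest whose length does not match its algorithm,
    which catches a truncated copy-paste before a bad IOC reaches a blocklist.
    """
    domains, resolved = set(), defaultdict(set)
    hashes, files, current_path = defaultdict(set), {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := NET_RE.match(line):
            name, dst = m["name"], f"{m['ip']}:{m['port']}"
            if is_noise(name):
                continue
            domains.add(name)
            if dst != SANDBOX_RESOLVER:          # a real connection, not the DNS lookup
                resolved[name].add(dst)
        elif m := HASH_RE.match(line):
            alg, digest = m["alg"], m["hex"].lower()
            if len(digest) != HASH_LEN[alg]:
                raise ValueError(f"{alg} digest has {len(digest)} hex chars, expected {HASH_LEN[alg]}")
            hashes[alg].add(digest)
            if current_path is not None:
                files.setdefault(current_path, {})[alg] = digest
        elif PATH_RE.match(line):
            current_path = line                  # digests that follow belong to this file
    return {
        "domains": sorted(domains),
        "resolved": {n: sorted(d) for n, d in resolved.items()},
        "hashes": {alg: sorted(d) for alg, d in hashes.items()},
        "files": files,
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(REPORT_EXCERPT), indent=2))
```

Run it to get JSON ready for a blocklist. Feed it the full tables and note the two views of the dropped files: "hashes" keeps every digest seen, while "files" keeps the last digest recorded per path, so the Roaming entry that the report lists twice with different digests shows up as two SHA256 values but one path. That asymmetry is the point for this family: the three domains and the drop paths are the stable indicators, the dropped-file hashes are not.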