Analysis Overview
SHA256
4aac4177e6605e8def14c1757002f72f3abbdb3d92c71fdaa6a17197b4a3ed6a
Threat Level: Known bad
The file 51d4f42871968ec308e9b14159b46400_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-17 05:33
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 05:33
Reported
2024-06-17 05:36
Platform
win7-20231129-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\51d4f42871968ec308e9b14159b46400_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\51d4f42871968ec308e9b14159b46400_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\51d4f42871968ec308e9b14159b46400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51d4f42871968ec308e9b14159b46400_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ff9fd5fa9618da19c0b13365230b5cf9 |
| SHA1 | 2b133b4ff0e2790ee2f494b67148b68677565ffa |
| SHA256 | df34a30f1ef442f969ceea29487b8151f8630f33e5a2329a4a5c4e862f623a1b |
| SHA512 | 7cd886afc1f81957da3b023984388abd9e3f8734cd3f6ef6f149552c8729a159ccfe453eef2d2569c652e9c05cc65a50d790f88e158cf97db3451ecd5d6fe3b9 |
\Windows\SysWOW64\omsecor.exe
| MD5 | a4badd283fe70c66e17cea76eb5b076e |
| SHA1 | 206741babe315d3368e0dbbcb3d18923ac830050 |
| SHA256 | 39654ea913ec57f79aa9f3ffdad5db9a0c18e8b220a28f3a63937e74e08b2102 |
| SHA512 | b1681acd4243c37422287274c3a4a8709fb7fa64da7224295b0a3113ffa9fed175745c82f4cd2add87bbad996240d0e682a7220a1d5cdc2c9f1fe08427065942 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 10f750adbb506be4b670bb6309ebf702 |
| SHA1 | 0f84be3a1d7beed508150867f6767eba61cf946e |
| SHA256 | 129c45bf4407a8e3e02b9eb4adbc42180a02b373102b034240296c13d8b52774 |
| SHA512 | e4f5816a8a14e3780e43ee66f022598b7673c829e5cf828d09040bce08c488ad507c696f669f939a8cd680b7a8f736ab8f4d3894989f9ecb7538a3dd75b57c7a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 05:33
Reported
2024-06-17 05:36
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\51d4f42871968ec308e9b14159b46400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51d4f42871968ec308e9b14159b46400_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | ff9fd5fa9618da19c0b13365230b5cf9 |
| SHA1 | 2b133b4ff0e2790ee2f494b67148b68677565ffa |
| SHA256 | df34a30f1ef442f969ceea29487b8151f8630f33e5a2329a4a5c4e862f623a1b |
| SHA512 | 7cd886afc1f81957da3b023984388abd9e3f8734cd3f6ef6f149552c8729a159ccfe453eef2d2569c652e9c05cc65a50d790f88e158cf97db3451ecd5d6fe3b9 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | d28f35098b30473f86d4eb579ef36b72 |
| SHA1 | f8c41027605ac9f1de62e588cb1ea790a088427e |
| SHA256 | 81b5fdc3d5f9af11550f157c62c98bf7d74d8353f23864fa1ff820950a4572aa |
| SHA512 | 99300ed8f65e77286b37213d44af9f0ff035a73b6d63077d9a73e0403b743a3ca55f0cc6d46b18a2cb7a9c39d3921af4f3114573d5b5a52f54ca3fde1ecb4ed9 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | c48e129ffb5136ecdb031dcb9eea0b26 |
| SHA1 | 7798360ccfc5fd21229c3a08911bb666d65dd50d |
| SHA256 | d242c408332d4e7a402e0fc75a2b64e87e5e41d6c8f23bee2392ac657edab02b |
| SHA512 | dc839ae207088ee594179d07b88ce5ac5c69c39ca6ef05abdbb591ff654287b64014072c676fc82fc7137d5b18acac9265bdaf1a6ea6d229ab2b38dd6fd43676 |