Analysis Overview
SHA256
1aecab2ee4b82a01907500f7ad965293c0ccb0b2d18efeefcdbb96be57752a8b
Threat Level: Known bad
The file 5e343af0ec0d5a6d63e2a8dbb3120570_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-17 07:02
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 07:02
Reported
2024-06-17 07:05
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e343af0ec0d5a6d63e2a8dbb3120570_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e343af0ec0d5a6d63e2a8dbb3120570_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\5e343af0ec0d5a6d63e2a8dbb3120570_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\5e343af0ec0d5a6d63e2a8dbb3120570_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Note that the third process is the file dropped at C:\Windows\SysWOW64\omsecor.exe, yet its command line names C:\Windows\System32\omsecor.exe: the sample is 32-bit, and WoW64 file system redirection presents SysWOW64 to a 32-bit process under the System32 name. Hunting rules keyed on the literal System32 path will miss the file on disk.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/1732-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 1e5bd319819b500504be0089e51a2a3c |
| SHA1 | 67933e33f67c629647f402b0449b1b7a117544fa |
| SHA256 | b06519cb8c3dbcce1810c6f28e6d3417eb17b82516754e8e3795aac56ce8e2b5 |
| SHA512 | 8dc1c20b2b2a6c0720a8321422b6c9f68fdf2a4932370b868bc05a1fa87217d2073876d4782fa515a2d1401ee8898bc84992fa71aa4d70a3018c139484aa4610 |
memory/1732-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2160-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2160-12-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 2cbd037f40c3ca5b1a3a79e249bde495 |
| SHA1 | 9c21ecd1b8a35180b6fc13737f600ae7ae478a28 |
| SHA256 | 48d6e37c8e81b9bf5d913d752ec8e584a533c2bfb8f67ab7028310520c656bd1 |
| SHA512 | 18613f1e891fffc8d9eb1d709f4a8303612c9c517b020afefdedab7326c8d4cfd32bf397820457dbb4533874711e65e14539a16d66788eaa5a54709b36c10db8 |
memory/2160-15-0x00000000003D0000-0x00000000003FB000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | a910597b1a53e0b2e901c426a7c06b0f |
| SHA1 | 1c08aa5f8814cf33e141058531bb57623a3ff71f |
| SHA256 | 6f27dcce41250f465976f353c3d3244502f36751f8cc180693dc9cb24ec3477c |
| SHA512 | ad63973685500d3cbfa52d60b30281d21a1fe4851740a89cc2179716c89dd15400a5361b14f01c1516d00e9b78d71c9801d118fe93b3438898e4366fe5f653d0 |
memory/1440-33-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1752-25-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2160-21-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1440-35-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 07:02
Reported
2024-06-17 07:05
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4364 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5e343af0ec0d5a6d63e2a8dbb3120570_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4364 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5e343af0ec0d5a6d63e2a8dbb3120570_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4364 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\5e343af0ec0d5a6d63e2a8dbb3120570_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 2580 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2580 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 2580 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\5e343af0ec0d5a6d63e2a8dbb3120570_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\5e343af0ec0d5a6d63e2a8dbb3120570_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/4364-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 1e5bd319819b500504be0089e51a2a3c |
| SHA1 | 67933e33f67c629647f402b0449b1b7a117544fa |
| SHA256 | b06519cb8c3dbcce1810c6f28e6d3417eb17b82516754e8e3795aac56ce8e2b5 |
| SHA512 | 8dc1c20b2b2a6c0720a8321422b6c9f68fdf2a4932370b868bc05a1fa87217d2073876d4782fa515a2d1401ee8898bc84992fa71aa4d70a3018c139484aa4610 |
memory/2580-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4364-5-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2580-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | a356928e6b43fdb83b8a09de7adb223d |
| SHA1 | 9f46790dbb3bd58c27858452b38f52cb4812098d |
| SHA256 | 4d6731e0747d5a8390b784db25645ae35f98cef92d06b9a1cd6552f8da99bf20 |
| SHA512 | 6f4113e7e24676434c9a457c3111539f992e00e8125475bfee470b9cd99a9b926769daa7278d3ea312d692f016707a7acdabacc431cbc8e567928bde5e52cfc6 |
memory/1644-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2580-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1644-14-0x0000000000400000-0x000000000042B000-memory.dmp
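The indicators in the two detonations above (the three queried domains, the two omsecor.exe drop locations, the parent-child chain from the WriteProcessMemory table, and the SHA256 values) can be turned directly into host-side detection logic. The script below is an added example and is not part of the sandbox report; only the domains, paths and hashes are taken from the report. The Sysmon-style process, file-create and DNS events at the bottom are constructed to exercise the matcher offline, and the PIDs reuse the win10 run's 4364 -> 2580 -> 1644 chain. It also handles the one edge case the report itself shows: the SysWOW64 copy being logged under the redirected System32 name.

```python
"""Host-side IOC matcher for the omsecor.exe (Neconyd) sandbox report.

Added example, not part of the report. Domains, drop paths and hashes are
copied from the report; the events at the bottom are constructed.
"""
import re

# --- Indicators copied from the report ------------------------------------
SAMPLE_SHA256 = "1aecab2ee4b82a01907500f7ad965293c0ccb0b2d18efeefcdbb96be57752a8b"
DROPPED_SHA256 = {
    "b06519cb8c3dbcce1810c6f28e6d3417eb17b82516754e8e3795aac56ce8e2b5",  # %AppData%\omsecor.exe
    "6f27dcce41250f465976f353c3d3244502f36751f8cc180693dc9cb24ec3477c",  # %AppData%\omsecor.exe, second copy (win7 run)
    "48d6e37c8e81b9bf5d913d752ec8e584a533c2bfb8f67ab7028310520c656bd1",  # SysWOW64\omsecor.exe (win7 run)
    "4d6731e0747d5a8390b784db25645ae35f98cef92d06b9a1cd6552f8da99bf20",  # SysWOW64\omsecor.exe (win10 run)
}
KNOWN_SHA256 = DROPPED_SHA256 | {SAMPLE_SHA256}
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}
# Drop locations as produced by normalize_path(): user wildcarded, WoW64 collapsed.
DROP_PATHS = {
    r"c:\users\*\appdata\roaming\omsecor.exe",
    r"c:\windows\syswow64\omsecor.exe",
}


def normalize_path(path: str) -> str:
    """Canonicalize a Windows path for IOC comparison.

    The user profile directory is wildcarded so the %AppData% drop matches for
    any account, and C:\\Windows\\System32 is mapped onto C:\\Windows\\SysWOW64:
    the 32-bit dropper writes SysWOW64\\omsecor.exe, but the report's process
    list shows its command line as System32\\omsecor.exe because WoW64 file
    system redirection presents SysWOW64 to 32-bit code under the System32
    name. Collapsing the two is deliberate; it also collapses genuine 64-bit
    System32 paths, so check process bitness if that distinction matters.
    """
    p = path.lower().replace("/", "\\")
    p = re.sub(r"^c:\\users\\[^\\]+\\", r"c:\\users\\*\\", p)
    p = p.replace("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
    return p


def dns_hit(query: str) -> bool:
    """True for a C2 domain or any subdomain of one; trailing dots are ignored."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def match_event(ev: dict) -> list[str]:
    """Return the IOC tags one event matches (empty list means clean)."""
    hits = []
    if ev.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append("hash")
    if ev["type"] == "process":
        img = normalize_path(ev["image"])
        parent = normalize_path(ev["parent_image"])
        if img in DROP_PATHS:
            hits.append("exec_dropped")
        if parent in DROP_PATHS and img in DROP_PATHS:
            # %AppData%\omsecor.exe spawning SysWOW64\omsecor.exe, as in the
            # "PID 2580 wrote to memory of 1644" rows of the report.
            hits.append("dropper_chain")
    elif ev["type"] == "file_create":
        if normalize_path(ev["target"]) in DROP_PATHS:
            hits.append("drop")
    elif ev["type"] == "dns":
        if dns_hit(ev["query"]):
            hits.append("c2_dns")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Aggregate matched tags per PID, omitting PIDs with no hits."""
    by_pid: dict[int, list[str]] = {}
    for ev in events:
        for tag in match_event(ev):
            by_pid.setdefault(ev["pid"], []).append(tag)
    return by_pid


# Constructed Sysmon-style events (process create, file create, DNS query),
# mirroring the win10 run's PID chain plus three benign events that must not match.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\5e343af0ec0d5a6d63e2a8dbb3120570_NeikiAnalytics.exe"
EVENTS = [
    {"type": "process", "pid": 4364, "image": DROPPER,
     "parent_image": r"C:\Windows\explorer.exe", "sha256": SAMPLE_SHA256},
    {"type": "file_create", "pid": 4364, "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "process", "pid": 2580, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "parent_image": DROPPER,
     "sha256": "b06519cb8c3dbcce1810c6f28e6d3417eb17b82516754e8e3795aac56ce8e2b5"},
    {"type": "file_create", "pid": 2580, "target": r"C:\Windows\SysWOW64\omsecor.exe"},
    # Logged under the redirected System32 name, exactly as the report's process list shows it.
    {"type": "process", "pid": 1644, "image": r"C:\Windows\System32\omsecor.exe",
     "parent_image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"type": "dns", "pid": 1644, "query": "lousta.net"},
    {"type": "dns", "pid": 1644, "query": "cdn.mkkuei4kdsz.com."},   # subdomain with trailing dot
    {"type": "dns", "pid": 900, "query": "lousta.net.example.org"},   # lookalike, must not match
    {"type": "process", "pid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for pid, tags in sorted(scan(EVENTS).items()):
        print(pid, tags)
```

Feeding real Sysmon events only requires mapping EventID 1 (Image, ParentImage, Hashes), 11 (TargetFilename) and 22 (QueryName) onto the same dict keys. The second %AppData% hash and the two SysWOW64 hashes differ between runs, so hash matching alone is weak for this family; the drop path, the omsecor.exe -> omsecor.exe parent-child pair and the DNS names are the more durable indicators.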