Malware Analysis Report

2024-09-11 08:25

Sample ID: 240617-kaz6tawerk
Target: 69ea3a90daa51e9572e72498128b7150_NeikiAnalytics.exe
SHA256: 0d896e1e34b5c9f76d8e7280e0cacfb5b124d93db8aa426dab65a9b1fd316c49
Tags: neconyd, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 0d896e1e34b5c9f76d8e7280e0cacfb5b124d93db8aa426dab65a9b1fd316c49

Threat Level: Known bad

The file 69ea3a90daa51e9572e72498128b7150_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-17 08:24

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 08:24
Reported: 2024-06-17 08:27
Platform: win7-20240508-en
Max time kernel: 146s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69ea3a90daa51e9572e72498128b7150_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1940 wrote to memory of 2168 (4 identical entries) | N/A | C:\Users\Admin\AppData\Local\Temp\69ea3a90daa51e9572e72498128b7150_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2168 wrote to memory of 2584 (4 identical entries) | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2584 wrote to memory of 1988 (4 identical entries) | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69ea3a90daa51e9572e72498128b7150_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\69ea3a90daa51e9572e72498128b7150_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | lousta.net | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5: 2c2dc0fdc1dd901229a7b3722ac801c6
SHA1: 0d6ae1dc959de3d1fb16ebd1a3cd4de900be1cea
SHA256: 0e06376925699780e5f8fde5dafa03955688b71d69ba3842ec1529db38ff96b6
SHA512: 2c55fea885c42787b663a8f94e07a7a398fb2465cb51a1afce666d6b3f0e554b14e6a9e5eb2593db51eccf9b85956b889cbe2aacc3f7736cb2ca46aede2de50f

\Windows\SysWOW64\omsecor.exe

MD5: 68a67d6a11cfe0dc9db6975e22b3c1ba
SHA1: f46527be5777ec37e0564c6019d910cd00eb8315
SHA256: f308c97bcb68b0ebcb2356e9e3bc8413f482e5da1d8348ec8327c6bfdbce052a
SHA512: 9d1e70642f21cde1eb05f5d01d5124f39ea31a5c55db4731ee814fdfcde30f382a60b369075f9675efb807d2f1a1ef8d58f0712ba9bead282b86c28068bcb4bd

\Users\Admin\AppData\Roaming\omsecor.exe

MD5: c3e1d5a6204c7dc61699e243ac011127
SHA1: 7ed5c628460a55acb345ae9bfbdf79fb06ee0f5f
SHA256: 2029e0a115d031d4caff9d7f1a7c709272b253861209cb5e07c1d5e31c4577b7
SHA512: d43c882d7395159f0da205f8a3f144af3a326658679486df4f47941c4abe4c1682a49bbc81aa258e251decd87d6d8854555a123070652651ca5a3100d03e8a3d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 08:24
Reported: 2024-06-17 08:27
Platform: win10v2004-20240611-en
Max time kernel: 145s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69ea3a90daa51e9572e72498128b7150_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\69ea3a90daa51e9572e72498128b7150_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\69ea3a90daa51e9572e72498128b7150_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lousta.net | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
NL | 23.62.61.107:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | mkkuei4kdsz.com | udp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp
US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp
US | 8.8.8.8:53 | ow5dirasuek.com | udp
US | 52.34.198.229:80 | ow5dirasuek.com | tcp
US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp
FI | 193.166.255.171:80 | lousta.net | tcp
FI | 193.166.255.171:80 | lousta.net | tcp
US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5: 2c2dc0fdc1dd901229a7b3722ac801c6
SHA1: 0d6ae1dc959de3d1fb16ebd1a3cd4de900be1cea
SHA256: 0e06376925699780e5f8fde5dafa03955688b71d69ba3842ec1529db38ff96b6
SHA512: 2c55fea885c42787b663a8f94e07a7a398fb2465cb51a1afce666d6b3f0e554b14e6a9e5eb2593db51eccf9b85956b889cbe2aacc3f7736cb2ca46aede2de50f

C:\Windows\SysWOW64\omsecor.exe

MD5: 68568fe56ed49a50d5facfa6894c09db
SHA1: 9f02f5db47aedd19a8099d43e35b37f1885a1642
SHA256: 3a26945ef2f1b55fe23996c8da3d9b1c54e166b11c10b39245643850105cdaa9
SHA512: cb05ab2f6246ad4b390716de9a06f08a55a8a054994d20a5d923b6f3fcffb26b0dfa5e3759b7004b7bb2b63810368cfe242db717c68a47b61f22d5d63033e66c

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5: f4356743998163d97649e79086bb0ff5
SHA1: 684e47d36206d04a2a541ebd07a60cf942172959
SHA256: 8a1b397572cc02ab8956b1b4fc0372d7e51818856e42ea2984d29dda1165c843
SHA512: 633e08681a7182687a6bc0e23221394cc23dc19862949c3949640ff822b5828705f2fc73864f33f4699ed5164a86215253f9375178ef467d4aa7dac1256015ec