Analysis Overview
SHA256
29496f78da2cdad594a897aa6a124e3786f61641b14fd176525d3e4c415ef89f
Threat Level: Known bad
The file 6f7863bda2d246b5d0de93517963a050_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-17 09:01
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 09:01
Reported
2024-06-17 09:04
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1244 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\6f7863bda2d246b5d0de93517963a050_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1244 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\6f7863bda2d246b5d0de93517963a050_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1244 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\6f7863bda2d246b5d0de93517963a050_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4876 wrote to memory of 3344 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4876 wrote to memory of 3344 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4876 wrote to memory of 3344 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6f7863bda2d246b5d0de93517963a050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f7863bda2d246b5d0de93517963a050_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| BE | 88.221.83.209:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
memory/1244-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0f679adf1131f910c7f6cc4b59fa0ffd |
| SHA1 | 61690019a301a391473ba3fe740ab8d93f26d215 |
| SHA256 | f8ced4a5433797196ab24dddfb9041acc966a61dc07932123198c139c59b6f47 |
| SHA512 | 55b31564a1e084fe3d5db19e7da6efa7c2a073e0be0011d9ae465dad2b65fb4cc705eef1b41689dd60f9e664bd6ced2f43dfd8693a191fe4bbd42b8a7f1deaa2 |
memory/4876-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1244-5-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4876-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4876-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4876-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4876-15-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 93de5a36768c53e275aba84c15effc06 |
| SHA1 | b3fec75ed9edb853ae7a033fcba684ec26f9e638 |
| SHA256 | cd832d5e9cf07f002030df048876094f1fad499e64e278f4a6129ebee0ede729 |
| SHA512 | 323edf3a3e1a9266f203b2c73aea4a252ae2eae910f635a96f0e71d95af6eb92cd8d2a481649d293a8349ac519870084aea35e58ac17ae5fc689d28d9fc29de3 |
memory/3344-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4876-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3344-23-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3344-26-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 09:01
Reported
2024-06-17 09:04
Platform
win7-20240611-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f7863bda2d246b5d0de93517963a050_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f7863bda2d246b5d0de93517963a050_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6f7863bda2d246b5d0de93517963a050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f7863bda2d246b5d0de93517963a050_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/1900-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0f679adf1131f910c7f6cc4b59fa0ffd |
| SHA1 | 61690019a301a391473ba3fe740ab8d93f26d215 |
| SHA256 | f8ced4a5433797196ab24dddfb9041acc966a61dc07932123198c139c59b6f47 |
| SHA512 | 55b31564a1e084fe3d5db19e7da6efa7c2a073e0be0011d9ae465dad2b65fb4cc705eef1b41689dd60f9e664bd6ced2f43dfd8693a191fe4bbd42b8a7f1deaa2 |
memory/1900-10-0x0000000000220000-0x000000000024D000-memory.dmp
memory/1900-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2784-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1900-9-0x0000000000220000-0x000000000024D000-memory.dmp
memory/2784-15-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2784-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2784-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2784-24-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 4f80d2f30c87e72126b8c600f5a69fd7 |
| SHA1 | 9f67be1bbddab22a301d83b3be3dff26a007cfa9 |
| SHA256 | 906400107a05efed372ae96a05889c2272c1ca3100ca2162830e7d51f5b0e040 |
| SHA512 | 72051acf84c16927fccaa3a65e5dd5ef7ba9475545f0dbf9203ce572bf5e560968bc7afc6ac61024043fa375338de5649f377ada803721370909124ec9ace04a |
memory/2784-27-0x0000000002360000-0x000000000238D000-memory.dmp
memory/2784-34-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2160-36-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8e35b2bb3a5fb1c1b17f6e772c5b12a5 |
| SHA1 | b7b62e1b5079cc4d05eb34565aad381dd8de494d |
| SHA256 | 03abe73e8ba9336e99eb4340a77cfc182afa1579b2d41cdb9bca9a3fdfa8494d |
| SHA512 | d73b504b7fb5ac52571e0a2d0f6fc6ebd5fa470ba814bd428456c4711f20e6101f4a57625a34a943117b8a575875e5b2ef7c407c965ddffa80c9be7c1157d180 |
memory/1128-48-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2160-46-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1128-50-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1128-53-0x0000000000400000-0x000000000042D000-memory.dmp