Malware Analysis Report

2024-09-11 08:19

Sample ID: 240617-q7y8nstdra
Target: 9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe
SHA256: 1285a2d8bcdde517b7b583ab4b895b0eb8e30740d654a2c4b3729164f7360e73
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 1285a2d8bcdde517b7b583ab4b895b0eb8e30740d654a2c4b3729164f7360e73

Threat Level: Known bad

The file 9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-17 13:54

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 13:54
Reported: 2024-06-17 13:57
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
File opened for modification C:\Windows\SysWOW64\merocz.xc6 C:\Windows\SysWOW64\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0c2f241727d3a66b1e1e5fee21c4bc56
SHA1 e6d7fe7d27a88d0efe296a6670a4ace694e98c10
SHA256 5aad333c8904a512e071e93513b686110bd32920851e03b51f0bd25cc1215126
SHA512 bab215f310d336b39369e9330f886eb0487bec1d38e10e85103d434094de66bf6b1b50e96cdade1b3000cdc8ccf7d6238365100514c69b1c4e0a864f1d0ca202

C:\Windows\SysWOW64\omsecor.exe

MD5 15a642006330ddbf762fe1b2e1a23d62
SHA1 04c79996791bff9af72955897c82d7a320636df3
SHA256 dcad8d850eb0f7def4ded45cdeeef7e97d217da4a9a2e3bfdcddc818f61503af
SHA512 a0358a6dd04044e82f86552d691a4c7a5ecd135b70fa2f3ee4ffe1770398852b112e922a602257c4bb7f22c116dc064455edaa29b6aa0c2d1d643abbed1986ea

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 13:54
Reported: 2024-06-17 13:57
Platform: win7-20240611-en
Max time kernel: 146s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2560 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2560 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2560 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2216 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2216 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2216 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2216 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 868 wrote to memory of 1604 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 868 wrote to memory of 1604 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 868 wrote to memory of 1604 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 868 wrote to memory of 1604 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9a6342dabe89cac1ddc647c5b3c41550_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 0c2f241727d3a66b1e1e5fee21c4bc56
SHA1 e6d7fe7d27a88d0efe296a6670a4ace694e98c10
SHA256 5aad333c8904a512e071e93513b686110bd32920851e03b51f0bd25cc1215126
SHA512 bab215f310d336b39369e9330f886eb0487bec1d38e10e85103d434094de66bf6b1b50e96cdade1b3000cdc8ccf7d6238365100514c69b1c4e0a864f1d0ca202

\Windows\SysWOW64\omsecor.exe

MD5 e6f058d91ca0c1e390a1ee18c98f003a
SHA1 c7f838ae74bd61cbd9175efb83a11451bb1a3897
SHA256 65798f1b279fd50070242293c6fd416c8ba84165de85cb0c25f160fe68745046
SHA512 69dc12a2267be65efb347760b04561456958cfceb7229fcc029eb132e8b803ff5bce0e63bd36ada82f5bbdf6eb9f1fb869ff4cda7f47d7ee7b44693d73cb17f2

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 82e432dc7abddd3efb872a245132bd77
SHA1 d441da4f9845c7d860c1df1d12ab051f604b7c61
SHA256 58c66c04088acfa7956a640e81ebc6e065094c929c8b503a5d2a42bbc86eb669
SHA512 103f1a31b4eaf473550e672bed96b8d500074f6fc323118de34fdc5c233791245196b40f6eb1a89d750dbbb05817e1740192a41d7ecfe1977a9d686ea4760aa1