Malware Analysis Report

2024-09-11 08:20

Sample ID 240618-jjn98stdmh
Target 28573f0fd4bcb787ce26eae330f9c670_NeikiAnalytics.exe
SHA256 77b422134569f4e713b4ff1f444e249a3a9f590d6fca9e98159f3108098bdbeb
Tags neconyd trojan upx
Score 10/10


Analysis Overview

Threat Level: Known bad

The file 28573f0fd4bcb787ce26eae330f9c670_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-18 07:42

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-18 07:42
Reported 2024-06-18 07:44
Platform win7-20240611-en
Max time kernel 145s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28573f0fd4bcb787ce26eae330f9c670_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2024 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\28573f0fd4bcb787ce26eae330f9c670_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2024 wrote to memory of 2144 (4 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2144 wrote to memory of 1552 (4 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\28573f0fd4bcb787ce26eae330f9c670_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\28573f0fd4bcb787ce26eae330f9c670_NeikiAnalytics.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1936-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1936-9-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 120b4c516b5174e386a9cd8c8345561d
SHA1 695399896d0f2a436c9b0585f93a48e356c7ca78
SHA256 fc86958b61a4a5070c5f825a48378f2725650dcd5e7546f8652c517046790822
SHA512 ff3f8c8ddecd62e5fa0afaca7744b6daf42bf3d76eda324ac5ad7d3230e4b49773d85c0e8a933980491d91c84319e3e7a68b3ad7d33c7178e8e688a4857a6657

memory/2024-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2024-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2024-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2024-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2024-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 3ce3f5a0e31243d782a62f519d4dda03
SHA1 56ab56f727214a9cc30c163de95b18199d71cf55
SHA256 95f639d1bb20f56b27b90174926a778d699a6694a27d4cdce4067aa80e2be440
SHA512 4c12c0273b70c1b823cf84b124c1b8b4ecc22f3f2ef75562adb64684dcbefe5e74d3821877fa1948affeb327a09323fdd78bd7462a07b7fcc74ccce4142a82f3

memory/2024-25-0x0000000000280000-0x00000000002AD000-memory.dmp

memory/2144-36-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2024-32-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 1fe8d484d4311ef8aca5c1253f04b07e
SHA1 9d2d61cc509edb6b7e856ddee67b1e56b54e84f8
SHA256 9e3619bbfe5281081aabe0b2bab6d91d377e03acf6bceacdf95d27d12b3846ce
SHA512 a848c25bee6e18dc383a4710bebda8b6256443a5266ad959de5144fb03d80fc433b4037d55890cbbc0d342c97dc7e3c677370cdf41835278c8c7aa570e340c78

memory/1552-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1552-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1552-50-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-18 07:42
Reported 2024-06-18 07:44
Platform win10v2004-20240611-en
Max time kernel 145s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28573f0fd4bcb787ce26eae330f9c670_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\28573f0fd4bcb787ce26eae330f9c670_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\28573f0fd4bcb787ce26eae330f9c670_NeikiAnalytics.exe"

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8

Image: C:\Windows\SysWOW64\omsecor.exe
Command line: C:\Windows\System32\omsecor.exe

Image: C:\Users\Admin\AppData\Roaming\omsecor.exe
Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 2.17.107.129:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 129.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 224.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 120b4c516b5174e386a9cd8c8345561d
SHA1 695399896d0f2a436c9b0585f93a48e356c7ca78
SHA256 fc86958b61a4a5070c5f825a48378f2725650dcd5e7546f8652c517046790822
SHA512 ff3f8c8ddecd62e5fa0afaca7744b6daf42bf3d76eda324ac5ad7d3230e4b49773d85c0e8a933980491d91c84319e3e7a68b3ad7d33c7178e8e688a4857a6657

memory/228-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4116-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4116-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/228-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/228-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/228-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/228-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 ab7e45b20ae3d77d6430750979fec018
SHA1 645ecd27db4d2e41978b2aa83492fed43bdc27b2
SHA256 f40690d338f1ddf1dd622a8473e43631bed73eeb4567e5812dbaafc4f84dc122
SHA512 e27921447c8609075c3f9f482ff1f21b5b03045fe79b2877773cb6f4a88dd1c9e8be1b055444f60b3c43af3f562b1e51ef3e8a709bcbd79d51e104913f1c319f

memory/228-20-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4764-23-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 03fb7e5a9c05ee11624833fba5de4b7f
SHA1 fb89d100a93682fce9d5c0c5c73241ffdf6b2d35
SHA256 d7d556aa93b737328152dad03e9dc55eae98e507c38c7b24ba3730a097ad4ba9
SHA512 d3155768bb74add34d1df2fdb675c80dbc1b872838a37a3d97233d417d167508a123cddce5d37227fec6ae58a0e9d8870866d6d0991e4e657ea1cc442dcf2789

memory/3264-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3264-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3264-32-0x0000000000400000-0x000000000042D000-memory.dmp