Analysis Overview
SHA256
a0b89fd3825aa4e2f2390e82b48c9981c1a42204d37b09f04cdb7c28ce22cf5a
Threat Level: Known bad
The file 3f11ff89902efa675a6643056ad8b710_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-18 11:31
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 11:31
Reported
2024-06-18 11:34
Platform
win7-20240611-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f11ff89902efa675a6643056ad8b710_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f11ff89902efa675a6643056ad8b710_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\3f11ff89902efa675a6643056ad8b710_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\3f11ff89902efa675a6643056ad8b710_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
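The process list shows the chain the signatures describe: the sample writes omsecor.exe into AppData\Roaming, runs it, that copy writes omsecor.exe into SysWOW64 and runs it, and the SysWOW64 copy re-writes and re-runs the Roaming copy. Two details matter for detection. First, the SysWOW64 process is launched with a command line naming C:\Windows\System32: on 64-bit Windows a 32-bit process that writes to or launches a path under System32 is redirected to SysWOW64, so the real image path and the command line disagree. Second, the Files sections show the first Roaming drop with the same MD5 (059997defe85608bf168613d0d94ad0b) in both runs, while the SysWOW64 copy and the re-written Roaming copy have different hashes in each run, so the later stages are better caught on behaviour than on hash. The following is an added example, not part of the report or of any sandbox vendor's code: it replays constructed endpoint events modelled on the list above (pids and the notepad.exe control event are invented; field names only loosely follow Sysmon) and raises the two behaviours "Executes dropped EXE" and "Drops file in System32 directory".

```python
"""Added example (not from the sandbox report): replay endpoint telemetry and
raise "Executes dropped EXE" and "Drops file in System32 directory".
Events are constructed to mirror the report's process list; they are not
Sysmon output, though the fields are named after Sysmon's Image /
TargetFilename / CommandLine."""
from dataclasses import dataclass
from typing import List, Tuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Event:
    kind: str          # "file_create" or "process_create"
    pid: int           # acting (parent) process id
    image: str         # image path of the acting process
    target: str        # created file, or the child's real image path
    child_pid: int = 0
    cmdline: str = ""  # child's command line (process_create only)


def canon(path: str) -> str:
    """Case-fold and collapse SysWOW64 onto System32.

    On 64-bit Windows a 32-bit process that writes to or launches
    C:\\Windows\\System32\\x.exe is redirected to SysWOW64, which is why the
    report lists the image under SysWOW64 while the command line says System32.
    Folding the two lets a drop in one spelling match an execute in the other.
    """
    p = path.strip('"').lower()
    return p.replace("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def in_system_dir(path: str) -> bool:
    p = path.strip('"').lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Replay events in order; return (rule, actor_image, target) alerts."""
    dropped = set()  # canonical paths written earlier in the trace
    alerts = []
    for ev in events:
        if ev.kind == "file_create":
            dropped.add(canon(ev.target))
            if in_system_dir(ev.target):
                alerts.append(("drops_file_in_system_dir", ev.image, ev.target))
        elif ev.kind == "process_create":
            # Match on the real image path, not the command line: the command
            # line can name a path that redirection never actually used.
            if canon(ev.target) in dropped:
                alerts.append(("executes_dropped_exe", ev.image, ev.target))
    return alerts


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\3f11ff89902efa675a6643056ad8b710_NeikiAnalytics.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
WOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# Constructed trace following the report's process list; pids are invented.
SAMPLE_EVENTS = [
    Event("file_create", 100, DROPPER, ROAMING),
    Event("process_create", 100, DROPPER, ROAMING, 200, ROAMING),
    Event("file_create", 200, ROAMING, WOW64),
    Event("process_create", 200, ROAMING, WOW64, 300, r"C:\Windows\System32\omsecor.exe"),
    Event("file_create", 300, WOW64, ROAMING),  # second copy; hash differs per run
    Event("process_create", 300, WOW64, ROAMING, 400, ROAMING),
    # Benign control: launching a system binary that nothing in the trace wrote.
    Event("process_create", 100, DROPPER, r"C:\Windows\System32\notepad.exe", 500,
          r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for rule, actor, target in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {actor} -> {target}")
```

Run as a script it prints four alerts and nothing for the notepad.exe control. To feed real telemetry, map Sysmon Event ID 11 (FileCreate) to `file_create` and Event ID 1 (ProcessCreate) to `process_create`, keeping the match on the Image field rather than CommandLine for the reason given in `canon`.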
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 059997defe85608bf168613d0d94ad0b |
| SHA1 | 580dcfa83ad35557ea9d24e85cdbdfbcd2406433 |
| SHA256 | eb01401d809089b25cb2f15dc10f93e708a19ab9ca43b84e9cecde9af3c58986 |
| SHA512 | f1a8c4cd2e9e37a511c1917a09a1bfa11364f0042737c7c9bfa8d4c0b2edd697360b28cf760a44e7cada135ab3cbffb40331f927ad5f195759e362786196fd2f |
\Windows\SysWOW64\omsecor.exe
| MD5 | 544015750fb51e1a7ef693825fe869d2 |
| SHA1 | 9b2f17ac0f5094cd94a95b0573d136d79e74b3b1 |
| SHA256 | a2c2e67f952d714fc2ff7458181b5a3bcc7c9e8c52192d8a93a5e94426563502 |
| SHA512 | 3e3239f67b0f5bccec0d3826e443cac624f5f2f98324224237195deaef4272d669058547404ac69005109effb995e7c68823459354d7b4e7c10da735fe67379a |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 72c4998621148b1f839a855c01638ba4 |
| SHA1 | 03b18b2b7a80fe7073299b359c210111155a3962 |
| SHA256 | e862954c1932fc555cf2ccd4521f17ab2eb6390deff414d05a75d61193196e45 |
| SHA512 | 3c73a63edc730a80feb48db0b8d3a062afd9d8b496af994ac1beff627536324f557cf5f2fb9f0b5bf1e273f2343d697067284628d793e6ff2cc673209622a298 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 11:31
Reported
2024-06-18 11:34
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\3f11ff89902efa675a6643056ad8b710_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\3f11ff89902efa675a6643056ad8b710_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
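Both Network tables mix three kinds of rows: DNS queries to the sandbox resolver (8.8.8.8:53), where the queried name is the indicator and the resolver is not; the HTTP connections that follow them; and, in the win10 run, a series of in-addr.arpa reverse lookups, whose names are derived from IP addresses rather than chosen by the operator. One connection (52.111.236.23:443) carries no domain at all and has to be triaged separately. The following is an added example, not part of the report or of any sandbox vendor's code: it parses a copy of the behavioral2 table (a subset of its rows, embedded inline), drops the resolver, decodes each reverse lookup back to its IP, and reports which of those IPs the sample never actually connected to. `SANDBOX_RESOLVER` is an assumption about the detonation environment.

```python
"""Added example (not from the sandbox report): reduce a sandbox Network table
to a de-noised IOC list. The table is copied from the behavioral2 run above
(a subset of rows); it is not a live capture."""
from collections import OrderedDict
from typing import Dict, List

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| IE | 52.111.236.23:443 |  | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
"""

# Assumption: the sandbox forwards all DNS to this resolver, so the resolver
# itself is infrastructure, not an IOC; only the queried name is.
SANDBOX_RESOLVER = "8.8.8.8:53"


def parse_rows(table: str) -> List[Dict[str, str]]:
    """Split pipe-delimited rows into dicts; the first line is the header."""
    rows = []
    for line in table.splitlines()[1:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def ptr_to_ip(name: str) -> str:
    """'73.91.225.64.in-addr.arpa' -> '64.225.91.73' (octets are reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def extract_iocs(table: str) -> Dict[str, object]:
    domains, endpoints, unattributed, ptr_ips = (OrderedDict() for _ in range(4))
    for r in parse_rows(table):
        dom, dest = r["domain"], r["dest"]
        if dom.endswith(".in-addr.arpa"):
            # Reverse lookups name peers, not attacker-chosen hostnames; keep
            # the IP they decode to and decide below whether it is new.
            ptr_ips[ptr_to_ip(dom)] = None
            continue
        if dest == SANDBOX_RESOLVER:
            if dom:
                domains[dom] = None
            continue
        if dom:
            domains[dom] = None
            endpoints[dest] = dom
        else:
            unattributed[dest] = None  # connection with no name: triage by hand
    contacted = {e.rsplit(":", 1)[0] for e in list(endpoints) + list(unattributed)}
    return {
        "domains": list(domains),
        "endpoints": dict(endpoints),
        "unattributed": list(unattributed),
        # PTR lookups for addresses the sample never connected to: not IOCs on
        # their own, but worth a look if they recur across detonations.
        "ptr_only": [ip for ip in ptr_ips if ip not in contacted],
    }


if __name__ == "__main__":
    for key, val in extract_iocs(NETWORK_TABLE).items():
        print(f"{key}: {val}")
```

On the embedded rows this yields the three domains, their three HTTP endpoints, the nameless 52.111.236.23:443 connection as unattributed, and one reverse-lookup address (217.20.58.101) that was queried but never contacted; the other two PTR names decode to endpoints already in the list.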
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 059997defe85608bf168613d0d94ad0b |
| SHA1 | 580dcfa83ad35557ea9d24e85cdbdfbcd2406433 |
| SHA256 | eb01401d809089b25cb2f15dc10f93e708a19ab9ca43b84e9cecde9af3c58986 |
| SHA512 | f1a8c4cd2e9e37a511c1917a09a1bfa11364f0042737c7c9bfa8d4c0b2edd697360b28cf760a44e7cada135ab3cbffb40331f927ad5f195759e362786196fd2f |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 5ed59f44a1261efae7977f11f0fc36ae |
| SHA1 | d12af861c1d460ae0edade91af468fbd2ca63002 |
| SHA256 | 93369b150df590b7a32837252a1e6b50bd98ec3f3371334f34d95831c416a77b |
| SHA512 | 0aa314d3e855575bd94543d2a69a57326bafd30f9bd5b419757ddbbfe5b669e52b1f5bb7897b4b3d21f2324de10f5333b2dd501b9fc78b49d0b1492b7e5b239c |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | bae95439e6c4f28c1075fc4f7956ce96 |
| SHA1 | 0a69a9c940429674178b544d92d033a54df5cfcb |
| SHA256 | 4687d9d2e9394940176aa4e81f0e3b8be441f5585328fe9ce876693c6366e51e |
| SHA512 | 2def59bccb44ff5b6b303fe427a40ca9b05e5c966297b74a36f24069f188795e4962d74e176a8fb0d95c4e4a308ac0c3f7a778e264c3006a5c63dcec37b1f7f6 |