Malware Analysis Report

2024-09-11 08:30

Sample ID 240619-ecfx3atble
Target 8107d0083cb54b76cf1abdf65b8c7ab0_NeikiAnalytics.exe
SHA256 74c2afc0c08175400ed5eb53c52b2ffd57355695856e7e7fea12eb53d1a50eda
Tags
neconyd trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

74c2afc0c08175400ed5eb53c52b2ffd57355695856e7e7fea12eb53d1a50eda

Threat Level: Known bad

The file 8107d0083cb54b76cf1abdf65b8c7ab0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 03:47

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 03:47

Reported

2024-06-19 03:50

Platform

win7-20231129-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8107d0083cb54b76cf1abdf65b8c7ab0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\8107d0083cb54b76cf1abdf65b8c7ab0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2328 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1980 wrote to memory of 1668 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8107d0083cb54b76cf1abdf65b8c7ab0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8107d0083cb54b76cf1abdf65b8c7ab0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/2364-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2364-9-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a4e7d7588a7b6b8b8747638e0905a355
SHA1 5c97a282d8ce183e20ae464f0d72c45940b15021
SHA256 65d59029f666f7c566a4c704834a4b2a4989b10ecab4ad7619fd5af15c4b6804
SHA512 4d12e194b9706a4ba6911d33488a779351a38291dfc96c0833a5a785a974bc6045e378cd4b2395a577224f4503e39a681277f779d0074b65277ef98c70c19b43

memory/2328-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2328-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2328-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2328-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 52932fb7568fb722e217040e5e80b6d8
SHA1 f6f0f2d062912093fa2ba69cdc6e32bb364242d4
SHA256 dce35c05a37b5278a10f188004035474730eda7b63f9a99025d1a5057cdb502e
SHA512 272340ad192e2e572ca83570ab6096badf40b4633dc58535b54f83d4dd2bdb92631bd6bc76d399f76857b54e142f8705e1a8e764e1efdc8cf695b644a779c9e8

memory/2328-26-0x00000000002C0000-0x00000000002ED000-memory.dmp

memory/2328-32-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1980-36-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 64b3e88147a747d24bf9b7344d92955c
SHA1 57a59ebd42e4a626dfbf3529a77593c7b20db4c8
SHA256 78d8251703f12eff1c6047a9a943f83116a57dafea3dbfad91841408e9669909
SHA512 c36dc179178009bf7954eab50e9d23f1dd52995c3904a9b7d02868df2c45803917e7aa450b3525b12e939166869cff299a92a47943505157124482a43b989a0e

memory/1668-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1668-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1668-50-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 03:47

Reported

2024-06-19 03:50

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8107d0083cb54b76cf1abdf65b8c7ab0_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8107d0083cb54b76cf1abdf65b8c7ab0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8107d0083cb54b76cf1abdf65b8c7ab0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

memory/916-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a4e7d7588a7b6b8b8747638e0905a355
SHA1 5c97a282d8ce183e20ae464f0d72c45940b15021
SHA256 65d59029f666f7c566a4c704834a4b2a4989b10ecab4ad7619fd5af15c4b6804
SHA512 4d12e194b9706a4ba6911d33488a779351a38291dfc96c0833a5a785a974bc6045e378cd4b2395a577224f4503e39a681277f779d0074b65277ef98c70c19b43

memory/916-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1660-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1660-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1660-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1660-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1660-13-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 89f1116f83ffcce80c10e57dd0904f33
SHA1 a43d24839f782b394d7b98193e379dba413d5f7f
SHA256 c5d885c32290445141738082217345a80f6d46ce9e0cd29eb785ae058fd17084
SHA512 6212b94233f36bc3101c8eeb164d59fe9615a4c0b4ee448b7e78c1f1e9b02cd9ceae230089fca52514e70432ab66b9b601084e28bd343fadb939111648909d7b

memory/1660-18-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1668-19-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 512212d69328e5b06a9c04ca7a769e67
SHA1 15f59a1d6bf8dd16da2675f038e69149bf5137e8
SHA256 5f788791163f31d738cf623525e7e7972adbf7fb7dec82f7af20b0a32a368ba7
SHA512 13102782d016e9ca1e94034df15d5809e07d42c1939d9d54c5076bf81127c46701f8572a32d886a7115ca7bd27ff354d2c86272b5ce66ff92aa9d2d91abb404e

memory/1668-24-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2088-26-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2088-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2088-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2088-31-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2088-33-0x0000000000400000-0x000000000042D000-memory.dmp