Analysis Overview
SHA256
be13331765ec008eecbcbbec51a273b12688a1e29ade766c24e6fbeac7eecd70
Threat Level: Known bad
The file 8125c7c75dc79a9e8f1958379045be80_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
| Reported | 2024-06-19 03:48 |
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-19 03:48 |
| Reported | 2024-06-19 03:50 |
| Platform | win7-20231129-en |
| Max time kernel | 146s |
| Max time network | 147s |
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8125c7c75dc79a9e8f1958379045be80_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8125c7c75dc79a9e8f1958379045be80_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8125c7c75dc79a9e8f1958379045be80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8125c7c75dc79a9e8f1958379045be80_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 932de02590128e98ae401ad177539c21 |
| SHA1 | caf0fd4b80b972e84a7d9ec8010e7299b61e78f3 |
| SHA256 | b5926f2168127f24275f3a730ff1c04bf592817a260c7ae9e5f2702af82f339d |
| SHA512 | 101de7d4ad3f1dbe4f90802d59961d279919a8d08be0e734620bc4b55fd04d37ff4a817e81a8878f9c4378917099f63a215ce1cf3863a2942dbe0e2392396dab |
\Windows\SysWOW64\omsecor.exe
| MD5 | e98f317112b9a3f0c6e5aa7dfcd00aa1 |
| SHA1 | 9816f5108d8a6d193e2882b16000a75a0b0b4ede |
| SHA256 | 364928ec7aa876140c0060e026c69a963d53b38f91d76ef37f2572b2442e4152 |
| SHA512 | a6b70a9eb8b8f9b2cb23fde81df858ae2c4bd6e963f30b8849b6b3a87a8082cf453eb974775b91f2c7fe8f067fef9fed632a7e70b9858d66dbc98d5fdd89f086 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 8dda0f80b3752b0163af1ae93dafd2f5 |
| SHA1 | dfdde7c058ebc32bb9aef496d3ee624f1d3171a3 |
| SHA256 | 70659d11733aa369f0eee14adae95b166a7fc7c7fbe6155069bfb4abe3b5ff25 |
| SHA512 | 75e7dfb65856bbc923640a4154a6e403357a5d169e67a4878513baa3aad3045ac676b74ec6ad9ffdc109283917c2dfd859fe45ca24aad2746d3b62a30e352b24 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-19 03:48 |
| Reported | 2024-06-19 03:50 |
| Platform | win10v2004-20240611-en |
| Max time kernel | 149s |
| Max time network | 149s |
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8125c7c75dc79a9e8f1958379045be80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8125c7c75dc79a9e8f1958379045be80_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 932de02590128e98ae401ad177539c21 |
| SHA1 | caf0fd4b80b972e84a7d9ec8010e7299b61e78f3 |
| SHA256 | b5926f2168127f24275f3a730ff1c04bf592817a260c7ae9e5f2702af82f339d |
| SHA512 | 101de7d4ad3f1dbe4f90802d59961d279919a8d08be0e734620bc4b55fd04d37ff4a817e81a8878f9c4378917099f63a215ce1cf3863a2942dbe0e2392396dab |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | f4115bd6ca9d61858714641f87c9830a |
| SHA1 | af8de3a485e3dbfb93400ad64012d89ceea8e7ac |
| SHA256 | 8775610138ce2ed2c5ac70a1acfe79c4eecb193c52716df0efaf5e1ed5daf2be |
| SHA512 | 36da42dfe3b7b82fd0ab749661eee39e4422d908e7f592328609ce2569e0ded2be75e6ad80a8e870178a3e1c3e42aed4bbb6fb654befa18284223a6106769d44 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0ec305337cece6180a3be6397eb7424c |
| SHA1 | 9d2212f0b453a61faddbb1371833bc4da2e3e19e |
| SHA256 | d6986f0537be0bcc2d4342d372e9adf8e44bb9a96701c7133e380e3edeeb1fb3 |
| SHA512 | 90766ef44238363948776b62836a0bb2f8f735f2bbe9a9b01edcdb2a04a8911042d509de64835de8c676b70c95f40a2bf80843b7709581043ad7f2c1ce069aae |