Analysis Overview
SHA256
2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376
Threat Level: Known bad
The file 2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
| Reported | 2024-06-20 03:33 |
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-06-20 03:33 |
| Reported | 2024-06-20 03:36 |
| Platform | win7-20240419-en |
| Max time kernel | 145s |
| Max time network | 146s |
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 75bc9160042b511b004b490713524645 |
| SHA1 | 8e51df9ac392a0bdc3e0da4b286dee513a3c0f12 |
| SHA256 | eea64077184eb0b4f7d7662575b05ab9704345c4c9dc5b169bb95a48c210fb59 |
| SHA512 | ed698a0939966d4cf26ae7af179f136c2f4194ff014c6600b7fcd8f7d7fbb825e0c0d821c553f67170906153691a617e62ae9d1c45bfe9d8114f5048bb86624b |
\Windows\SysWOW64\omsecor.exe
| MD5 | 90ae1b1e7590405224cc1640c799bc87 |
| SHA1 | c8bb9e82f64386ee2e4f00f3faa8ee282b38d1d5 |
| SHA256 | 107d0d8556039b13e3b56d0e3a2c8dc27e1259a0c027ca9ca3b464cf365fe0be |
| SHA512 | c5b6b2ce8021ef9396a4d6d488cf055bc6ce4b2d732506d246b3696afe959d43953cbbd0471a361ba35ac3af6f5e2a06ad18b62800e63cb10a5b7454f21f6501 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 25741f649b20028d843f68bceaec9ec0 |
| SHA1 | f3f4402b414dbafaf54379a5ee91267d0e9e7b07 |
| SHA256 | e053d7d04507090e84b97938ebc2c39f8c06997d4363582024383e6e0bf3a162 |
| SHA512 | b34eb2816da928e7048e7896779e98f3e88964f5b7bc868fb608ccc8a8cf5b45e675eb0fef5809d82ef0a51fb306f80a93c0a2492a3b99f169b668fb1fac224b |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-06-20 03:33 |
| Reported | 2024-06-20 03:36 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 147s |
| Max time network | 150s |
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f06a70d3a7e5e3e402af794bf2503b6ee8b265df20425e3271852ecb76e5376_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 75bc9160042b511b004b490713524645 |
| SHA1 | 8e51df9ac392a0bdc3e0da4b286dee513a3c0f12 |
| SHA256 | eea64077184eb0b4f7d7662575b05ab9704345c4c9dc5b169bb95a48c210fb59 |
| SHA512 | ed698a0939966d4cf26ae7af179f136c2f4194ff014c6600b7fcd8f7d7fbb825e0c0d821c553f67170906153691a617e62ae9d1c45bfe9d8114f5048bb86624b |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 1178b654d237ef47b6c6861f5dd4f01a |
| SHA1 | 51b3bee03f16c3cd655229f8b4f013da0aca1cbf |
| SHA256 | f8c4823150b2c4fd455b446fc3058689911c7be3f95c4ae45fb552ca8474ebe4 |
| SHA512 | e52c1965861d4d2e91524503ed10193b1ac4260620af032da9d52ea56429c065552a534aa33bb3a349518e3cbf56e1e336e4dcf77b71d4557aafa31ff39d4210 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d0c310926bf9ff9062ee307a369b9fdb |
| SHA1 | 7b7c3a20b7ceab1de8c550184b49de0cf153f0e6 |
| SHA256 | 5f08457269ab0c541e799f4fb55c755b02271fab7281a3adae08b4c10d361bdb |
| SHA512 | 7d5ad0755b059b097cd1db52d169270ec631cb138ccdbf851312127a27fb08bd2f4eb058ec37af64793af60541ebb5f3a2da9efa013895faad2d27d5b9d9d258 |