Malware Analysis Report

2024-09-11 08:29

Sample ID 240620-g5h91axhpk
Target 3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe
SHA256 3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5
Tags: neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5
Threat Level: Known bad

The file 3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe is classified as known bad.

Malicious Activity Summary

neconyd trojan

Neconyd

Neconyd family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-20 06:23

Signatures

Neconyd family (tag: neconyd)

Unsigned PE

Description Indicator Process Target
(no process-level indicators; this is the static pass only)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 06:23
Reported: 2024-06-20 06:25
Platform: win10v2004-20240508-en
Max time kernel: 142s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  Command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Note the third process: it is launched with a System32 path but its image lives in SysWOW64. That is consistent with a 32-bit process running under WoW64, where file system redirection maps accesses to C:\Windows\System32 onto C:\Windows\SysWOW64, and it explains why the "Drops file in System32 directory" signature points at C:\Windows\SysWOW64\omsecor.exe.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Only DNS queries to 8.8.8.8 for lousta.net, ow5dirasuek.com and mkkuei4kdsz.com were recorded in this run; no TCP connection to any resolved host was observed within the 139 s network window.

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e52986ee168e1d7047383e93337b5c79
SHA1 c21e48fdc44c75eff8d7c8d0692a96678228892b
SHA256 1f480270ef537195ab187e18f62c00321bbf8b7abd987dab0d35d2224d2a70f1
SHA512 a338c29fb22b64029d1123e5f3f1432da31d3753a3613cb8402e9b3cd1acf3da97a4db7e6912b9e89732229d29a532685435f33c7db3fda24a60480ad9013bf0

C:\Windows\SysWOW64\omsecor.exe

MD5 79f8783fb55c38c80861da484c2becdf
SHA1 fe1f2643a6d7e3e4bcc78c2fc245ab924317c31f
SHA256 1d5e2ffcb13994dd6c541abeb747f5140121c1f4eb78d367cf97085f7bbb5ea2
SHA512 4322dcfef7daf1dea9d20d22321a7817a5512ef94ab2fa5ab0e523da0b0b697b6f3ec70589c39ed68a5527b6c9f2648fdc7f59a9fdf5466e0711f623c794f08c

C:\Users\Admin\AppData\Roaming\omsecor.exe (same path written a second time with different content; the first copy, SHA256 1f480270..., was replaced)

MD5 0bf6fbc6501949537b1b56b3a85671a8
SHA1 c36110ccbd508e2ab86559468127f747004b2f31
SHA256 ba12275bbc409d1a36d0abc4b1022e071da0ae33d3d442d13defaa985c0ba471
SHA512 d77ba27aabd75b6fde06ed6297f85108f7011c44422cf1ef5bb7d9e04ded15f332d480e9ba38c84f943d785f45f121a9bee7c187fd702421c568378c9b98111b

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 06:23
Reported: 2024-06-20 06:25
Platform: win7-20240419-en
Max time kernel: 145s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe"

Signatures

Neconyd (tags: trojan, neconyd)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 2300 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2300 wrote to memory of 2876 (4 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2876 wrote to memory of 772 (4 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

The report lists each pair four times; the repeats are collapsed above. Every write goes from a process to the dropped executable it starts next (1340 -> 2300 -> 2876 -> 772), which is the pattern a parent produces while launching a child. On its own this signature therefore does not establish code injection into an unrelated process; that would show as writes into a PID outside this chain.
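The check a triager wants to run on a WriteProcessMemory table like the one above is whether the writes form a simple launch chain or fan out into unrelated processes. The following script is an added example, not part of the sandbox output: it rebuilds the writer -> target graph from rows transcribed from this report, renders the chain, and flags the three patterns that do not fit a parent starting its own child (a target with several writers, a write back into an ancestor, a write burst above an assumed threshold). The second data set, with a write into an explorer.exe PID, is constructed to show a flag firing and is not something the report observed.

```python
import ntpath
import re
from collections import Counter, defaultdict

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527"
           r"a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe")
ROAMING = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64 = r"C:\Windows\SysWOW64\omsecor.exe"

# Transcribed from the WriteProcessMemory table above (behavioral1, win7):
# (description, source image, target image). The report lists each pair
# four times; the repeats are kept so the burst size can be measured.
WRITE_EVENTS = (
    [("PID 1340 wrote to memory of 2300", DROPPER, ROAMING)] * 4
    + [("PID 2300 wrote to memory of 2876", ROAMING, SYSWOW64)] * 4
    + [("PID 2876 wrote to memory of 772", SYSWOW64, ROAMING)] * 4
)

# Constructed counter-example, not from the report: the same chain plus
# writes from two chain members into a pre-existing, unrelated process.
INJECTION_EVENTS = WRITE_EVENTS + [
    ("PID 2876 wrote to memory of 1000", SYSWOW64, r"C:\Windows\explorer.exe"),
    ("PID 1340 wrote to memory of 1000", DROPPER, r"C:\Windows\explorer.exe"),
]

BURST_THRESHOLD = 8  # assumed heuristic: a launch needs only a handful of writes


def parse_events(events):
    """Turn report rows into (src_pid, dst_pid, src_image, dst_image)."""
    parsed = []
    for text, src_image, dst_image in events:
        m = EVENT_RE.fullmatch(text)
        if m is None:
            raise ValueError(f"unrecognised row: {text!r}")
        parsed.append((int(m[1]), int(m[2]), src_image, dst_image))
    return parsed


def analyze_writes(events):
    """Rebuild the writer -> target graph and flag writes that do not look
    like a parent starting its own child: targets with several writers,
    writes back into an ancestor, and oversized write bursts."""
    parsed = parse_events(events)
    pairs = Counter((s, d) for s, d, _, _ in parsed)
    writers, children, image = defaultdict(set), defaultdict(list), {}
    for s, d, si, di in parsed:
        writers[d].add(s)
        if d not in children[s]:
            children[s].append(d)
        image.setdefault(s, si)
        image.setdefault(d, di)

    anomalies = []
    for d, ws in sorted(writers.items()):
        if len(ws) > 1:
            anomalies.append(f"pid {d} ({ntpath.basename(image[d])}) "
                             f"written by several processes: {sorted(ws)}")
    # Parent map from single-writer targets; used for the ancestor check.
    parent = {d: next(iter(ws)) for d, ws in writers.items() if len(ws) == 1}
    for (s, d), n in sorted(pairs.items()):
        p, seen = parent.get(s), set()
        while p is not None and p not in seen:
            if p == d:
                anomalies.append(f"pid {s} wrote into its ancestor {d}")
                break
            seen.add(p)
            p = parent.get(p)
        if n > BURST_THRESHOLD:
            anomalies.append(f"{n} writes from {s} to {d} exceed a launch-sized burst")

    roots = sorted(p for p in image if p not in writers)
    tree = []

    def walk(pid, depth, path):
        tree.append("  " * depth + f"{pid} {ntpath.basename(image[pid])}")
        for c in children[pid]:
            if c not in path:  # guard against cyclic write graphs
                walk(c, depth + 1, path | {c})

    for r in roots:
        walk(r, 0, {r})
    return {"pairs": dict(pairs), "roots": roots, "anomalies": anomalies, "tree": tree}


if __name__ == "__main__":
    for label, events in (("report chain", WRITE_EVENTS),
                          ("constructed injection", INJECTION_EVENTS)):
        result = analyze_writes(events)
        print(f"== {label}")
        print("\n".join(result["tree"]))
        print("anomalies:", result["anomalies"] or "none")
```

For the report's own rows the output is a single four-process chain with no anomalies; the constructed set reports PID 1000 as written by two different chain members, which is the shape an injection into a third-party process takes in this table.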

Processes

PIDs are taken from the WriteProcessMemory events above.

C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe (PID 1340)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e9b205e59fe5b80997bd8dc9c289527a6b5ee10546eeba9935c1cd8a58a07e5_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 2300)
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe (PID 2876)
  Command line: C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe (PID 772)
  Command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

The chain is dropper -> Roaming\omsecor.exe -> SysWOW64\omsecor.exe -> Roaming\omsecor.exe again; the Files section below records two different hashes for the Roaming path, so the last stage runs a rewritten copy rather than the first one. The System32 command line with a SysWOW64 image is consistent with a 32-bit process under WoW64 file system redirection.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Unlike the win10 run, this run resolved all three domains and then connected to each over TCP port 80: lousta.net at 193.166.255.171 (FI), mkkuei4kdsz.com at 64.225.91.73 (US) and ow5dirasuek.com at 52.34.198.229 (US).

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e52986ee168e1d7047383e93337b5c79
SHA1 c21e48fdc44c75eff8d7c8d0692a96678228892b
SHA256 1f480270ef537195ab187e18f62c00321bbf8b7abd987dab0d35d2224d2a70f1
SHA512 a338c29fb22b64029d1123e5f3f1432da31d3753a3613cb8402e9b3cd1acf3da97a4db7e6912b9e89732229d29a532685435f33c7db3fda24a60480ad9013bf0

\Windows\SysWOW64\omsecor.exe (hash differs from the SysWOW64 copy recorded in the win10 run)

MD5 06936b6cc51cd388b449eb4e5a9fdfe9
SHA1 6a69cc2d601795c86186c4eb51c69600c63cc7ea
SHA256 4f06b787b2725ad96cbd4d800fa83b079c07340d9eb31345f36d6766311c8564
SHA512 098a780cbcf1419492ac0d8a821c287db03ef4cf2b1c7b658c48d4b72c8421deadbc09313f4f152e37846b29633a5bd556e212f806ffbf04e68de08a02ceecd1

\Users\Admin\AppData\Roaming\omsecor.exe (same path written a second time with different content; the first copy, SHA256 1f480270..., was replaced, and this second hash also differs from the win10 run's second copy)

MD5 b484fd7822cf6aa520061925b84a5e7f
SHA1 7c8b3673f1398185bcf7b0f67aff03b9bc094511
SHA256 7929dd345717ddfa6867d86faee0af3c94656ddbd84e402c5690d0846be47a45
SHA512 e6fcf0713861651808893a72393e77fbc2b25241eb251670568cf5cb0178de1e643011d24d09d296cb16a1e395bc45dadfecb7137a58b5286344bd48dd081e2e
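Between the two behavioral runs the report yields three domains, three TCP endpoints and five distinct file hashes, and the question for anyone turning this into indicators is which of them hold across runs. The script below is an added example, not part of the sandbox output: it consolidates the Network and Files tables of both runs (rows transcribed from the sections above; the run labels are ours, and the win7 paths, printed without a drive letter in the report, are assumed to be on C: so they can be matched against the win10 paths). It separates domains that were only resolved from those actually connected to, unions the TCP endpoints, and reports which hashes appear in every run, which paths were rewritten within a run, and which paths hold different content from one run to the next.

```python
from collections import defaultdict

# Transcribed from the Network sections of both runs above
# ("<country> <ip:port> <domain> <proto>" per line); run labels are ours.
NETWORK = {
    "win10": """
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
""",
    "win7": """
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
""",
}

# Transcribed from the Files sections: (run, path, sha256). The win7 run
# prints paths without a drive letter; "C:" is assumed so paths compare.
FILES = [
    ("win10", r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "1f480270ef537195ab187e18f62c00321bbf8b7abd987dab0d35d2224d2a70f1"),
    ("win10", r"C:\Windows\SysWOW64\omsecor.exe",
     "1d5e2ffcb13994dd6c541abeb747f5140121c1f4eb78d367cf97085f7bbb5ea2"),
    ("win10", r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "ba12275bbc409d1a36d0abc4b1022e071da0ae33d3d442d13defaa985c0ba471"),
    ("win7", r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "1f480270ef537195ab187e18f62c00321bbf8b7abd987dab0d35d2224d2a70f1"),
    ("win7", r"C:\Windows\SysWOW64\omsecor.exe",
     "4f06b787b2725ad96cbd4d800fa83b079c07340d9eb31345f36d6766311c8564"),
    ("win7", r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
     "7929dd345717ddfa6867d86faee0af3c94656ddbd84e402c5690d0846be47a45"),
]


def parse_network(table):
    """Per domain: DNS resolvers queried and endpoints actually connected."""
    summary = defaultdict(lambda: {"dns": set(), "tcp": set(), "other": set()})
    for line in table.strip().splitlines():
        _country, dest, domain, proto = line.split()
        if proto == "udp" and dest.endswith(":53"):
            summary[domain]["dns"].add(dest)
        elif proto == "tcp":
            summary[domain]["tcp"].add(dest)
        else:
            summary[domain]["other"].add(f"{proto} {dest}")
    return dict(summary)


def dns_only_domains(table):
    """Domains that were resolved but never connected to in this run."""
    return sorted(d for d, v in parse_network(table).items()
                  if v["dns"] and not v["tcp"] and not v["other"])


def network_iocs(tables):
    """Union of domains and TCP endpoints over all runs."""
    domains, endpoints = set(), set()
    for table in tables.values():
        for domain, v in parse_network(table).items():
            domains.add(domain)
            endpoints |= v["tcp"]
    return {"domains": sorted(domains), "tcp_endpoints": sorted(endpoints)}


def file_iocs(records):
    """Merge file artefacts across runs: every hash, the hashes seen in all
    runs (the dependable ones), paths rewritten within one run, and paths
    whose content differs between runs."""
    runs = {run for run, _, _ in records}
    runs_by_hash, per_run_path = defaultdict(set), defaultdict(set)
    for run, path, sha256 in records:
        runs_by_hash[sha256].add(run)
        per_run_path[(run, path.lower())].add(sha256)
    hashes_by_path = defaultdict(dict)
    for (run, path), hs in per_run_path.items():
        hashes_by_path[path][run] = frozenset(hs)
    return {
        "all_sha256": sorted(runs_by_hash),
        "stable_sha256": sorted(h for h, rs in runs_by_hash.items() if rs == runs),
        "rewritten_in_run": sorted({p for (_, p), hs in per_run_path.items() if len(hs) > 1}),
        "differs_between_runs": sorted(p for p, d in hashes_by_path.items()
                                       if len(set(d.values())) > 1),
    }


if __name__ == "__main__":
    for run, table in NETWORK.items():
        print(run, "resolved but not contacted:", dns_only_domains(table))
    print(network_iocs(NETWORK))
    print(file_iocs(FILES))
```

On this report the only hash present in both runs is the first Roaming\omsecor.exe copy (1f480270...), so it is the file indicator worth relying on; the SysWOW64 copy and the second Roaming copy differ from run to run, and the domains plus the three TCP/80 endpoints come only from the win7 run.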