Analysis Overview
SHA256
51e50920232529d1fc9d56ea6c7443389ca8e212113a8177a70d29aa5dcc4c7e
Threat Level: Known bad
The file 51e50920232529d1fc9d56ea6c7443389ca8e212113a8177a70d29aa5dcc4c7e_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-20 09:46
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 09:46
Reported
2024-06-20 09:49
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\51e50920232529d1fc9d56ea6c7443389ca8e212113a8177a70d29aa5dcc4c7e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51e50920232529d1fc9d56ea6c7443389ca8e212113a8177a70d29aa5dcc4c7e_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3760,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7bd5b756d54c7f5372265b25c7ae96e4 |
| SHA1 | 4da778c621019d3ea47e32cacdd8c66c549780cc |
| SHA256 | 8904457a7b6540bc5a175be17ea503a25aafe7054da8b87b38ce5acbd029dc9d |
| SHA512 | 7c2ca7b203765bf14166f8cebf43dace2b7c28eae4ad76a31e5f05fd2007f4535603d6c473e986efb03d7972f185ddbd933a6bca6f40d40761662ad68340e6f0 |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 0e2ae812fa3021e3926f55e18de31a5c |
| SHA1 | 26fd7d8bd3e25bfcec8448ca68d1caf3c0d8e7ae |
| SHA256 | 413cd92d5862dbee3e1b2d1324e9ce41ab841833864d029bcb20580b67d16900 |
| SHA512 | 5f13baa934f4c37d88f310f168e130c4f9ea6fdaaf7200a7c10e0b8b3c9e8458406df65737251462c3bb08b337adb6374669e87fc5ba9e26b3d7298d5535706c |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 388a514f4e19b2e1b8036ee11265eb31 |
| SHA1 | 1dc4c50af154296e79f17aa7b3d74233ae7d7ed6 |
| SHA256 | 6e53b420ed0a00b4ab85c3b6ab1ec7b19cf123acd75afc71c2b8f7d1687079fe |
| SHA512 | aa599a78ef2c0028f502ea41bd7e9b741421bb4d5d0ccd74446cba3aaa6207f626b9100c83364529778aaaa1dfc6ae64839620d5ed819d1444d3185c98a64ee6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 09:46
Reported
2024-06-20 09:49
Platform
win7-20240611-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\51e50920232529d1fc9d56ea6c7443389ca8e212113a8177a70d29aa5dcc4c7e_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\51e50920232529d1fc9d56ea6c7443389ca8e212113a8177a70d29aa5dcc4c7e_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\51e50920232529d1fc9d56ea6c7443389ca8e212113a8177a70d29aa5dcc4c7e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51e50920232529d1fc9d56ea6c7443389ca8e212113a8177a70d29aa5dcc4c7e_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 7bd5b756d54c7f5372265b25c7ae96e4 |
| SHA1 | 4da778c621019d3ea47e32cacdd8c66c549780cc |
| SHA256 | 8904457a7b6540bc5a175be17ea503a25aafe7054da8b87b38ce5acbd029dc9d |
| SHA512 | 7c2ca7b203765bf14166f8cebf43dace2b7c28eae4ad76a31e5f05fd2007f4535603d6c473e986efb03d7972f185ddbd933a6bca6f40d40761662ad68340e6f0 |
\Windows\SysWOW64\omsecor.exe
| MD5 | e113dce288be998bb873bc32d42c68a0 |
| SHA1 | e30978c022fc11b20c3f1833f035747dac1fce3e |
| SHA256 | 3090b46b8dad183d6b2da72fcf505529c14b110ac09542e27b86ac8319bdc4e7 |
| SHA512 | fdde6c9e31a1cc59385860e008c6a120fd90690d00b74a72716fa95ed9238f9d9e4a84655aa4da4f7178c7a315f1c8ac28cda4f2e514dfc6e20affecc2936677 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 1e9f84c649efb109977ecae9dfb19a78 |
| SHA1 | a5ca5a49798fd881fc4cf9e49a4d59b47ed87727 |
| SHA256 | 857b270a880d529eed40852942fd638cc58f55310b1f38a46b2336f473edddde |
| SHA512 | 3f7a03cfbf8adc8e2c30fd1b868e4f6f58de5e6fb933594db17037f6920973696e8663de7a008134c84bf49571edb1211fcef4731eeb8210705bf43358ca3bb1 |