Analysis Overview
SHA256
5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707
Threat Level: Known bad
The file 5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-20 11:55
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 11:55
Reported
2024-06-20 11:57
Platform
win7-20240221-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 58ae46295b96b370448d71d2407ff489 |
| SHA1 | 9fa562dfe6039253de5ee24d35bff02987999486 |
| SHA256 | 9c3c314ec50afa8bc7eb234ef024ea2a2fb6b859296584dc46fd2de4257643af |
| SHA512 | d6c2018b7f20414dbc3e6fa813acc509f6138dc86743d21988ce0a8a84d1a412365d95860fea2ad7ec0aaaebb8113beae189a5f77d76d0c27f6644e5bba9d9a0 |
memory/1040-4-0x00000000002B0000-0x00000000002DD000-memory.dmp
memory/1040-3-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1856-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1856-15-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1856-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1856-21-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 2009d15c4191802eb997e11115dbbf2f |
| SHA1 | 939ab819284b7a07a8c77e1bf4fa2c9160f5cc43 |
| SHA256 | 1cb467329a58454f27cbcbd7f1f71e793b7339f26e973ef2e89db9f828fd2482 |
| SHA512 | 25422f975d2fc2e1b0a21f6351089cb724880d7a1fda874c01978988e9f4d7357350fb2e528308f3af99f7c711e3530e03efe5425c9623ef8ffa9cdd5b399bf4 |
memory/1856-24-0x0000000000390000-0x00000000003BD000-memory.dmp
memory/1856-32-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | bfac6f122ca83c690082b8bd34c61a02 |
| SHA1 | a298447ec9e048b9991b7ba814ae9198d35ba44f |
| SHA256 | b100894275869de46287565eb0105bce6f1ef67a9e9fa5d17cc2ecebd9df89a0 |
| SHA512 | 1a496ca640f2274f860029b2934239d36fdb81ee55630551e5c67fbc3e63674450fbbd319b4c236db5ae635b50040c0aa9269fa57423d1eba1334e1e9e068edf |
memory/2144-37-0x0000000000220000-0x000000000024D000-memory.dmp
memory/2144-43-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1792-46-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1792-47-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1792-50-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 11:55
Reported
2024-06-20 11:57
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f2ebdf032b724df743389eb7b451e85da798b819bc08ba5a10b729231136707_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/3788-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 58ae46295b96b370448d71d2407ff489 |
| SHA1 | 9fa562dfe6039253de5ee24d35bff02987999486 |
| SHA256 | 9c3c314ec50afa8bc7eb234ef024ea2a2fb6b859296584dc46fd2de4257643af |
| SHA512 | d6c2018b7f20414dbc3e6fa813acc509f6138dc86743d21988ce0a8a84d1a412365d95860fea2ad7ec0aaaebb8113beae189a5f77d76d0c27f6644e5bba9d9a0 |
memory/3788-5-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1224-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1224-8-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1224-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1224-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1224-13-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 086da5d34fb9fdb94ae1f9444bcff894 |
| SHA1 | c0dce96e9add0379049b53e43bd4e4ba7cd5ff6f |
| SHA256 | 3c3744c9fa4b78db4d1c0c003ee737e2d40c3bf56a462e2f691a60361b98cde4 |
| SHA512 | 2ca2d837517a183626f446c91307e07cee560aba8d7e40a0cc2a871a8d0c9370790da59aa9cd354a5d61c3419cf25bf6462e353393ef38d986c81fee7cf26fad |
memory/1224-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2804-20-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2804-25-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | fbc1c9ad174bee68507ed189932275c6 |
| SHA1 | 948dc1618f545d12a2a87d0b530b57e8588e2e95 |
| SHA256 | 7f9f5cbbdd9e4a3034ed4b9e8364a31ae73ee61ce9ec01a9e325f19f7d8bb314 |
| SHA512 | beaa88b13baff9fdfba36ea87d3c1f684989caf66c091299df0f98321ac7f642cb7f31ac542f28a9b0e726a6c97c80302f777f8609142f6b8e5d824c0ededb59 |
memory/4976-26-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4976-28-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4976-30-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4976-32-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4976-34-0x0000000000400000-0x000000000042D000-memory.dmp