Malware Analysis Report

2024-09-11 08:29

Sample ID 240621-akc4xstbjd
Target 225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe
SHA256 225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166
Tags
neconyd trojan
score
10/10

Analysis Overview

score
10/10

SHA256

225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166

Threat Level: Known bad

The file 225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-21 00:15

Signatures

Neconyd family

neconyd

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 00:15

Reported

2024-06-21 00:18

Platform

win7-20240611-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aae4bf58a341d254c8636c5e65555e88
SHA1 06f420d5b29543299cba9f88ab337cefa3528489
SHA256 d20cd6c5e20036357b511160740cb3de352b32e0f81a9e4c651da12f86fa490f
SHA512 4e362f96017c2e0a4d2495ed5a4c69bf25851e5cd7bb0584e6d43962fda16a00458317845287e04f835aa17ccb554fae93b76a1c33ac6a5d77ae864246243ec7

\Windows\SysWOW64\omsecor.exe

MD5 e292a3dada216f21df998317b9d852b7
SHA1 69695dd676c57ffe985bc94dbd6e95696a96b069
SHA256 f85d6b792d4246a24df9f10a174c3b665a26606bd899ef7f9b81cb2db92c92ae
SHA512 cdf50a01e86d526ed7e93c0386cc4e82ea0e2e045301ba8754b1d5a11a066635522e5052511513c522a5c8b839c83bc793f2955f64627b2ed13ebc7f57db0da3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 00:15

Reported

2024-06-21 00:18

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\225bafd029a722cce6c1b6e0f33897b92b74469123bddec3b33b0d92c66e4166_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 aae4bf58a341d254c8636c5e65555e88
SHA1 06f420d5b29543299cba9f88ab337cefa3528489
SHA256 d20cd6c5e20036357b511160740cb3de352b32e0f81a9e4c651da12f86fa490f
SHA512 4e362f96017c2e0a4d2495ed5a4c69bf25851e5cd7bb0584e6d43962fda16a00458317845287e04f835aa17ccb554fae93b76a1c33ac6a5d77ae864246243ec7

C:\Windows\SysWOW64\omsecor.exe

MD5 4e27cb0fda8b93dee7a1e4393817367a
SHA1 7d6ff00625c90736f2f7dff738155044c01c3d8c
SHA256 841dee9925897cfdae66904ada53c83e95e37d137a776f864b0a211da083783f
SHA512 b7bab6003192afaff29e612acf6dea36c60891834510c93403688fdd6c6a84bcef6b335a04b1f34789841dd00b0cf10c336458b13ea252a839a990983b261a59

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e3ec2b661cf8c831e47f8509a729914b
SHA1 cb7b7517272857393c2cd3775bb7a93b316ecdbc
SHA256 d8c65828ff53782b7a8b5ef741c8f0be345576065d28b6ea78705019511da063
SHA512 3e8be4a143e97fed220dc9f1507f9a33be18c67a7223508e7bf9eae1db4493ba47feb89590f2d743ee7c25bdf615d8236dec3f2a7c9ab4725ae536603613927b