Analysis Overview
SHA256
3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e
Threat Level: Known bad
The file 3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-21 04:46
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 04:46
Reported
2024-06-21 04:49
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
139s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/1200-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1200-4-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Hash |
|---|---|
| MD5 | c93022fe5d684b1906971da077f25c52 |
| SHA1 | 0394cafcd4e88700294fef430de5b50a2fa8e893 |
| SHA256 | a172bd2386f966626df6a16a60b6948dc2a8c2985b18474d53a309915d5a1088 |
| SHA512 | 6d96b712dd0d23412ca28399ae6ad83dd1299d440c4430330a79e93c7eaf79f87f45af6c19bce38dca5b88433772590938e189795e115020dbf85a1be9c55ca1 |
memory/4600-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4600-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Algorithm | Hash |
|---|---|
| MD5 | f7d4c46f3d442b4a6116d212319b7a3a |
| SHA1 | 287c9b64b011c3c2b355173ac90f637406cdddd2 |
| SHA256 | 037657b93711e19d7e048f4a4dd61c885c010bf0a0d12783494227490ac5421a |
| SHA512 | a528041bb77a500108e748aec7e4aa6c4e51c7008c0a01484c3e629a8644c6be24162e8b6622758bd2a921ea73ec5a44899bb8d4a39edbe518bebde535edac16 |
memory/4600-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3108-14-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Hash |
|---|---|
| MD5 | 53e354fab091daf95f568d50512fc7ba |
| SHA1 | f570e48d0c4306a0bce2ffad7bf5d0738d0955aa |
| SHA256 | 9dceca8008e7195f75c42c634497aad9643f7923037942275b00ac90dc5148d2 |
| SHA512 | 1452983537cd029c9d864fe2a19165e68213994bc28fb0bc9e873aca0e1bd642445dbad4c6eefde1cda31285617f0f49e8e6dc7ce6932b3b71c985ede768ac7f |
memory/3932-18-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3932-19-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 04:46
Reported
2024-06-21 04:49
Platform
win7-20240221-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ecdad85d0a304a0bca9a0c2b9c23b03bd5c57453192dfb0fcc4453e2433163e_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2820-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Hash |
|---|---|
| MD5 | c93022fe5d684b1906971da077f25c52 |
| SHA1 | 0394cafcd4e88700294fef430de5b50a2fa8e893 |
| SHA256 | a172bd2386f966626df6a16a60b6948dc2a8c2985b18474d53a309915d5a1088 |
| SHA512 | 6d96b712dd0d23412ca28399ae6ad83dd1299d440c4430330a79e93c7eaf79f87f45af6c19bce38dca5b88433772590938e189795e115020dbf85a1be9c55ca1 |
memory/2104-10-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2820-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2104-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Algorithm | Hash |
|---|---|
| MD5 | 316dc1dc960a505a7c1ebaf70fd812da |
| SHA1 | ee8dfa1bb11afe9e95722d325e80ff43b9bd7480 |
| SHA256 | 80a4da49d31368a6b0d63a8ab9bccfc9eb7c3a85b78e05ab6cba013d5a9a03e0 |
| SHA512 | 35453b2e6e99b64fa8d17640e4a372ab573d9ab22f64de97fb3a96295ae597c9edb3a78251e65149043ec9d1a48786ec12f07306146df7dc96748a163ec4d20b |
memory/2104-17-0x0000000000790000-0x00000000007BA000-memory.dmp
memory/2104-23-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| Algorithm | Hash |
|---|---|
| MD5 | ce6a67cf9ac3f906adbbc5ae5b9e6ec0 |
| SHA1 | 6a23d1b9acaafa9b19bc65ebbe39a2999aa2f011 |
| SHA256 | 7cb9c840797327a8d4b619cef8f9a89ced353ea48f7fc21d9a2ac318d5187522 |
| SHA512 | f57dbf87f345d15f6f838c8c1054f2624d56721b0f2a45cced1e05a878a9567136f1c436b14b284fbe2e503b6040cc16769496fa40ce65dac1c9aada123ae18d |
memory/2788-29-0x0000000000220000-0x000000000024A000-memory.dmp
memory/1972-36-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2788-34-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1972-38-0x0000000000400000-0x000000000042A000-memory.dmp