Analysis Overview
SHA256
3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5
Threat Level: Known bad
The file 3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-21 04:51
Signatures
Neconyd family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 04:51
Reported
2024-06-21 04:54
Platform
win7-20240419-en
Max time kernel
145s
Max time network
146s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2364-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3decbb6825c24f43118026774963d5e8 |
| SHA1 | 7661a83b49fa8d2ff3910e3b617b6b5d6191c620 |
| SHA256 | 46808193d3962572e628f0fd6975afee52711729fe2af72cc9ccdf93aab4a959 |
| SHA512 | 9cbcca3928d590e44dab40291094078703a1031fe3f09fc8c8aa9283375f48d4a030a7808dfe966569cfda0d1e5dfdaf64e4f7c5625afbd4953289db8e3fbede |
\Windows\SysWOW64\omsecor.exe
| MD5 | 896ef2e3388056c165f92a0a80ff2897 |
| SHA1 | 6b9c3494b0ce1a310290cb5c0fcf0f9879f138a0 |
| SHA256 | a2013b952dc02bff187bea7750413a6e3733e7d6c5c71d08c22ab3f0870df370 |
| SHA512 | 23f057ade78fb104333f95b691ec0ecdef4f227fc3223c0306d9dcb195cb7f11ee1967c4f392ae0b3f71453a23f72c293569e9198f74e6626619440fc025a0ed |
memory/1524-33-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2060-31-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 11702284621676bceab289fe44e6337e |
| SHA1 | 97d8a9ed543fa89d9bc9fc5c1b26055031146794 |
| SHA256 | 8d0026c3611e2f32ff86ea554933888118898d385409f2790e5bb085e97f76a4 |
| SHA512 | 50d426fe7c2dc3be0b817b72707b8c061ef71558a6d804e18a06d592cb40d803d5f41f6bcbd863ca8bd87afc8b45a66c7f78c28798bbb3bfae6d1e2d0eedb4fc |
memory/1300-46-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1524-43-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1300-50-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 04:51
Reported
2024-06-21 04:54
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
UPX packed file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f25bbbc04e6544f02ebb6309c3676e31b4eff50694557c0c9f2da7ff66048f5_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/2140-0-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2140-5-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 3decbb6825c24f43118026774963d5e8 |
| SHA1 | 7661a83b49fa8d2ff3910e3b617b6b5d6191c620 |
| SHA256 | 46808193d3962572e628f0fd6975afee52711729fe2af72cc9ccdf93aab4a959 |
| SHA512 | 9cbcca3928d590e44dab40291094078703a1031fe3f09fc8c8aa9283375f48d4a030a7808dfe966569cfda0d1e5dfdaf64e4f7c5625afbd4953289db8e3fbede |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 5bf8a21b20344ae4586408869cff238f |
| SHA1 | acde753dcdddcf7f3ffcd3faf0e0ce87a105541b |
| SHA256 | 4921eb004c5789a8f373c0b06cdb6dc27e99d9060d2f3456365f6c7d09ed24c8 |
| SHA512 | 70a1557542792033f2ed5d0470ba2a413016af7a6fd996951dd61f9ad9b23be8e0b2641fa2ab7efc5b3aef70d2f51fe37511127d539f3cd84c1026b2c3f04eb4 |
memory/4788-19-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3916-21-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 777704d5a32b01fd53fc10092c5194b6 |
| SHA1 | fc0f87180a7e8943fca19e3c96cf8d64d8885044 |
| SHA256 | 7ea39828b80e786fa92f59f5203c6a1840d8a7d40a396429fd3fffd66b3b4c15 |
| SHA512 | 9ae1d70333d787b95d4fce772a79a81a3f34b6b957837b78ca6b5de495d4d53d7b058f92fb3f7ed55a8725c2b7deb2792daa9aea246f32f0aaff434b558c34a8 |
memory/1904-34-0x0000000000400000-0x000000000042D000-memory.dmp