Malware Analysis Report

2024-09-11 08:29

Sample ID 240621-flks2sydmg
Target 3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe
SHA256 3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e
Tags
neconyd trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e

Threat Level: Known bad

The file 3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-21 04:57

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 04:57

Reported

2024-06-21 05:00

Platform

win7-20240419-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3024 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3024 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3024 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3024 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 3064 wrote to memory of 288 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3064 wrote to memory of 288 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3064 wrote to memory of 288 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 3064 wrote to memory of 288 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 288 wrote to memory of 1804 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 288 wrote to memory of 1804 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 288 wrote to memory of 1804 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 288 wrote to memory of 1804 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/3024-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ef9a09776315c7a5b1eefdc69f51d39e
SHA1 162578d8dd1c38a42bc41124873c4358a70047a2
SHA256 e3870a605f4f393d0fba006d080c562474b5dc625374d81f6b3e1ca924440a3f
SHA512 264e3a524bf764c1157aae9d9bd224dd469a5971f8926744da7e57ce82fcd50144c08815e4a78e9fa9af0b5c7196fdc8e586b8db4dccd2b8a14afd535f5b2623

memory/3064-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3024-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3064-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3064-16-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3064-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3064-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 3f831cc885732a2da910418f23e065e3
SHA1 a66300257f1a6061afb4b2b1a4d829d1d1610303
SHA256 2f5acb6648a4a12e62411ba6ad441691046d83f1d198ea8ecd8a65db7ec5c598
SHA512 bbceeedb0e3e234f8e464e3f51dabf7cd940db04b6c586bd500132a2afd1cc00157e0a802354942b90ab91ab242aaca24110afd6fadfb8d2b2ee3849b29083a9

memory/3064-25-0x0000000000290000-0x00000000002BD000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 febd5d5799341d9e4956e8d71cb77674
SHA1 2520c761dbf5b54284d27635f9a3b0fb4c1aa8e3
SHA256 63320d1371424e639c5959b89c27a8c03f17bd62dbc3d4f6419eb0120fb3a627
SHA512 c56328745785aa354bd88d25172d41b1f1a5d3fee1f45b83dc8bd6dc6cc8c113bf8d4dcc837dfe5b2bcab0a4a5c85cebfa384fb15be8bf1b61dcb5f7b9da0fd4

memory/288-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/288-34-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3064-32-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1804-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1804-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1804-51-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 04:57

Reported

2024-06-21 05:00

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\3fa1481374fc22fb1a2d3e9fedb6d3c38788a8660abab0e8febfa7fb6f78a82e_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 udp

Files

memory/1080-0-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1080-6-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 ef9a09776315c7a5b1eefdc69f51d39e
SHA1 162578d8dd1c38a42bc41124873c4358a70047a2
SHA256 e3870a605f4f393d0fba006d080c562474b5dc625374d81f6b3e1ca924440a3f
SHA512 264e3a524bf764c1157aae9d9bd224dd469a5971f8926744da7e57ce82fcd50144c08815e4a78e9fa9af0b5c7196fdc8e586b8db4dccd2b8a14afd535f5b2623

memory/640-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/640-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/640-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/640-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/640-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 310a1d74cef7dd5d50ae301c7351c246
SHA1 a8a80239cf7ec0f1cfcafa07853938a55d94107f
SHA256 8882d28769db2275a6d47252bd37ca2d024a2f090025f30e0b5aa9184cbee5a1
SHA512 96d76e154b0060e51e296aad1ec7729ad3afc793836cbeff2f9940eaddc979eb087f59ff97d581da6e959baa0e69790b987a796d319bf653ed2b4dfe6462bf51

memory/640-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2420-22-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 502a68b5a6ed95480da38f2ffeda8203
SHA1 ab920dd38e718e0cbd3e5e2e41c955aad3c20f28
SHA256 d8eb945ea9781489b0fa42f3800e4e99285c133de85e45b1d0830eb6bdb92090
SHA512 ba96045a15b3e41b500d702f7a81c81994b1e8d81a1d55436d92070e161a74ca36435ddfdafbac0823e9f3f6d202c2df6b7c31fad0208cea567520e8a1553f06

memory/2420-27-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1080-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1080-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1080-33-0x0000000000400000-0x000000000042D000-memory.dmp