Analysis Overview
SHA256
45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96
Threat Level: Known bad
The file 45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-21 06:00
Signatures
Neconyd family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 06:00
Reported
2024-06-21 06:03
Platform
win7-20240611-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/860-1-0x0000000000400000-0x000000000042D000-memory.dmp
memory/860-4-0x0000000000220000-0x000000000024D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e48a8a045991fe9fa98dc91c014042d7 |
| SHA1 | 50f31e988c590a62dc64e246dff0199958445a66 |
| SHA256 | 3299caa7f355dd474bede0d5af400365a3eecbff3db2d3eaf49c8db1ed70181a |
| SHA512 | dd0cbcd8c7b90180cb79f7ed7ccefdfbb57c55e3ba08dd3789e6b547ca458ed2343f9cd6ad654b57b10b04457a60000a7e5ee514a84f186226c29585af394b61 |
memory/860-9-0x0000000000220000-0x000000000024D000-memory.dmp
memory/860-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2600-14-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2600-17-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2600-20-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2600-23-0x0000000000400000-0x000000000042D000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | e7bcf5cf6b9c7c186637cb14771b2023 |
| SHA1 | 810c9e196c40c1581418f5fe89e9824d1b9b1042 |
| SHA256 | 0a317b7c3eabc670bdbe45346e3bd37c926e1fd8a3cc376c3769fd2d74ab66bf |
| SHA512 | dc47fb58c6f513590ba6113aa92daacbaa3a626fb30ff7e26467554361ba9c3bcbd78a9f5aa70f0526afb3a872d314a1fb82e81ae78d388eb9f08b87ee9f3f06 |
memory/2600-26-0x0000000000350000-0x000000000037D000-memory.dmp
memory/2600-33-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2836-35-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6b929af8674c414152c74a4323f264ed |
| SHA1 | fcb47e85bd370e99aca32a02ab54988b2cace656 |
| SHA256 | e8f6840104afe62f741d7a9bc9a25f672d9bb69c9bb318fb5bdc21fd95d09265 |
| SHA512 | 6df79107a9a88154626614cbc504ac1280618a999bc71c3b0748d38dea20289c9a61cf8165c283412b0691ca2c1f78fef5ec9f3e3986ea4d22dd4b20711501ec |
memory/2836-40-0x0000000000220000-0x000000000024D000-memory.dmp
memory/2836-46-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1800-49-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1800-52-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 06:00
Reported
2024-06-21 06:03
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3184 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3184 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 3184 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 1284 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1284 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 1284 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\45c5b51df1901df83f6c1947331b5fbb13e27d13c5ea0b9c2b6ff9e5bedc5a96_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/3184-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e48a8a045991fe9fa98dc91c014042d7 |
| SHA1 | 50f31e988c590a62dc64e246dff0199958445a66 |
| SHA256 | 3299caa7f355dd474bede0d5af400365a3eecbff3db2d3eaf49c8db1ed70181a |
| SHA512 | dd0cbcd8c7b90180cb79f7ed7ccefdfbb57c55e3ba08dd3789e6b547ca458ed2343f9cd6ad654b57b10b04457a60000a7e5ee514a84f186226c29585af394b61 |
memory/1284-5-0x0000000000400000-0x000000000042D000-memory.dmp
memory/3184-6-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1284-7-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1284-10-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1284-13-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1284-14-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | bb7892f877bac00db3e9b102506da1ca |
| SHA1 | f8f6183c6b42dd8da5bc07975af79e6f3563da38 |
| SHA256 | 4afb1ef9d63712d1bc21ea2932db27dea84e238e268687882602c21aac046087 |
| SHA512 | 798e53bf56b5d1788bcde4d1aecbbd03079409f3708db7d1375c19d0dda85a08597c662741a54c9b979869f91b51cbda1d7538b7de15190f42d591b541e55e39 |
memory/4600-18-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1284-20-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4600-21-0x0000000000400000-0x000000000042D000-memory.dmp
memory/4600-24-0x0000000000400000-0x000000000042D000-memory.dmp