Analysis Overview
SHA256
68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2
Threat Level: Known bad
The file 68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-21 11:29
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 11:29
Reported
2024-06-21 11:32
Platform
win10v2004-20240611-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\merocz.xc6 | C:\Windows\SysWOW64\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4692 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4692 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4692 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| PID 4884 wrote to memory of 3152 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4884 wrote to memory of 3152 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
| PID 4884 wrote to memory of 3152 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/4692-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5ed2b3da5601676f7dcab676d04c19d7 |
| SHA1 | 44ced867ecd6435f0283c46544bf6c574d09ddb8 |
| SHA256 | 3261f5a6b0bea00bfbc1a1a53a7489fe4b56f3402525845ccd0e38735574e4c0 |
| SHA512 | 76c5e8dccd146799d45ad554ede8e231551188e1a997bbf8019f9144eb8c9e011a471fae18ecfc7ebcdcfbbbef05e5c66b53d4d590e17348cb0eae99f49d0197 |
memory/4692-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4884-6-0x0000000000400000-0x000000000042A000-memory.dmp
memory/4884-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 144ea80d6170bfcc140ee2b8bdf8e206 |
| SHA1 | d0bd692c15fca14241d3785e154245f97928587b |
| SHA256 | 68cca0011c6e7cb555a24ab70494a2bc1b2da5dd2842fdefd327f538b936ffc1 |
| SHA512 | aae0bf998d2df0d24a03756aca39e77377f9dd9f30969e3d3a6b1df3447b9af9817665d454493bd758adc4c517c432e6f08386fefcaff1fa494f4d4d2b86daf6 |
memory/4884-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3152-13-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3152-14-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 11:29
Reported
2024-06-21 11:32
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\68b03f81eef7e2c8f39670ad8fa7c126383c502c653ded556b45d59eaee856a2_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2388-0-0x0000000000400000-0x000000000042A000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 5ed2b3da5601676f7dcab676d04c19d7 |
| SHA1 | 44ced867ecd6435f0283c46544bf6c574d09ddb8 |
| SHA256 | 3261f5a6b0bea00bfbc1a1a53a7489fe4b56f3402525845ccd0e38735574e4c0 |
| SHA512 | 76c5e8dccd146799d45ad554ede8e231551188e1a997bbf8019f9144eb8c9e011a471fae18ecfc7ebcdcfbbbef05e5c66b53d4d590e17348cb0eae99f49d0197 |
memory/2388-9-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1952-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2388-4-0x0000000000220000-0x000000000024A000-memory.dmp
memory/1952-13-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 196932566ea950b882a052d995e81357 |
| SHA1 | 6fb40d163fdc7a0cadfd5058dfab22d1eedb6377 |
| SHA256 | 9f7cc18c31bfaac5d35b5f934881f12afcf3ab1c1d25e2a8516e99f9d520835d |
| SHA512 | 16ef78d321949a9b22f3a0cbe092500e1483801ba5280e46b08243b22ce850331373b675d5070daa4b7d7b46a6be841ef6dfacaaf057a37fa1f916eb2a230005 |
memory/1952-19-0x0000000000280000-0x00000000002AA000-memory.dmp
memory/1952-24-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1028-28-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2392-36-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 0124a2e4bd1ee0be8d80e4ffefc6b657 |
| SHA1 | 369ab923c5a7b6d287de7a00c7249079e7fb57e9 |
| SHA256 | 499f65096926d950034873788910438d0b61a22be4216c15e1075ab6b17268e1 |
| SHA512 | c0c538466a6c14a767063c2385508f5e4127c6b353167046b35efbbfcb92a54d0bc83293189c1e73448a7b2cc6fe6a3f36eb42de72d55ed300cb3f404020c6f8 |
memory/2392-38-0x0000000000400000-0x000000000042A000-memory.dmp