Analysis Overview
SHA256: 74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67
Threat Level: Known bad
The file 74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported: 2024-06-22 00:55
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-22 00:55
Reported: 2024-06-22 00:57
Platform: win7-20240508-en
Max time kernel: 146s
Max time network: 149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
memory/1640-0-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | c5769621744a78a9cc118718f1776adb |
| SHA1 | 822b9c815f8a6161e86ffca4e1b98c023cd59332 |
| SHA256 | b739919a2886cb4e89e7cb109a67b7e2a56a71f70bd5e7678bbafd19a4be5b8f |
| SHA512 | 258543be6fd458e1b386d56aa2e889f958f6c24b576ebef5c3683d2d5058bb16f96f44fd0f55bbc327d689df4a1749f6f9b9ebe637cd82b5a70c77317f4f66f4 |
memory/1640-8-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2012-10-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2012-12-0x0000000000400000-0x000000000042A000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 5f3354c6d226e05a51db414987ef7b12 |
| SHA1 | 622f0fef7c3e4995e7d01e3dc939f6a9672e9cb8 |
| SHA256 | c84dd384fc687701af11f3b874d4bcd3c5f91f10c56f45faebd2f2c352c4c172 |
| SHA512 | 39d5ceff2eb42c28a8794d4b9b649db576c12119e2f84241080142156d2589ceb04cd2bbf896462bea2995ee54b31c2186f49a4a3729c277c2e56f5753a8519f |
memory/2012-15-0x00000000003A0000-0x00000000003CA000-memory.dmp
memory/2240-25-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2012-21-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1664-33-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 3f84b447c72eebee80ee09969bb920a3 |
| SHA1 | 08b19d4c2d121f0da2d560a2fff24e6ff3b3737d |
| SHA256 | c6c05d2d1d61cc86b03c693bb8f1e880bd10db0e83bee36f2a4d858910940d79 |
| SHA512 | 37405ee2c70accbf15421e02dbeae32cc622843613bedd36dd10b6d6034cadc0492158f8623cdeb37636941e5b2f3511b53923710b9d2a594507621d86d8192d |
memory/1664-35-0x0000000000400000-0x000000000042A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-22 00:55
Reported: 2024-06-22 00:57
Platform: win10v2004-20240508-en
Max time kernel: 142s
Max time network: 140s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\74a4d03bfd6d7d32d047d9c96d2a15b46b201a575dc1818606895ab5c96cee67_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
Files
memory/3424-0-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3424-3-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | c5769621744a78a9cc118718f1776adb |
| SHA1 | 822b9c815f8a6161e86ffca4e1b98c023cd59332 |
| SHA256 | b739919a2886cb4e89e7cb109a67b7e2a56a71f70bd5e7678bbafd19a4be5b8f |
| SHA512 | 258543be6fd458e1b386d56aa2e889f958f6c24b576ebef5c3683d2d5058bb16f96f44fd0f55bbc327d689df4a1749f6f9b9ebe637cd82b5a70c77317f4f66f4 |
memory/1536-5-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1536-7-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | 8db304185a973f1e22b5293245948700 |
| SHA1 | 417117b65bef32ffb3338cb6b48a346fb51d5da9 |
| SHA256 | 1e2045d5f06503e295a04129db31ea5ef3210f2fbc079b07ed9d408038591f29 |
| SHA512 | 1edb8c61aa718ea7eef5cb60979a2efc5f44bce58081b4c7e77df83bc130c97d920c50fec4e2f53b16bf56606fbdcaf9730125a795dc5e020d95444b603a4558 |
memory/1536-11-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3656-12-0x0000000000400000-0x000000000042A000-memory.dmp
memory/3656-17-0x0000000000400000-0x000000000042A000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| Hash | Value |
| --- | --- |
| MD5 | fb4be026e8c5bbddd0b6a21f38ecc790 |
| SHA1 | 9564d45e1a7ee9a5492785d70ef944e9155c58fc |
| SHA256 | 105d9df05dd5609b9afdc9b9790b89c0447db54792d28d9042530f3fbf81f22a |
| SHA512 | b1a8aba5790a97e55d7a49a7dd2a21440b26d3710c6207fcd77cb9e415417b49fcfc2d3a25824d41af45a941466aa0875af4af1d99fe24bdeb5d083361e4d321 |
memory/1992-19-0x0000000000400000-0x000000000042A000-memory.dmp
memory/1992-20-0x0000000000400000-0x000000000042A000-memory.dmp