Analysis Overview

score

10^/10

SHA256

76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187

Threat Level: Known bad

The file 76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd

Neconyd family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-22 01:27

Signatures

Neconyd family

neconyd

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 01:27

Reported

2024-06-22 01:30

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 960 wrote to memory of 216	N/A	C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 960 wrote to memory of 216	N/A	C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 960 wrote to memory of 216	N/A	C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 216 wrote to memory of 2128	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 216 wrote to memory of 2128	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 216 wrote to memory of 2128	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2128 wrote to memory of 2212	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2128 wrote to memory of 2212	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2128 wrote to memory of 2212	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
BE	88.221.83.187:443	www.bing.com	tcp
US	8.8.8.8:53	209.205.72.20.in-addr.arpa	udp
US	8.8.8.8:53	144.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	71.31.126.40.in-addr.arpa	udp
US	8.8.8.8:53	237.197.79.204.in-addr.arpa	udp
US	8.8.8.8:53	187.83.221.88.in-addr.arpa	udp
US	8.8.8.8:53	26.35.223.20.in-addr.arpa	udp
US	8.8.8.8:53	13.86.106.20.in-addr.arpa	udp
US	8.8.8.8:53	228.249.119.40.in-addr.arpa	udp
US	8.8.8.8:53	157.123.68.40.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	73.91.225.64.in-addr.arpa	udp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	52.34.198.229:80	ow5dirasuek.com	tcp
US	8.8.8.8:53	229.198.34.52.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	30.243.111.52.in-addr.arpa	udp
US	8.8.8.8:53	tse1.mm.bing.net	udp
US	150.171.27.10:443	tse1.mm.bing.net	tcp
US	150.171.27.10:443	tse1.mm.bing.net	tcp
US	150.171.27.10:443	tse1.mm.bing.net	tcp
US	150.171.27.10:443	tse1.mm.bing.net	tcp
US	8.8.8.8:53	88.156.103.20.in-addr.arpa	udp
US	8.8.8.8:53	10.27.171.150.in-addr.arpa	udp
FI	193.166.255.171:80	lousta.net	tcp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	78.239.69.13.in-addr.arpa	udp

Files

memory/960-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	a5dd43764ad353142c2f2c0494a2bff4
SHA1	eb51684bc7f09e6487144283f76e2bd681983a5a
SHA256	1fb35b9a815b7951d8603302cd63fcb5b862f7d1f248b3b120ce6734225ce5bf
SHA512	dcf8c5f3500fb68d3609d9c7ff7739095932a36ca256a390d5ad62cac8e32ea3f01817d253f24f2b2aaae00389da389a325cf97991abce5b91cbd061813a2eb7

memory/216-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/960-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/216-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/216-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/216-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/216-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5	c8c1799e878f34d5edc84b686e2430cc
SHA1	7fca95da67696aca4a97f290dbd3bfb7ece6bf7b
SHA256	022262e68d90d8c340fa1cabc47bf2b01a6682e168bc54d908890137cd48ab1e
SHA512	89060dc24a7338b7b5588348cc3aa6d95977c1d81bac75b74a472ba471d70e1e8e7d8c33c94dd90d3b605f0eb3df60ed5efdc4366dd21d4ff97a9ed939efbe43

memory/216-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2128-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2128-26-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	3c9c7d55f88b0c4efb4f19816d4eab17
SHA1	a2259da2f240d6bd2133964934951598a4f10c11
SHA256	5831cfba6867711b203fd052a150a3e6cebe038b43ab00bae463750c1d70436a
SHA512	0f09ec735b3abdf0572b87cdeb578d286be8e2d41deb49b441c1c4fd705e655ef8c521eb36f338f934daed8e8818cffadaf9616ee93b6dd73f9699500cf83301

memory/2212-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2212-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2212-33-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 01:27

Reported

2024-06-22 01:29

Platform

win7-20231129-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\omsecor.exe	N/A

UPX packed file

upx

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Drops file in System32 directory

Description	Indicator	Process	Target
File created	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1992 wrote to memory of 2188	N/A	C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1992 wrote to memory of 2188	N/A	C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1992 wrote to memory of 2188	N/A	C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1992 wrote to memory of 2188	N/A	C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 1920	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 1920	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 1920	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 1920	N/A	C:\Users\Admin\AppData\Roaming\omsecor.exe	C:\Windows\SysWOW64\omsecor.exe
PID 1920 wrote to memory of 2184	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1920 wrote to memory of 2184	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1920 wrote to memory of 2184	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1920 wrote to memory of 2184	N/A	C:\Windows\SysWOW64\omsecor.exe	C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	lousta.net	udp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
US	8.8.8.8:53	mkkuei4kdsz.com	udp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp
US	8.8.8.8:53	ow5dirasuek.com	udp
US	52.34.198.229:80	ow5dirasuek.com	tcp
FI	193.166.255.171:80	lousta.net	tcp
FI	193.166.255.171:80	lousta.net	tcp
US	64.225.91.73:80	mkkuei4kdsz.com	tcp

Files

memory/1992-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5	a5dd43764ad353142c2f2c0494a2bff4
SHA1	eb51684bc7f09e6487144283f76e2bd681983a5a
SHA256	1fb35b9a815b7951d8603302cd63fcb5b862f7d1f248b3b120ce6734225ce5bf
SHA512	dcf8c5f3500fb68d3609d9c7ff7739095932a36ca256a390d5ad62cac8e32ea3f01817d253f24f2b2aaae00389da389a325cf97991abce5b91cbd061813a2eb7

memory/1992-4-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1992-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2188-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2188-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2188-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5	d17006b464b057242ee5069aaebd819b
SHA1	ae2bc00f3264b1fa0c6b5e059d5b929e5b88d728
SHA256	6ee1cff0dc2e9669c08d2dcf45fe809917f222958dce11910daca9946e8e2976
SHA512	c0ab61579d31bb224d049dc40349e13875987d5ac0b9753d50514214d4bf93b0ee5a78258f753f0c0c3ceb1d0ee971ee08d7bb3d4f9751a211c685acb3508140

memory/2188-25-0x0000000000280000-0x00000000002AD000-memory.dmp

memory/2188-32-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5	539be159b383aad7e2719fdba7008c25
SHA1	676038fa82f2b9eed66c761bcaf66b900fbd7aa8
SHA256	e48de03c1a650725635273807c7a15775eba213a8347cfe124b3dd6c9f9de0b4
SHA512	172dda99b814c3431e49a2680a70e38500333704095a1f0d8311086ca9a34337f9751b0820b77a7a794f8529a7497f62762f11b0af8e769acc7a2d9d1195177d

memory/1920-43-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-50-0x0000000000400000-0x000000000042D000-memory.dmp

Sample ID	240622-bval8a1bjh
Target	76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe
SHA256	76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187
Tags	neconyd trojan upx

Malware Analysis Report

2024-09-11 08:29

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files