Malware Analysis Report

2024-09-11 08:29

Sample ID 240622-bval8a1bjh
Target 76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe
SHA256 76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187
Tags
neconyd trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187

Threat Level: Known bad

The file 76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan upx

Neconyd

Neconyd family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-22 01:27

Signatures

Neconyd family

neconyd

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 01:27

Reported

2024-06-22 01:30

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(16 matches; no description, indicator, process or target reported for any of them)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 78.239.69.13.in-addr.arpa udp

Files

memory/960-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a5dd43764ad353142c2f2c0494a2bff4
SHA1 eb51684bc7f09e6487144283f76e2bd681983a5a
SHA256 1fb35b9a815b7951d8603302cd63fcb5b862f7d1f248b3b120ce6734225ce5bf
SHA512 dcf8c5f3500fb68d3609d9c7ff7739095932a36ca256a390d5ad62cac8e32ea3f01817d253f24f2b2aaae00389da389a325cf97991abce5b91cbd061813a2eb7

memory/216-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/960-5-0x0000000000400000-0x000000000042D000-memory.dmp

memory/216-8-0x0000000000400000-0x000000000042D000-memory.dmp

memory/216-11-0x0000000000400000-0x000000000042D000-memory.dmp

memory/216-14-0x0000000000400000-0x000000000042D000-memory.dmp

memory/216-15-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 c8c1799e878f34d5edc84b686e2430cc
SHA1 7fca95da67696aca4a97f290dbd3bfb7ece6bf7b
SHA256 022262e68d90d8c340fa1cabc47bf2b01a6682e168bc54d908890137cd48ab1e
SHA512 89060dc24a7338b7b5588348cc3aa6d95977c1d81bac75b74a472ba471d70e1e8e7d8c33c94dd90d3b605f0eb3df60ed5efdc4366dd21d4ff97a9ed939efbe43

memory/216-21-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2128-22-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2128-26-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 3c9c7d55f88b0c4efb4f19816d4eab17
SHA1 a2259da2f240d6bd2133964934951598a4f10c11
SHA256 5831cfba6867711b203fd052a150a3e6cebe038b43ab00bae463750c1d70436a
SHA512 0f09ec735b3abdf0572b87cdeb578d286be8e2d41deb49b441c1c4fd705e655ef8c521eb36f338f934daed8e8818cffadaf9616ee93b6dd73f9699500cf83301

memory/2212-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2212-30-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2212-33-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 01:27

Reported

2024-06-22 01:29

Platform

win7-20231129-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
(15 matches; no description, indicator, process or target reported for any of them)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1992 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1992 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1992 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1992 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2188 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 2188 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe
PID 1920 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1920 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1920 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 1920 wrote to memory of 2184 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\76527e09e91d10d2c86392e4f4792df0ead3d1fbff9aff938ef68ea5c6643187_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

memory/1992-0-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 a5dd43764ad353142c2f2c0494a2bff4
SHA1 eb51684bc7f09e6487144283f76e2bd681983a5a
SHA256 1fb35b9a815b7951d8603302cd63fcb5b862f7d1f248b3b120ce6734225ce5bf
SHA512 dcf8c5f3500fb68d3609d9c7ff7739095932a36ca256a390d5ad62cac8e32ea3f01817d253f24f2b2aaae00389da389a325cf97991abce5b91cbd061813a2eb7

memory/1992-4-0x0000000000220000-0x000000000024D000-memory.dmp

memory/1992-10-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2188-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2188-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2188-22-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 d17006b464b057242ee5069aaebd819b
SHA1 ae2bc00f3264b1fa0c6b5e059d5b929e5b88d728
SHA256 6ee1cff0dc2e9669c08d2dcf45fe809917f222958dce11910daca9946e8e2976
SHA512 c0ab61579d31bb224d049dc40349e13875987d5ac0b9753d50514214d4bf93b0ee5a78258f753f0c0c3ceb1d0ee971ee08d7bb3d4f9751a211c685acb3508140

memory/2188-25-0x0000000000280000-0x00000000002AD000-memory.dmp

memory/2188-32-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 539be159b383aad7e2719fdba7008c25
SHA1 676038fa82f2b9eed66c761bcaf66b900fbd7aa8
SHA256 e48de03c1a650725635273807c7a15775eba213a8347cfe124b3dd6c9f9de0b4
SHA512 172dda99b814c3431e49a2680a70e38500333704095a1f0d8311086ca9a34337f9751b0820b77a7a794f8529a7497f62762f11b0af8e769acc7a2d9d1195177d

memory/1920-43-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-45-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-47-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-50-0x0000000000400000-0x000000000042D000-memory.dmp