Analysis Overview
SHA256
8808f6eba2eada6bc7915f98a295ae8cad1fbadfeaef7c131d75f388ddb831d1
Threat Level: Known bad
The file 8808f6eba2eada6bc7915f98a295ae8cad1fbadfeaef7c131d75f388ddb831d1_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd
Neconyd family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-22 07:24
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 07:24
Reported
2024-06-22 07:27
Platform
win7-20240508-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8808f6eba2eada6bc7915f98a295ae8cad1fbadfeaef7c131d75f388ddb831d1_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8808f6eba2eada6bc7915f98a295ae8cad1fbadfeaef7c131d75f388ddb831d1_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8808f6eba2eada6bc7915f98a295ae8cad1fbadfeaef7c131d75f388ddb831d1_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8808f6eba2eada6bc7915f98a295ae8cad1fbadfeaef7c131d75f388ddb831d1_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
Files
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6d4c422b7078cafe2c9f83f6badc11d4 |
| SHA1 | 6c7560c85f5d16c98d928568f29f38eb47436707 |
| SHA256 | 85c273c024215309b11d295162cea4da47ba808be0eadecb605f5d1e50db273f |
| SHA512 | 13a5d2ede97489d3dddcb208422832db92ef0b96524db6e211f528fd3c7409deeac618a1a564a5290632e7c648209555e09dd703134cceb40282aab3010c862a |
\Windows\SysWOW64\omsecor.exe
| MD5 | 3372ba4c0cc1497b344d865a7913a170 |
| SHA1 | aef9ff2be469edea881c11a8611d9a38b9db4bdf |
| SHA256 | b32bc987183615bf82f0b2ce60a8cbac6d759a8c434fba9680d6aa2a7714d23d |
| SHA512 | bb39bee8f3a56737e5ff0a94cd3a1205cef0c2fd7be4da94650e9b87c16f660edd770fe25229edf613870ea15cd11a75e23a11f1fe18232759f57dd02218dee2 |
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6f78407a2ded5f4e04b059a1e4b6d4c1 |
| SHA1 | 6d185022d85041fb81bc47a3fba0570f1da1567f |
| SHA256 | 20174136d26c95e8cfb20f1ef2fc27d4163dc890a98273867870d72e48592d27 |
| SHA512 | 618f2fdecf477351d3c09c2c2bced3d3e0e4a9a63861640325190309810624420fd412574b99b2383395582fceb8c96ace5b9ba6c7a2799c8e78a1da58d11564 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 07:24
Reported
2024-06-22 07:27
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8808f6eba2eada6bc7915f98a295ae8cad1fbadfeaef7c131d75f388ddb831d1_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8808f6eba2eada6bc7915f98a295ae8cad1fbadfeaef7c131d75f388ddb831d1_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3800,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
C:\Windows\SysWOW64\omsecor.exe
C:\Windows\System32\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.255.166.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 6d4c422b7078cafe2c9f83f6badc11d4 |
| SHA1 | 6c7560c85f5d16c98d928568f29f38eb47436707 |
| SHA256 | 85c273c024215309b11d295162cea4da47ba808be0eadecb605f5d1e50db273f |
| SHA512 | 13a5d2ede97489d3dddcb208422832db92ef0b96524db6e211f528fd3c7409deeac618a1a564a5290632e7c648209555e09dd703134cceb40282aab3010c862a |
C:\Windows\SysWOW64\omsecor.exe
| MD5 | f9a53b511b90413120f735a53f1ba814 |
| SHA1 | b6e40a46fea98889eee3318907985bfb37a0faa9 |
| SHA256 | ea67a10aa5275dcaa403518785dc1f43eb712f0b2f1c3d0c10cd480c68dd5faa |
| SHA512 | 14550e21082f59df4c38af8e299401b284f2a0dc1af37c2546749e14f43c96d44b3aad27e17802e10235d927091161072b64304c5b2beaa13fb97725175627b3 |
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | d1163bbb60cba693bfa85ef58021f415 |
| SHA1 | 3a26c8aa9f1fbb74561f0b052b34eef69019a3d2 |
| SHA256 | a890b96c547678027c7f03ff33d5d548c354f48a3a9a8a0b58c0ae429d0b16c6 |
| SHA512 | 100a2c7f6420e2b66f08ffb7361b48a04192e8819f5e6a146b41f04fa755961fd274ccd8ad05fcb3495c186b4b503c4f7d65eadbba6f2425825b51efb8998c44 |