Malware Analysis Report

2024-09-11 08:30

Sample ID 240622-l6jpdaxdpl
Target 906ba3abcc08f25d316ab851b62692d0303a14fac89042f83571b149b060b01d_NeikiAnalytics.exe
SHA256 906ba3abcc08f25d316ab851b62692d0303a14fac89042f83571b149b060b01d
Tags: upx neconyd trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

906ba3abcc08f25d316ab851b62692d0303a14fac89042f83571b149b060b01d

Threat Level: Known bad

The file 906ba3abcc08f25d316ab851b62692d0303a14fac89042f83571b149b060b01d_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-22 10:08

Signatures

Neconyd family (tag: neconyd)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 10:08

Reported

2024-06-22 10:11

Platform

win7-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\906ba3abcc08f25d316ab851b62692d0303a14fac89042f83571b149b060b01d_NeikiAnalytics.exe"

Signatures

Neconyd (tags: trojan neconyd)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
17 matches, every field N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3056 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\906ba3abcc08f25d316ab851b62692d0303a14fac89042f83571b149b060b01d_NeikiAnalytics.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical entries)
PID 2184 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Windows\SysWOW64\omsecor.exe (4 identical entries)
PID 1636 wrote to memory of 2516 | N/A | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe (4 identical entries)

Processes (executable path, then recorded command line)

C:\Users\Admin\AppData\Local\Temp\906ba3abcc08f25d316ab851b62692d0303a14fac89042f83571b149b060b01d_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\906ba3abcc08f25d316ab851b62692d0303a14fac89042f83571b149b060b01d_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

Files

memory/3056-0-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 053b729e78affbb4bd339dc79a4de862
SHA1 b04fc3bf6278e1c246d9eca096369d8f70d5a94b
SHA256 29f31b0d523c5160b99363ea7f812f4402ee9f92ee3bb3879dc875eb15af10b0
SHA512 f4f94e7927cd741282ce3b5b46e26f6730441f60b83d5b757e97572dc21b2ce3315ca717837dcc5fc79edc1c55b136a848de6c112e524cd94d1829bf4989494b

memory/2184-12-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3056-9-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-15-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-17-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-20-0x0000000000400000-0x000000000042D000-memory.dmp

\Windows\SysWOW64\omsecor.exe

MD5 84aeaf23c0d084873616e6946fa0c469
SHA1 e7b629d022502f8a2eaca32f03c570fc412f319e
SHA256 763ae70e2b5009bc34580f2cc36c21baa23c47ebccdcdf842f84d723bc159c6f
SHA512 e7ebb7fb6cf0ae2405d1ee7f1310fbcd755142268b6297dc6cc924b8fbcbd99c0caa3e56a86bf4c39d14fb852dad2b7590ce2c0a17e4a66471aec73b2f9e448e

memory/2184-24-0x00000000003B0000-0x00000000003DD000-memory.dmp

memory/1636-35-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2184-31-0x0000000000400000-0x000000000042D000-memory.dmp

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 7745fdaf0e88f7073c52f540885ee9f1
SHA1 fe6ee5c3a9bbb17a5e8bc067fa5fafdcb73b82c7
SHA256 991ab0cc199dda19b78eba787d3dd8f9462bde9b9fa9da50d909e4c6085942d1
SHA512 5948e19e7d43d4dbcf3ada424fbfcece54982800321f3a04b1303465d43eca01c3bb06b6859fad111d2984f18d02306271784d78a133dc006e214fcf9292eff9

memory/2516-44-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2516-46-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2516-48-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2516-50-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 10:08

Reported

2024-06-22 10:11

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\906ba3abcc08f25d316ab851b62692d0303a14fac89042f83571b149b060b01d_NeikiAnalytics.exe"

Signatures

Neconyd (tags: trojan neconyd)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
14 matches, every field N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A

Processes (executable path, then recorded command line)

C:\Users\Admin\AppData\Local\Temp\906ba3abcc08f25d316ab851b62692d0303a14fac89042f83571b149b060b01d_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\906ba3abcc08f25d316ab851b62692d0303a14fac89042f83571b149b060b01d_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
  C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 171.255.166.193.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
BE 88.221.83.186:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 186.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.91.225.64.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
US 8.8.8.8:53 229.198.34.52.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

memory/3912-1-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 053b729e78affbb4bd339dc79a4de862
SHA1 b04fc3bf6278e1c246d9eca096369d8f70d5a94b
SHA256 29f31b0d523c5160b99363ea7f812f4402ee9f92ee3bb3879dc875eb15af10b0
SHA512 f4f94e7927cd741282ce3b5b46e26f6730441f60b83d5b757e97572dc21b2ce3315ca717837dcc5fc79edc1c55b136a848de6c112e524cd94d1829bf4989494b

memory/4704-6-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4704-7-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4704-13-0x0000000000400000-0x000000000042D000-memory.dmp

memory/4704-14-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Windows\SysWOW64\omsecor.exe

MD5 85e991dfa229d1a5a00b26e9a55f8d12
SHA1 da5b7b773a04e3af90b30efee7f198b96e287013
SHA256 7056851890c654ce41964c915d13a0f2e58c2622432497968db92c38856e6a22
SHA512 0ad829ede33e341119d40b5bb655368e1a30f82121e4bc22bed48c0f1bed321ea2d0a6b8db486f83870c309575d3e48a67f4fde9c17a34ade064b0b4fa1c3362

memory/4704-19-0x0000000000400000-0x000000000042D000-memory.dmp

memory/3156-20-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 f67f04fc093d3ca607cda966e2f32efa
SHA1 5c84659a194dbd8040ecfdd72aaa9ff5093b57ac
SHA256 2f0947889e7c2eb35854d314acac264698a957477c8f5d8939bd5a452f216cae
SHA512 7b7936919a131038684e180302b4c304fece885358fbef30afd9235e26beb41cbff2b75303384c8163dbfe06ee4ffadfcccee0796778b4c1051dfdf930588879

memory/3156-26-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2788-28-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2788-29-0x0000000000400000-0x000000000042D000-memory.dmp

memory/2788-32-0x0000000000400000-0x000000000042D000-memory.dmp