Malware Analysis Report

2024-09-11 08:29

Sample ID 240622-z1tt2sydrq
Target 0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478_NeikiAnalytics.exe
SHA256 0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478

Threat Level: Known bad

The file 0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-22 21:11

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
(no per-indicator rows are recorded for the static pass; its findings are the family match and the absence of an Authenticode signature, reported as "Unsigned PE")
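The "Unsigned PE" tag rests on a header walk: a PE carries an Authenticode blob only if the Certificate Table entry (data directory index 4 of the optional header) is non-zero. The Python below is an added example, not code from the sandbox or from this sample; it implements that walk and builds a constructed, non-loadable PE32 image (hypothetical, unrelated to the sample's bytes) to exercise both the unsigned and the signed case.

```python
import struct

# Index of IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header's data directories.
# Unlike the other directories, its "VirtualAddress" is a raw file offset, because the
# certificate table is never mapped into memory.
SECURITY_DIR_INDEX = 4


def authenticode_directory(data: bytes):
    """Return (file_offset, size) of the Certificate Table, or None when the image
    declares no signature blob. Raises ValueError for non-PE input (struct.error
    surfaces for headers truncated mid-field)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:                                  # PE32+
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    number_of_rva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    entry = dirs_off + SECURITY_DIR_INDEX * 8
    # The entry must lie inside both the declared directory count and the header size.
    if number_of_rva <= SECURITY_DIR_INDEX or entry + 8 > size_of_optional:
        return None
    offset, size = struct.unpack_from("<II", data, opt + entry)
    if offset == 0 or size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table points past end of file")
    return offset, size


def is_unsigned_pe(data: bytes) -> bool:
    """True when no Authenticode blob is present. That is all the sandbox tag says;
    a present blob still has to be verified before it means anything."""
    return authenticode_directory(data) is None


def build_minimal_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed test image (hypothetical, not this sample): DOS header, PE signature,
    COFF header and a PE32 optional header with 16 empty data directories, no sections.
    With cert_blob, a WIN_CERTIFICATE wrapper is appended and directory 4 points at it."""
    opt_size = 96 + 16 * 8
    header_len = 0x40 + 4 + 20 + opt_size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    trailer = b""
    if cert_blob:
        # WIN_CERTIFICATE: dwLength, wRevision (0x0200), wCertificateType (0x0002 = PKCS#7)
        trailer = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        struct.pack_into("<II", opt, 96 + SECURITY_DIR_INDEX * 8, header_len, len(trailer))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + trailer


if __name__ == "__main__":
    print("unsigned:", is_unsigned_pe(build_minimal_pe()))                       # True
    print("cert table:", authenticode_directory(build_minimal_pe(b"\x30\x82")))  # (312, 10)
```

A non-empty directory only proves a blob is attached. Whether it is a valid signature from a trusted chain is a separate check (on Windows, Get-AuthenticodeSignature or signtool verify), and a blob can be present but broken, so treat "signed" from a header walk as "claims to be signed".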

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 21:11

Reported

2024-06-22 21:14

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2372 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2372 wrote to memory of 1664 (4 events) N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 1664 wrote to memory of 2192 (4 events) N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Each stage writes into the process it has just spawned, so the PIDs give the execution chain 2972 -> 2372 -> 1664 -> 2192 (sample -> Roaming copy -> SysWOW64 copy -> Roaming copy again).

Processes

Execution chain nested by parent (PIDs taken from the WriteProcessMemory rows above); each entry shows the image path with its command line beneath it:

PID 2972  C:\Users\Admin\AppData\Local\Temp\0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478_NeikiAnalytics.exe
            "C:\Users\Admin\AppData\Local\Temp\0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478_NeikiAnalytics.exe"
  PID 2372  C:\Users\Admin\AppData\Roaming\omsecor.exe
              C:\Users\Admin\AppData\Roaming\omsecor.exe
    PID 1664  C:\Windows\SysWOW64\omsecor.exe
                C:\Windows\System32\omsecor.exe
      PID 2192  C:\Users\Admin\AppData\Roaming\omsecor.exe
                  C:\Users\Admin\AppData\Roaming\omsecor.exe

The image path and command line of PID 1664 disagree only because of WoW64 file-system redirection: the 32-bit stage wrote to and launched "System32\omsecor.exe", which Windows redirected to SysWOW64, where the "Drops file in System32 directory" row shows the file actually landing. Hunt on both spellings.
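The chain above (a binary in AppData\Roaming starting a same-named copy in the system directory, which starts the Roaming copy again) is a better detection key than any of the file hashes. The Python below is an added example, not part of the sandbox report or of any vendor's rule set; it runs that rule over constructed Sysmon-style process creation records whose PIDs mirror the WriteProcessMemory rows, and deliberately records PID 1664 under the System32 spelling to show that the rule folds System32 and SysWOW64 together. The record type, field names and the benign neighbours are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessCreate:
    """The three fields of a Sysmon Event ID 1 record that the rule needs (constructed)."""
    pid: int
    parent_pid: int
    image: str


# A 32-bit process sees C:\Windows\System32 redirected to SysWOW64, so the same file is
# reported under either name depending on who logs it; treat both as "the system directory".
# Only files directly in that directory count (no drivers\ or other subdirectories).
_SYSTEM_DIR = re.compile(r"(?i)^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+$")
_ROAMING = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\")


def in_system_dir(path: str) -> bool:
    return _SYSTEM_DIR.match(path) is not None


def in_roaming(path: str) -> bool:
    return _ROAMING.match(path) is not None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_relaunch_chains(events: List[ProcessCreate]) -> List[Tuple[int, int, int, List[int]]]:
    """Match: <anything> -> Roaming\\X.exe -> <system dir>\\X.exe -> Roaming\\X.exe.
    Returns (grandparent_pid, roaming_pid, system_pid, [relaunch_pids]) per match;
    the relaunch list is empty if the capture ended before the last stage started."""
    by_pid: Dict[int, ProcessCreate] = {e.pid: e for e in events}
    chains = []
    for sys_proc in events:
        if not in_system_dir(sys_proc.image):
            continue
        roaming = by_pid.get(sys_proc.parent_pid)
        if roaming is None or not in_roaming(roaming.image):
            continue
        if basename(roaming.image) != basename(sys_proc.image):
            continue
        relaunch = [c.pid for c in events
                    if c.parent_pid == sys_proc.pid
                    and in_roaming(c.image)
                    and basename(c.image) == basename(sys_proc.image)]
        chains.append((roaming.parent_pid, roaming.pid, sys_proc.pid, relaunch))
    return chains


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478_NeikiAnalytics.exe")
ROAMING_COPY = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"

# Constructed records: the behavioral1 chain plus benign neighbours (explorer, notepad,
# and a cmd.exe child of the Roaming copy with a different name, which must not match).
EVENTS = [
    ProcessCreate(1200, 600, r"C:\Windows\explorer.exe"),
    ProcessCreate(2972, 1200, SAMPLE),
    ProcessCreate(2372, 2972, ROAMING_COPY),
    ProcessCreate(1664, 2372, r"C:\Windows\System32\omsecor.exe"),   # System32 spelling on purpose
    ProcessCreate(2192, 1664, ROAMING_COPY),
    ProcessCreate(3100, 1200, r"C:\Windows\System32\notepad.exe"),
    ProcessCreate(3200, 2372, r"C:\Windows\SysWOW64\cmd.exe"),
]

if __name__ == "__main__":
    for chain in find_relaunch_chains(EVENTS):
        print("relaunch chain:", chain)   # (2972, 2372, 1664, [2192])
```

The rule keys on structure (same file name across two untrusted-looking locations plus a parent/child loop), not on the name omsecor.exe, so a renamed build still matches; the cost is that any legitimate updater that stages a copy of itself in the system directory would need an allow-list entry.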

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp

All seven entries are DNS lookups sent to 8.8.8.8:53; the capture records no connection to any resolved address, so the three names are the only network indicators this run yields. Two of them (mkkuei4kdsz.com, ow5dirasuek.com) are random-looking labels, so expect sibling names rather than treating the list as complete.

Files

\Users\Admin\AppData\Roaming\omsecor.exe appears twice with different hashes: the content at that path changed during the run, so the two entries describe two distinct files that existed at one location.

\Users\Admin\AppData\Roaming\omsecor.exe (first listing)

MD5 1f579cb6ec246797d619357918d94dc1
SHA1 8909f572b331c016e48d710a13cbfa6c03c84730
SHA256 aaf2007d1380e171c531273580a7b861d572ed6d7d9fc8de2b4ee2ba3c3c485d
SHA512 c6db89141435304bd5190332169f16bfa8663daabd4b924f1fad54d63565cf1195cc93e22ba136dd596600d51a9efad835c5064ddbaf5d540826409748526e82

\Windows\SysWOW64\omsecor.exe

MD5 e1be5add0a423daf2367e0506aa2e8f1
SHA1 ffa7852a3c5cc333825537f63e5757c307bb0bf7
SHA256 9c84e215420d235b01253d0ac84cac77fd4c8ae9c5f6d6173ddccb1833cd589f
SHA512 f13621b8db193ab4095060efda56411598e5b91ac2b0076957eabadd71eb814936e43914d52966d6fce42951fc467b20438b5bd273cbf3de70f17d59526e158a

\Users\Admin\AppData\Roaming\omsecor.exe (second listing)

MD5 3a95f40cbb305270beb37912633b5068
SHA1 5945fd6612316171bd825bc6011526bc00ae065c
SHA256 70b2b1f1baa39634ac3e63175ed960eed3edcc52751297bdde3d16e02f0f0241
SHA512 35eb1b80648f99cb355250101cde20551ab9b16a27f20fd1182ae6418f5dc70f7f65227b423198b27c684fbf88a2d2b53782a733e6bd83cc7c5f399e10b1183d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 21:11

Reported

2024-06-22 21:14

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

The same four-stage chain as in behavioral1, nested in the same order (no WriteProcessMemory rows were recorded for this run, so no PIDs are available and the nesting is assumed from the behavioral1 ordering); each entry shows the image path with its command line beneath it:

C:\Users\Admin\AppData\Local\Temp\0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0dcdb75000f1eab9427acc03174b690461ef704fbeade202ebeb20a2463c0478_NeikiAnalytics.exe"
  C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Windows\SysWOW64\omsecor.exe
        C:\Windows\System32\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
          C:\Users\Admin\AppData\Roaming\omsecor.exe

As in behavioral1, the SysWOW64 image with a System32 command line is WoW64 file-system redirection at work, not two different files.

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

The same three domains as in behavioral1, again only as DNS lookups through 8.8.8.8:53 with no recorded follow-on connection.

Files

Only the first Roaming\omsecor.exe hash (SHA256 aaf2007d...) is identical between the win7 and win10 runs; the SysWOW64 copy and the second Roaming copy hash differently in each run. Hash-based blocking of those two files therefore will not carry over to other detonations; the paths, the process chain and the DNS names are the stable indicators.

C:\Users\Admin\AppData\Roaming\omsecor.exe (first listing)

MD5 1f579cb6ec246797d619357918d94dc1
SHA1 8909f572b331c016e48d710a13cbfa6c03c84730
SHA256 aaf2007d1380e171c531273580a7b861d572ed6d7d9fc8de2b4ee2ba3c3c485d
SHA512 c6db89141435304bd5190332169f16bfa8663daabd4b924f1fad54d63565cf1195cc93e22ba136dd596600d51a9efad835c5064ddbaf5d540826409748526e82

C:\Windows\SysWOW64\omsecor.exe

MD5 d14341bada19283ed05367a2e0f281ef
SHA1 7c673c33d92e446f5861798300a5fffb700534f7
SHA256 d8cbd84bc1a3cfb6757a440a657f8c2b02c6f15ca2787c16d8a5ddfd136b2e2c
SHA512 9bbbfc55075f6a3f1514964510e28ce331fc298469495d69fe65461f701b138f7c08c23393ccdf51004fa1e65cd9d10600167a19bc2dbe41136b23b155dea296

C:\Users\Admin\AppData\Roaming\omsecor.exe (second listing)

MD5 5d0b367538587d32f436b0bf184b6b06
SHA1 8330ad65ec79c37aba94c669805942a010e4e266
SHA256 cf6974e415e0a7865cbbc9638e622b2e9699f35491c72488a26f46d67ba3e823
SHA512 c5a19fb4f26575476c7628dfc45880075ed705433b20732bd69258f5d6f72bc9fd6c0799466b4d539bb87543843ba9f905028b0ae20b4778909ec20a7a3ef58f
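Turning the Network and Files sections of both runs into a hunt: the Python below is an added example, not part of the sandbox report, that carries the three domains, the three path spellings and the five SHA256 values above as indicator sets and applies them to constructed DNS query lines and a constructed file inventory. The log line format ("timestamp client qname qtype"), the client addresses and the file contents are assumptions for the example; the indicator values themselves are copied from the report. It treats a path hit without a hash hit as expected for this family rather than as a miss, since the dropped copies are rewritten.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Indicators copied from the two behavioral runs.
DNS_IOCS: Set[str] = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}

# The System32 spelling is included because a 32-bit process names the SysWOW64 copy that way.
PATH_IOCS: Set[str] = {
    r"\appdata\roaming\omsecor.exe",
    r"\windows\syswow64\omsecor.exe",
    r"\windows\system32\omsecor.exe",
}

SHA256_IOCS: Dict[str, str] = {
    "aaf2007d1380e171c531273580a7b861d572ed6d7d9fc8de2b4ee2ba3c3c485d": "Roaming copy, first write (both runs)",
    "9c84e215420d235b01253d0ac84cac77fd4c8ae9c5f6d6173ddccb1833cd589f": "SysWOW64 copy (win7 run)",
    "d8cbd84bc1a3cfb6757a440a657f8c2b02c6f15ca2787c16d8a5ddfd136b2e2c": "SysWOW64 copy (win10 run)",
    "70b2b1f1baa39634ac3e63175ed960eed3edcc52751297bdde3d16e02f0f0241": "Roaming copy, second write (win7 run)",
    "cf6974e415e0a7865cbbc9638e622b2e9699f35491c72488a26f46d67ba3e823": "Roaming copy, second write (win10 run)",
}


def domain_matches(qname: str, ioc: str) -> bool:
    """Exact match or subdomain of the indicator; a trailing dot (FQDN form) is tolerated."""
    q = qname.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


# Constructed log format: "<timestamp> <client_ip> <qname> <qtype>", one query per line.
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def hunt_dns(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, matched_ioc) for every query touching a listed domain."""
    hits = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue                      # malformed line: skip rather than abort the hunt
        ts, client, qname, _qtype = m.groups()
        for ioc in DNS_IOCS:
            if domain_matches(qname, ioc):
                hits.append((ts, client, qname, ioc))
                break
    return hits


@dataclass(frozen=True)
class FileVerdict:
    path: str
    sha256: str
    path_hit: bool
    hash_label: Optional[str]

    @property
    def verdict(self) -> str:
        if self.hash_label:
            return "known copy: " + self.hash_label
        if self.path_hit:
            return "rewritten copy: IOC path, hash not in report"
        return "clean"


def classify_file(path: str, content: bytes) -> FileVerdict:
    """Path is the durable signal for this family; a hash hit only tells you which copy it is."""
    digest = hashlib.sha256(content).hexdigest()
    lowered = path.lower()
    return FileVerdict(path, digest, any(lowered.endswith(p) for p in PATH_IOCS), SHA256_IOCS.get(digest))


# Constructed sample input (not captured traffic): three hosts, one benign lookup, one bad line.
DNS_LOG = [
    "2024-06-22T21:12:03Z 10.0.0.5 lousta.net A",
    "2024-06-22T21:12:04Z 10.0.0.5 www.microsoft.com A",
    "2024-06-22T21:12:05Z 10.0.0.7 mkkuei4kdsz.com. A",
    "2024-06-22T21:12:06Z 10.0.0.9 update.ow5dirasuek.com A",
    "malformed line",
]

if __name__ == "__main__":
    for hit in hunt_dns(DNS_LOG):
        print("dns hit:", hit)
    print(classify_file(r"C:\Users\Admin\AppData\Roaming\omsecor.exe", b"constructed content").verdict)
```

The subdomain rule matters for the two random-looking names: a sibling label under the same registered domain should still hit, while "notlousta.net" must not. If you feed real DNS logs, keep the qname parsing strict and count skipped lines so a format change does not silently turn into zero hits.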