Malware Analysis Report

2024-09-11 08:28

Sample ID 240622-z4qa2avbla
Target 0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183_NeikiAnalytics.exe
SHA256 0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183
Tags
neconyd trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183

Threat Level: Known bad

The file 0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Signatures matched across the static analysis and the two behavioral runs:

neconyd trojan (Neconyd family)
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory

Observed behaviour, consistent in both behavioral runs: the sample creates omsecor.exe under C:\Users\Admin\AppData\Roaming and executes it; that process creates C:\Windows\SysWOW64\omsecor.exe (named C:\Windows\System32\omsecor.exe on its command line, which matches WoW64 file-system redirection of a 32-bit process) and executes it, and the chain continues with a further omsecor.exe started from the Roaming directory. In the Win7 run each stage writes into the memory of the next omsecor.exe process (PIDs 1732 -> 2268 -> 752 -> 1588). Both runs issue DNS queries (to 8.8.8.8:53) for lousta.net, mkkuei4kdsz.com and ow5dirasuek.com; no resolved address or follow-on connection is recorded. The first Roaming drop is byte-identical across both runs (SHA256 836748abdd43bbc0fcb4e53189e448f854f8e173042881223d07a26c6f9f6012), while the SysWOW64 copy and the later Roaming write differ between runs, so only the first-stage hash is a reliable file indicator; the file paths and the queried domains are stable in both runs.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-22 21:16

Signatures

Neconyd family

neconyd

Unsigned PE

No description, indicator, process or target details are recorded for the static signatures.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 21:16

Reported

2024-06-22 21:19

Platform

win7-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Process executed (no description, indicator or target recorded):
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

Drops file in System32 directory

Description: File created
Indicator: C:\Windows\SysWOW64\omsecor.exe
Process: C:\Users\Admin\AppData\Roaming\omsecor.exe

Suspicious use of WriteProcessMemory

Each source process wrote into the memory of the next process in the chain; every pair below is recorded four times in the run.

PID 1732 (C:\Users\Admin\AppData\Local\Temp\0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183_NeikiAnalytics.exe) wrote to PID 2268 (C:\Users\Admin\AppData\Roaming\omsecor.exe), 4 writes
PID 2268 (C:\Users\Admin\AppData\Roaming\omsecor.exe) wrote to PID 752 (C:\Windows\SysWOW64\omsecor.exe), 4 writes
PID 752 (C:\Windows\SysWOW64\omsecor.exe) wrote to PID 1588 (C:\Users\Admin\AppData\Roaming\omsecor.exe), 4 writes
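The WriteProcessMemory chain above (each stage opening and writing the memory of the omsecor.exe process it spawned) is the part of this report worth turning into a host detection. The following is an added example, not part of the sandbox report or of any vendor tooling: it replays constructed Sysmon-style events (Event ID 1 process create, 11 file create, 10 process access with write rights) modelled on the behavioral1 PIDs, reproduces the report's "Executes dropped EXE" and "Drops file in System32 directory" signatures, folds the System32/SysWOW64 redirection so the created file matches the image that later runs, and links the parent-to-child memory writes into the 1732 -> 2268 -> 752 -> 1588 chain. The event field names, the installer noise event and the one-child-per-stage assumption are assumptions of the example.

```python
PROCESS_VM_OPERATION = 0x0008   # Win32 access rights WriteProcessMemory needs
PROCESS_VM_WRITE = 0x0020

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183_NeikiAnalytics.exe")

# Constructed Sysmon-style events (assumption: Sysmon-like field names),
# modelled on the behavioral1 PIDs; a second 1732 -> 2268 access shows dedup.
EVENTS = [
    {"id": 1, "pid": 1732, "ppid": 900, "image": SAMPLE},
    {"id": 11, "pid": 1732, "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"id": 1, "pid": 2268, "ppid": 1732, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"id": 10, "pid": 1732, "target_pid": 2268, "access": "0x1FFFFF"},
    {"id": 10, "pid": 1732, "target_pid": 2268, "access": "0x1FFFFF"},
    # a 32-bit process names System32; the file lands in SysWOW64
    {"id": 11, "pid": 2268, "target": r"C:\Windows\System32\omsecor.exe"},
    {"id": 1, "pid": 752, "ppid": 2268, "image": r"C:\Windows\SysWOW64\omsecor.exe"},
    {"id": 10, "pid": 2268, "target_pid": 752, "access": "0x1FFFFF"},
    {"id": 11, "pid": 752, "target": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"id": 1, "pid": 1588, "ppid": 752, "image": r"C:\Users\Admin\AppData\Roaming\omsecor.exe"},
    {"id": 10, "pid": 752, "target_pid": 1588, "access": "0x1FFFFF"},
    # benign noise (assumed): an installer writing a DLL to System32, no injection
    {"id": 1, "pid": 3000, "ppid": 900, "image": r"C:\Program Files\Vendor\setup.exe"},
    {"id": 11, "pid": 3000, "target": r"C:\Windows\System32\vendor.dll"},
]


def norm(path):
    """Lower-case a path and fold the 32-bit view of System32 onto SysWOW64,
    so a file logged as created under System32 matches the SysWOW64 image
    that later executes (WoW64 file-system redirection)."""
    return path.lower().replace("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def in_system_dir(path):
    return norm(path).startswith("c:\\windows\\syswow64\\")


def in_user_writable(path):
    p = norm(path)
    return p.startswith("c:\\users\\") and "\\appdata\\" in p


def detect(events):
    """Replay process-create (1), file-create (11) and process-access (10)
    events in order; return alerts and the parent->child memory-write chains."""
    procs, dropped, alerts, writes = {}, {}, [], set()
    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = {"image": e["image"], "ppid": e["ppid"]}
            creator = dropped.get(norm(e["image"]))
            if creator is not None:
                alerts.append(("executes dropped EXE", e["pid"], "dropped by %d" % creator))
        elif e["id"] == 11:
            dropped[norm(e["target"])] = e["pid"]
            src = procs.get(e["pid"], {}).get("image", "")
            # Tuning choice: only flag system-directory drops by binaries that
            # themselves run from a user-writable location (skips installers).
            if in_system_dir(e["target"]) and in_user_writable(src):
                alerts.append(("drops file in System32 directory", e["pid"], e["target"]))
        elif e["id"] == 10:
            granted = int(e["access"], 16)
            child = procs.get(e["target_pid"])
            if (granted & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION)
                    and child and child["ppid"] == e["pid"]
                    and (e["pid"], e["target_pid"]) not in writes):
                writes.add((e["pid"], e["target_pid"]))
                alerts.append(("writes to own child process memory", e["pid"], e["target_pid"]))
    # Link write edges into chains (assumes one written child per stage).
    nxt = dict(writes)
    chains = []
    for src in sorted(set(nxt) - {dst for _, dst in writes}):
        chain = [src]
        while chain[-1] in nxt and nxt[chain[-1]] not in chain:
            chain.append(nxt[chain[-1]])
        chains.append(chain)
    return {"alerts": alerts, "chains": chains}


if __name__ == "__main__":
    result = detect(EVENTS)
    for alert in result["alerts"]:
        print(alert)
    print("chains:", result["chains"])
```

On real telemetry the same three rules fire from Sysmon's ProcessCreate, FileCreate and ProcessAccess events; the report itself only records that the writes happened, so the GrantedAccess values and the installer event are illustrative.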

Processes

PIDs are taken from the WriteProcessMemory entries above.

PID 1732  C:\Users\Admin\AppData\Local\Temp\0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183_NeikiAnalytics.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183_NeikiAnalytics.exe"

PID 2268  C:\Users\Admin\AppData\Roaming\omsecor.exe
          command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

PID 752   C:\Windows\SysWOW64\omsecor.exe
          command line: C:\Windows\System32\omsecor.exe
          (the command line names System32 while the image path is SysWOW64, consistent with WoW64 file-system redirection of a 32-bit process)

PID 1588  C:\Users\Admin\AppData\Roaming\omsecor.exe
          command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

DNS queries only; no responses or follow-on connections are recorded.

Country Destination Domain Proto Queries
US 8.8.8.8:53 lousta.net udp 4
US 8.8.8.8:53 mkkuei4kdsz.com udp 2
US 8.8.8.8:53 ow5dirasuek.com udp 1

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe (first entry for this path)

MD5 20cec8d9a8c0d9566581a6049555e88c
SHA1 b21ddbd78f19446a45602cba5e8da473ddfeec52
SHA256 836748abdd43bbc0fcb4e53189e448f854f8e173042881223d07a26c6f9f6012
SHA512 54f6b888827b812c807eb4e049f468ed28c6aede15432669dbaabbc22b6df3573c7fbcd9106b19d85acfcbc28b8da440067d518d2a2da1ea2ce484471273b703

C:\Windows\SysWOW64\omsecor.exe

MD5 edcaeb146b8bf2cf638a41194bbb3a0f
SHA1 9f2f5fa4d34013988387b1292f4526bf4239f2cb
SHA256 91f4c813f46d4e32f2be6dfa998d0008ad23b64d58173a91dfc5eab596c0c38c
SHA512 a2b2a8722df8dc0bd58041d705ea2b485f07f935ad453572c6045da0c924f1ea69b591420251267b22658d32066e4815750ba3e0246ed8ab7e655a54bc623f41

C:\Users\Admin\AppData\Roaming\omsecor.exe (second entry: the same path is listed again with different hashes, so the file was rewritten during the run)

MD5 db2f4b41b3090e6328cb759c07324621
SHA1 37eaee71559380506cba34cda93a954704997ff9
SHA256 7cab05c0927bc2825febc8af1b66c7035468d1b1e4e2ca51a752fdf602c4108d
SHA512 814ae5817bf0a078a04032cd49ee7ed4e258b3ce43c7acc779bbdbc65464d3332e078aaaa46dd9317e24ff0f118b5adb94e3828f81e3f261dacefdc630660d86

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 21:16

Reported

2024-06-22 21:19

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Process executed (no description, indicator or target recorded):
C:\Users\Admin\AppData\Roaming\omsecor.exe
C:\Windows\SysWOW64\omsecor.exe
C:\Users\Admin\AppData\Roaming\omsecor.exe

Drops file in System32 directory

Description: File created
Indicator: C:\Windows\SysWOW64\omsecor.exe
Process: C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0e4f0c30804fe0165e9b746a644581511d403f24c725e4ac318b95a05d8e6183_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe
    command line: C:\Windows\System32\omsecor.exe
    (the command line names System32 while the image path is SysWOW64, consistent with WoW64 file-system redirection of a 32-bit process)

C:\Users\Admin\AppData\Roaming\omsecor.exe
    command line: C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

DNS queries only; no responses or follow-on connections are recorded.

Country Destination Domain Proto Queries
US 8.8.8.8:53 lousta.net udp 4
US 8.8.8.8:53 ow5dirasuek.com udp 2
US 8.8.8.8:53 mkkuei4kdsz.com udp 1

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe (first entry for this path)

MD5 20cec8d9a8c0d9566581a6049555e88c
SHA1 b21ddbd78f19446a45602cba5e8da473ddfeec52
SHA256 836748abdd43bbc0fcb4e53189e448f854f8e173042881223d07a26c6f9f6012
SHA512 54f6b888827b812c807eb4e049f468ed28c6aede15432669dbaabbc22b6df3573c7fbcd9106b19d85acfcbc28b8da440067d518d2a2da1ea2ce484471273b703

C:\Windows\SysWOW64\omsecor.exe

MD5 17e4861e9d60bd8ef386c8e8e55623fc
SHA1 7ae0cdbbb3a225601c4397c6194c552b2ca05fbc
SHA256 026597c6485517259b97a0c2202431b8341cb0458fbf0760ad844dae1b0b0e56
SHA512 f7704b6fbc6fdce9f79a5df8f67c813dc4e198d4449aaa170bb62b836f15758865ba429c1d48c3d365a7e2154918e21481695b1c6a04dc05141c3ee99bb37f4c

C:\Users\Admin\AppData\Roaming\omsecor.exe (second entry: the same path is listed again with different hashes, so the file was rewritten during the run)

MD5 f7adb74285286b8e3cb75a92c3fb2355
SHA1 6c0aa340c27b612ae3e8ed874017216175b6713c
SHA256 8e0887a4dd13cea8ac441f7bb4ba7e8fa60c20cdfd77116cabda6703b6468950
SHA512 04acfcbf8798937a4b0adb64ff2951865a6f88bc596d0e5aa629823030a0c4f933b03725e0394ec66d1869599f5b7c0c2c686a3a57468577dc0225492a9472b5
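The two behavioral runs give three file hashes each plus three queried domains, and the report does not say which of those are worth deploying. Comparing the Files sections of behavioral1 and behavioral2 answers it: only the first Roaming drop (SHA256 836748ab...) recurs, the SysWOW64 copy and the later Roaming write change between runs, and the paths and domains are identical. The following is an added example, not part of the report: it copies the hashes, paths and domains from the behavioral1 and behavioral2 Files and Network sections, separates stable from run-specific hashes, generalises the paths to any user profile, and scans a host file inventory and a DNS log. The inventory, the log lines and the log format are constructed for the example.

```python
import re

# File hashes and paths copied from the behavioral1 / behavioral2 Files sections.
RUNS = {
    "behavioral1": [
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "836748abdd43bbc0fcb4e53189e448f854f8e173042881223d07a26c6f9f6012"),
        (r"C:\Windows\SysWOW64\omsecor.exe",
         "91f4c813f46d4e32f2be6dfa998d0008ad23b64d58173a91dfc5eab596c0c38c"),
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "7cab05c0927bc2825febc8af1b66c7035468d1b1e4e2ca51a752fdf602c4108d"),
    ],
    "behavioral2": [
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "836748abdd43bbc0fcb4e53189e448f854f8e173042881223d07a26c6f9f6012"),
        (r"C:\Windows\SysWOW64\omsecor.exe",
         "026597c6485517259b97a0c2202431b8341cb0458fbf0760ad844dae1b0b0e56"),
        (r"C:\Users\Admin\AppData\Roaming\omsecor.exe",
         "8e0887a4dd13cea8ac441f7bb4ba7e8fa60c20cdfd77116cabda6703b6468950"),
    ],
}
# Domains queried in both runs' Network sections.
C2_DOMAINS = {"lousta.net", "mkkuei4kdsz.com", "ow5dirasuek.com"}


def stable_hashes(runs):
    """SHA256 values present in every run; anything else varies per execution."""
    per_run = [{sha for _, sha in files} for files in runs.values()]
    return set.intersection(*per_run)


def volatile_hashes(runs):
    """Hashes seen in only some runs: keep for enrichment, not for blocking."""
    every = set.union(*[{sha for _, sha in files} for files in runs.values()])
    return every - stable_hashes(runs)


def generalize_path(path):
    """Lower-case and replace the profile name so the IOC matches any user."""
    return re.sub(r"^c:\\users\\[^\\]+\\", lambda m: "c:\\users\\*\\", path.lower())


def path_iocs(runs):
    return {generalize_path(p) for files in runs.values() for p, _ in files}


def scan_inventory(inventory, runs):
    """inventory: (host, path, sha256) triples from an EDR file survey.
    A stable-hash match is high confidence; a path-only match is medium,
    because the later-stage copies change hash between runs."""
    stable, paths = stable_hashes(runs), path_iocs(runs)
    findings = []
    for host, path, sha in inventory:
        if sha.lower() in stable:
            findings.append((host, "high", "stable hash " + sha.lower()[:12]))
        elif generalize_path(path) in paths:
            findings.append((host, "medium", "path " + generalize_path(path)))
    return findings


def dns_hits(lines, domains):
    """Constructed log format (assumption): '<timestamp> <client_ip> <qtype> <qname>'.
    Matches the exact domain or any subdomain, case-insensitively."""
    hits = []
    for line in lines:
        ts, client, qtype, qname = line.split()
        name = qname.rstrip(".").lower()
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append((client, name))
    return hits


# Constructed sample data for the example (not from the report).
INVENTORY = [
    ("ws01", r"C:\Users\alice\AppData\Roaming\omsecor.exe",
     "836748ABDD43BBC0FCB4E53189E448F854F8E173042881223D07A26C6F9F6012"),
    ("ws02", r"C:\Windows\SysWOW64\omsecor.exe", "00" * 32),
    ("ws03", r"C:\Program Files\Vendor\tool.exe", "11" * 32),
]
DNS_LOG = [
    "2024-06-22T21:17:01Z 10.0.0.5 A lousta.net.",
    "2024-06-22T21:17:02Z 10.0.0.5 A cdn.MKKUEI4KDSZ.com",
    "2024-06-22T21:17:03Z 10.0.0.9 A update.example.com",
]

if __name__ == "__main__":
    print("stable hashes:", stable_hashes(RUNS))
    print("volatile hashes:", volatile_hashes(RUNS))
    print("findings:", scan_inventory(INVENTORY, RUNS))
    print("dns hits:", dns_hits(DNS_LOG, C2_DOMAINS))
```

With only two runs the intersection is a weak test of stability, so treat a hash that survives it as a candidate for blocking and the path and domain indicators as the ones to deploy first; the subdomain match in dns_hits is deliberate, since the report records only bare domain queries and a later sample may use a host under the same zone.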