Malware Analysis Report

2024-09-11 08:30

Sample ID 240623-g7hq9asepb
Target 46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe
SHA256 46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7
Tags neconyd trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7

Threat Level: Known bad

The file 46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

neconyd trojan

Neconyd family

Neconyd

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-23 06:26

Signatures

Neconyd family

neconyd

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-23 06:26

Reported 2024-06-23 06:29

Platform win7-20240221-en

Max time kernel 145s

Max time network 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2964 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2964 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2964 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 280 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 280 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 280 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 280 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Roaming\omsecor.exe C:\Windows\SysWOW64\omsecor.exe
PID 2884 wrote to memory of 2388 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2884 wrote to memory of 2388 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2884 wrote to memory of 2388 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe
PID 2884 wrote to memory of 2388 N/A C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe

Processes

C:\Users\Admin\AppData\Local\Temp\46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 64.225.91.73:80 mkkuei4kdsz.com tcp
US 8.8.8.8:53 ow5dirasuek.com udp
US 52.34.198.229:80 ow5dirasuek.com tcp
FI 193.166.255.171:80 lousta.net tcp
FI 193.166.255.171:80 lousta.net tcp
US 64.225.91.73:80 mkkuei4kdsz.com tcp

Files

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 88f5bcd0a95d2b9abcb834cd1126afe5
SHA1 3779fce0e9c9742682c1318ae1c6d3ce52dd4fb9
SHA256 fc9b055373959f3c4f21bc04956b085da1b2e14748ba0fc1261b5b4462738d5a
SHA512 361486618c3bcbd672cdc1c111d9d20b181bcaf6f6e9d46f321f5f9d82a0cbf31f7f4341698e95652f427219106b24d6f8fb43a11756dec9793b226b7114aa37

\Windows\SysWOW64\omsecor.exe

MD5 48ee3f07550be1baaf3ecf20a5586e75
SHA1 9f78bc54d772519952d9987392bb76c15d516be3
SHA256 739de06f23c7890ccb8c0e3d330f57bef3a0186fa1e513a9beaeb84651009362
SHA512 c6a59e6779967cea0bc40b22d212a570a357d717e2b3b7e3be3bebd293d1a2dae3e65adf75fa5fa14037e2fe2def08bbb1385c7c518d695149406f5a18e0e4a9

\Users\Admin\AppData\Roaming\omsecor.exe

MD5 adb0f97ab033548161804886fe43e028
SHA1 ced84eada68e025879b1b534cdfcabd715b13c68
SHA256 57e7708172edee82afe4c33b5fccae52eb05d5691722c7cbd98cebe5565bf569
SHA512 33a44f8f3d2f1f58b86a96ab07b2f69a307a950e8aabe5d00967171d72248ac49d4011ef9edc9aace8fd24ce7c8e14c6167d3fab43840690fc1d4aae1faba3db

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-23 06:26

Reported 2024-06-23 06:29

Platform win10v2004-20240508-en

Max time kernel 142s

Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe"

Signatures

Neconyd

trojan neconyd

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A
N/A N/A C:\Windows\SysWOW64\omsecor.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\omsecor.exe C:\Users\Admin\AppData\Roaming\omsecor.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\46cd62a07513f34a9eae609f2b1c3af92f58306b5d8e65512d1bdf45bd8c98c7_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Windows\SysWOW64\omsecor.exe

C:\Windows\System32\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

C:\Users\Admin\AppData\Roaming\omsecor.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 ow5dirasuek.com udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 lousta.net udp
US 8.8.8.8:53 mkkuei4kdsz.com udp
US 8.8.8.8:53 ow5dirasuek.com udp

Files

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 88f5bcd0a95d2b9abcb834cd1126afe5
SHA1 3779fce0e9c9742682c1318ae1c6d3ce52dd4fb9
SHA256 fc9b055373959f3c4f21bc04956b085da1b2e14748ba0fc1261b5b4462738d5a
SHA512 361486618c3bcbd672cdc1c111d9d20b181bcaf6f6e9d46f321f5f9d82a0cbf31f7f4341698e95652f427219106b24d6f8fb43a11756dec9793b226b7114aa37

C:\Windows\SysWOW64\omsecor.exe

MD5 8be4323ed0bfedce391dd7b704106ed4
SHA1 65141543590b2a64ef8df932b63da0fd44ae8aef
SHA256 7524aa9fcaf7b088f6cf1d91055bf0db5d5e9b3ef7ce4cca0a80be822e019c24
SHA512 ddcefdd83b224c09a95b11d5c28102e5aa6266e142c4cccdad0cfcac123aaffce3f40442aba38c9be4089cf304e0b7d10720419d32f0ad78e3f9d92e298bd1cf

C:\Users\Admin\AppData\Roaming\omsecor.exe

MD5 e7893a9efbc2d4624c29b2348fec2d3f
SHA1 f288d4e57afa7817e75bd0b3d5e753d29ba3a3f6
SHA256 c70b5a4f5ad7b4385b0bbf3acf9fc9eb2c8163d299bb9205d99dbb05f79e9578
SHA512 11438e2fe10dd2e8222756b96b8934693f2f4ebebd8be1b04f27d90e289525ba14a5e4a7c53071471862b72dfe9dc4d4167bac138c47648b1d7f4ae5c81a9d2e