Analysis Overview
SHA256
6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6
Threat Level: Known bad
The file 6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Neconyd family
Neconyd
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-23 12:18
Signatures
Neconyd family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 12:18
Reported
2024-06-23 12:21
Platform
win7-20231129-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
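The chain above (sample in Temp writes omsecor.exe to AppData\Roaming, that copy writes omsecor.exe into SysWOW64, each dropped copy is then executed, and the SysWOW64 process was launched with a System32 command line that WOW64 file-system redirection resolved to SysWOW64) is the behaviour the report's "Executes dropped EXE" and "Drops file in System32 directory" signatures describe. The detection logic below is an added example, not part of the sandbox output. Its events are constructed to mirror the report's process and file activity in a simplified Sysmon-like schema (event_id 1 = process create, event_id 11 = file create); the pids follow the memory-dump numbering in the report, which is an assumption about which dump belongs to which process. The rules key on paths and event chaining rather than hashes, because the SHA256 of the SysWOW64 copy differs between the two runs in this report, so a hash-only indicator would miss it.

```python
"""Detection logic for the drop-and-execute chain recorded in this report.

Added example, not part of the sandbox output. EVENTS is CONSTRUCTED to
mirror the report's activity; the field names are an assumed, simplified
Sysmon-like schema, and the pids are assumed from the memory-dump names.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe")
ROAMING_DROP = r"C:\Users\Admin\AppData\Roaming\omsecor.exe"
SYSWOW64_DROP = r"C:\Windows\SysWOW64\omsecor.exe"

EVENTS = [
    {"event_id": 1, "pid": 2264, "image": SAMPLE, "command_line": f'"{SAMPLE}"'},
    {"event_id": 11, "pid": 2264, "image": SAMPLE, "target": ROAMING_DROP},
    {"event_id": 1, "pid": 804, "image": ROAMING_DROP, "command_line": ROAMING_DROP},
    {"event_id": 11, "pid": 804, "image": ROAMING_DROP, "target": SYSWOW64_DROP},
    # A 32-bit process asked for System32; WOW64 file-system redirection
    # resolved it to SysWOW64, which is why the report lists both paths.
    {"event_id": 1, "pid": 2556, "image": SYSWOW64_DROP,
     "command_line": r"C:\Windows\System32\omsecor.exe"},
    {"event_id": 1, "pid": 1940, "image": ROAMING_DROP, "command_line": ROAMING_DROP},
    # Constructed benign activity that must not trigger any rule.
    {"event_id": 1, "pid": 3000, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
    {"event_id": 11, "pid": 3000, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\Admin\Documents\notes.txt"},
]

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)


def detect(events):
    """Return (rule, pid, path) findings; rule names mirror the report's signatures."""
    findings = []
    dropped = set()  # files written earlier in the trace, case-folded
    for ev in events:
        if ev["event_id"] == 11:
            target = ev["target"]
            # "Drops file in System32 directory": a process living in a
            # user-writable directory writes into a Windows system directory.
            if SYSTEM_DIR.match(target) and USER_WRITABLE.match(ev["image"]):
                findings.append(("drops_file_in_system_dir", ev["pid"], target))
            dropped.add(target.lower())
        elif ev["event_id"] == 1:
            image = ev["image"]
            # "Executes dropped EXE": the new process image was created by
            # an earlier file-create event in the same trace.
            if image.lower() in dropped:
                findings.append(("executes_dropped_exe", ev["pid"], image))
            if USER_WRITABLE.match(image) and image.lower().endswith(".exe"):
                findings.append(("exe_run_from_user_writable_dir", ev["pid"], image))
            # Image resolved under SysWOW64 while the command line names System32.
            cmdline = ev.get("command_line", "").lower()
            if "\\syswow64\\" in image.lower() and "\\system32\\" in cmdline:
                findings.append(("wow64_path_redirection", ev["pid"], image))
    return findings


def summarize(events):
    """Count findings per rule."""
    counts = {}
    for rule, _pid, _path in detect(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, pid, path in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {path}")
```

The `dropped` set is what turns two independent signatures into a chain: a process is only flagged as a dropped EXE if its image was written earlier in the same trace, which is also what distinguishes omsecor.exe from the constructed notepad.exe run from the real System32.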
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
Files
memory/2264-0-0x0000000000400000-0x000000000042B000-memory.dmp
\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e0b8cf155fa7b36155ed15cec0ab2c9d |
| SHA1 | 8019ecf3a5a1e109d3c08d40af57da66928980c9 |
| SHA256 | fbc6ac2db862e5b96186d89f9a8cfd69e0c5c473626c18743a37dc1327baddbf |
| SHA512 | cf5e0670ec2d65fc7f5b5b429ef296b8d2b1f69738c63b2ee4c99a0080bac1fedf1a2b5d3c6e37d80797d99c08a9933cbb1c44c596bb259cfb47c226ae18a87b |
memory/2264-9-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/2264-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2264-8-0x00000000001B0000-0x00000000001DB000-memory.dmp
memory/804-13-0x0000000000400000-0x000000000042B000-memory.dmp
\Windows\SysWOW64\omsecor.exe
| MD5 | 4d98e31f7e20b761292e92407c52dcfb |
| SHA1 | d4aedddc499236112fb165f53cab5e634f2632ba |
| SHA256 | 321d42c13e77a827f5695bde2ef680e7ce1e94d26fe98ca32888f33916845f89 |
| SHA512 | c1737326a2c6dbaedc40d5660958ecc3064b38d2e9bebde21659ece42401bb998d8ede11c0e4d9499256216fc0bb3c3864527e08c370bab8bf7430aa9e67c3a2 |
memory/804-18-0x0000000000280000-0x00000000002AB000-memory.dmp
memory/804-25-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | 41f9fd8198142d79df0e234628aa2fab |
| SHA1 | 4f9f321a0f247f0a9ddf416865392b0bb68a4d01 |
| SHA256 | a57a26af3eea1f03eb7f5fb338e15defb1a54f1449febff9916413ae2f9d43c9 |
| SHA512 | fae52000d1e407d17edb889ff80c4e6f10dcd66b11456dbcd97abae587882161fd69fb42e7841edfe16b09cb72f9f3a6aafd0d3abec29a472b6ae4329713754e |
memory/1940-36-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2556-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1940-38-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 12:18
Reported
2024-06-23 12:21
Platform
win10v2004-20240611-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Neconyd
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\omsecor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\6cb4cf95755434b530b0b45ba0ebd0842a3c381cbdb80750c9e4f3c6e3fcf4a6_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1276,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8 |
| C:\Windows\SysWOW64\omsecor.exe | C:\Windows\System32\omsecor.exe |
| C:\Users\Admin\AppData\Roaming\omsecor.exe | C:\Users\Admin\AppData\Roaming\omsecor.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.91.225.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 8.8.8.8:53 | 229.198.34.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
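The Windows 10 network table above mixes the sample's own traffic with background noise: reverse lookups (`*.in-addr.arpa`) the sandbox performs on every IP it sees, and Bing endpoints contacted by the Windows 10 image itself. The Windows 7 run in behavioral1 contacts only lousta.net, mkkuei4kdsz.com and ow5dirasuek.com, which is the cleaner view of what the sample does. The script below is an added example, not part of the report: it parses a constructed copy of a subset of the rows above, filters the noise using an analyst allowlist (the `.bing.com` / `.bing.net` suffixes are an assumption about this image's background traffic, not something the report states), and produces the per-domain indicator set plus Suricata-style DNS rules (Suricata 5+ `dns.query` syntax) for hunting.

```python
"""Triage of the sandbox network table into hunting indicators.

Added example, not part of the report. NETWORK_TABLE is a CONSTRUCTED
subset of the behavioral2 rows; BENIGN_SUFFIXES is an analyst assumption.
"""
from collections import defaultdict

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lousta.net | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 8.8.8.8:53 | mkkuei4kdsz.com | udp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
| US | 8.8.8.8:53 | ow5dirasuek.com | udp |
| US | 52.34.198.229:80 | ow5dirasuek.com | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | lousta.net | tcp |
| US | 64.225.91.73:80 | mkkuei4kdsz.com | tcp |
"""

# Assumed allowlist: background traffic of the Windows 10 image, not the sample.
BENIGN_SUFFIXES = (".bing.com", ".bing.net")


def parse_table(text):
    """Parse the report's pipe-delimited table into a list of row dicts."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = [c.strip().lower() for c in lines[0].strip("|").split("|")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def is_noise(domain):
    """Reverse lookups and allowlisted background domains are not indicators."""
    d = domain.lower()
    if d.endswith(".in-addr.arpa"):
        return True
    return any(d == s[1:] or d.endswith(s) for s in BENIGN_SUFFIXES)


def triage(rows):
    """Group the remaining rows by domain: DNS queries, connections, endpoints."""
    iocs = defaultdict(lambda: {"dns_queries": 0, "connections": 0, "endpoints": set()})
    for r in rows:
        dom = r["domain"]
        if is_noise(dom):
            continue
        entry = iocs[dom]
        if r["proto"] == "udp" and r["destination"].endswith(":53"):
            entry["dns_queries"] += 1
        else:
            entry["connections"] += 1
            entry["endpoints"].add(r["destination"])
    return {d: {**v, "endpoints": sorted(v["endpoints"])} for d, v in iocs.items()}


def suricata_rules(iocs, base_sid=1000001):
    """One DNS-query rule per surviving domain, with sequential sids."""
    return [
        f'alert dns any any -> any any (msg:"Neconyd sample DNS lookup {dom}"; '
        f'dns.query; content:"{dom}"; nocase; sid:{base_sid + i}; rev:1;)'
        for i, dom in enumerate(sorted(iocs))
    ]


if __name__ == "__main__":
    result = triage(parse_table(NETWORK_TABLE))
    for dom, info in sorted(result.items()):
        print(dom, info)
    print("\n".join(suricata_rules(result)))
```

Keeping the `ip:port` endpoints alongside each domain matters for hunting: lousta.net resolved to the same host in both runs, so the IP is a usable secondary indicator, but the domains are the primary ones, since a DNS resolution can change between detonation and an incident.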
Files
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e0b8cf155fa7b36155ed15cec0ab2c9d |
| SHA1 | 8019ecf3a5a1e109d3c08d40af57da66928980c9 |
| SHA256 | fbc6ac2db862e5b96186d89f9a8cfd69e0c5c473626c18743a37dc1327baddbf |
| SHA512 | cf5e0670ec2d65fc7f5b5b429ef296b8d2b1f69738c63b2ee4c99a0080bac1fedf1a2b5d3c6e37d80797d99c08a9933cbb1c44c596bb259cfb47c226ae18a87b |
memory/1424-4-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1424-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2716-6-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2716-7-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\omsecor.exe
| MD5 | 2321b7433af3ee864e3a4f53df750bc6 |
| SHA1 | f1d4389944e617b5a672a7723651b5574611f079 |
| SHA256 | 9cd26245f867a95ca61d98ac9912d09cc357c8438fcfda8b15581e7cb91e1f5f |
| SHA512 | fdb7480aed5e761fef3f6808f810cd5ff17060dc6a0f573001d9fe2f71d74f949c3ac94ae7add8fb16fbd8372e587b3e3d479f8c53462dba6a55824b1e076eaf |
memory/4844-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2716-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4844-17-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Users\Admin\AppData\Roaming\omsecor.exe
| MD5 | e3807c1088b20497fc32a34d9ab3a824 |
| SHA1 | c31e9b84cd5a800770524ea9a6e2a358f359876b |
| SHA256 | 75b118e23ffd386607259f80194bb5c796f30fe1e1b78d661c6accf61b5fe8bd |
| SHA512 | 47218e24d83f36e269159cac6b0005cd17f684a3434734dbc3b3b22162578a77d9df9aa09a3a3b3f9f1c0c0b5b5984d9c27d897ff9a5dff2de6d063319ea803a |
memory/2992-19-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2992-20-0x0000000000400000-0x000000000042B000-memory.dmp