neconyd | 8ea59449327a1abe5366a889f684664c872328cf782457a5b9b323798dd40f80

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78a00d09b80a4ee1833b7a76bdba0016_JaffaCakes118.exe
Size

64KB
MD5

78a00d09b80a4ee1833b7a76bdba0016
SHA1

4a0570172e773189df3d5e9965a3f140555353ff
SHA256

8ea59449327a1abe5366a889f684664c872328cf782457a5b9b323798dd40f80
SHA512

a934a46b355d9b1447e3682d5dd123c621946bf9126c7682f9f110efff3c3bdabeb585a5e67b1668e3a9ca48f793b639f282ea7f7614d0b9ba55c5202c330580
SSDEEP

768:HMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:HbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd

Executes dropped EXE 3 IoCs

pid	Process
3048	omsecor.exe
1240	omsecor.exe
1436	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2980	78a00d09b80a4ee1833b7a76bdba0016_JaffaCakes118.exe
2980	78a00d09b80a4ee1833b7a76bdba0016_JaffaCakes118.exe
3048	omsecor.exe
3048	omsecor.exe
1240	omsecor.exe
1240	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78a00d09b80a4ee1833b7a76bdba0016_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3048	2980	78a00d09b80a4ee1833b7a76bdba0016_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3048	2980	78a00d09b80a4ee1833b7a76bdba0016_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3048	2980	78a00d09b80a4ee1833b7a76bdba0016_JaffaCakes118.exe	30
PID 2980 wrote to memory of 3048	2980	78a00d09b80a4ee1833b7a76bdba0016_JaffaCakes118.exe	30
PID 3048 wrote to memory of 1240	3048	omsecor.exe	33
PID 3048 wrote to memory of 1240	3048	omsecor.exe	33
PID 3048 wrote to memory of 1240	3048	omsecor.exe	33
PID 3048 wrote to memory of 1240	3048	omsecor.exe	33
PID 1240 wrote to memory of 1436	1240	omsecor.exe	34
PID 1240 wrote to memory of 1436	1240	omsecor.exe	34
PID 1240 wrote to memory of 1436	1240	omsecor.exe	34
PID 1240 wrote to memory of 1436	1240	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\78a00d09b80a4ee1833b7a76bdba0016_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\78a00d09b80a4ee1833b7a76bdba0016_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
f08f746a53a15629e6621da734f580e7

SHA1
72446406f35a5ac1a9cf4e6429bc43f4b1e1017f

SHA256
b810cd1c50457f062bc520961fddc8ea8a50203b75fcd03175aecf7eafc0b6ff

SHA512
90fca2bb48398583f5994eefa987e4e59649082e7d9989c7e9d7e4ab84aed1cf84875cb54dce6448405e6bd9b360eba692cba7898943aa311a620b3e06d8aa0a

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
78a00d09b80a4ee1833b7a76bdba0016

SHA1
4a0570172e773189df3d5e9965a3f140555353ff

SHA256
8ea59449327a1abe5366a889f684664c872328cf782457a5b9b323798dd40f80

SHA512
a934a46b355d9b1447e3682d5dd123c621946bf9126c7682f9f110efff3c3bdabeb585a5e67b1668e3a9ca48f793b639f282ea7f7614d0b9ba55c5202c330580

Download Submit