neconyd | e02d49e4242298fedc41b5bdb95388618d6534d63e46b3ea4aba0db5b912a276

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
24/11/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe
Size

63KB
MD5

9250c7bbf886686409b6a069ff4b5ea3
SHA1

b401f388b3f3eef6b73e078bcbfb085cfa717989
SHA256

e02d49e4242298fedc41b5bdb95388618d6534d63e46b3ea4aba0db5b912a276
SHA512

56a5740fc881ae95a63f56f637491370569d1153720ccd6662c6e9df391b11f8c6b928aa75d59b802fe4dd0219cd4f93dac61d35981899193ea5c5c149c43e19
SSDEEP

1536:0d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:MdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2148	omsecor.exe
2732	omsecor.exe
1688	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2016	9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe
2016	9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe
2148	omsecor.exe
2148	omsecor.exe
2732	omsecor.exe
2732	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2148	2016	9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2148	2016	9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2148	2016	9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe	30
PID 2016 wrote to memory of 2148	2016	9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe	30
PID 2148 wrote to memory of 2732	2148	omsecor.exe	33
PID 2148 wrote to memory of 2732	2148	omsecor.exe	33
PID 2148 wrote to memory of 2732	2148	omsecor.exe	33
PID 2148 wrote to memory of 2732	2148	omsecor.exe	33
PID 2732 wrote to memory of 1688	2732	omsecor.exe	34
PID 2732 wrote to memory of 1688	2732	omsecor.exe	34
PID 2732 wrote to memory of 1688	2732	omsecor.exe	34
PID 2732 wrote to memory of 1688	2732	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
ad81bae3e66882f32c1bf4e8416a377a

SHA1
794f2c733cc24c1c81bf463d2c1ea4d0abb562ce

SHA256
676096c79e12654732df7d68590b7307fe6c38bc234a0e79fc3dc138e08e2b66

SHA512
3704d3449cc50155cd75c13413504724d89841156692563f5d220bee885639a051f3cef3c0df9e5975e1df70770a79fc4c2a693089437a53fce2c58e0c1c2b82

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
c6cba7a46fc1865ba001679e0fdfe667

SHA1
e019a18ed29ffec879ef78188d1bdd64a3ce223b

SHA256
14d5c258d8d53249a94173b2dcfd1fb3086bca2341485dc6e5f2592e39bca534

SHA512
c3ae59905c5e84944362a7a350ae48a4b31f7fa759c94a34e86e7ed50eed0d2f9aba153a0d4cedf65cddcb3a0a6511e4bc9ae9e48e6cc771b93508fa4552b586

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
63KB

MD5
d3fac304f9265adc4774e04dac13c58e

SHA1
96939f80e58e7f149a4d25f2cdcd8c6eaeff1b02

SHA256
d29379c54c294938a819a151a210c018057292e31d1861c11463ecafe0559cb9

SHA512
e4fd3f9971f7179855d8aab21712be284128f6650b6070dfe620c214a446258e4f44cf0f630c1187a5e4124b898ede6c8f5a42e8eba00389b0089b249271eea3

Download Submit