neconyd | e02d49e4242298fedc41b5bdb95388618d6534d63e46b3ea4aba0db5b912a276

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe
Size

63KB
MD5

9250c7bbf886686409b6a069ff4b5ea3
SHA1

b401f388b3f3eef6b73e078bcbfb085cfa717989
SHA256

e02d49e4242298fedc41b5bdb95388618d6534d63e46b3ea4aba0db5b912a276
SHA512

56a5740fc881ae95a63f56f637491370569d1153720ccd6662c6e9df391b11f8c6b928aa75d59b802fe4dd0219cd4f93dac61d35981899193ea5c5c149c43e19
SSDEEP

1536:0d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:MdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4792	omsecor.exe
1760	omsecor.exe
1692	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4792	4976	9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe	83
PID 4976 wrote to memory of 4792	4976	9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe	83
PID 4976 wrote to memory of 4792	4976	9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe	83
PID 4792 wrote to memory of 1760	4792	omsecor.exe	93
PID 4792 wrote to memory of 1760	4792	omsecor.exe	93
PID 4792 wrote to memory of 1760	4792	omsecor.exe	93
PID 1760 wrote to memory of 1692	1760	omsecor.exe	94
PID 1760 wrote to memory of 1692	1760	omsecor.exe	94
PID 1760 wrote to memory of 1692	1760	omsecor.exe	94

C:\Users\Admin\AppData\Local\Temp\9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9250c7bbf886686409b6a069ff4b5ea3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
ad81bae3e66882f32c1bf4e8416a377a

SHA1
794f2c733cc24c1c81bf463d2c1ea4d0abb562ce

SHA256
676096c79e12654732df7d68590b7307fe6c38bc234a0e79fc3dc138e08e2b66

SHA512
3704d3449cc50155cd75c13413504724d89841156692563f5d220bee885639a051f3cef3c0df9e5975e1df70770a79fc4c2a693089437a53fce2c58e0c1c2b82

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
e714653a0a896121da2ec2db943e029b

SHA1
89e2c57096b8dc669133bc179a5bb15b626da191

SHA256
c4c2ff8d778c822c943c964bf282b48eb23281458ecc0ae4d1902e3ff61cf2a6

SHA512
b45d3ebe6d519aa043171e668883b65ebdfb62930b57bbbbc44e3ebafca647e0b6c351483dba9f5d9d7307b2f4aafa9807c3b173f0df74424ea38c2bc48758e4

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
63KB

MD5
2b674da08b055dcc41d2b4430b673702

SHA1
f21bc59bb853b9cb7a3990244d1aef052360c64c

SHA256
a7ff13c30760133feff7659397ba4a3ec44a0f9976b6357b263bde6816512946

SHA512
7e10039477d2b2092a523088feca81398cd24981a72f13943a2e2a91987d7872e40bba4b7ac1596d49627c6d5156158f9ab9bd02ab861b70c06721d913bb309e

Download Submit