neconyd | 0747ab87d632ad73f25b7a5e714402e65957476e01d151c0979bbff69235a5b3

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c546daa6b3345e7144690000adda9783_JaffaCakes118.exe
Size

63KB
MD5

c546daa6b3345e7144690000adda9783
SHA1

8e895ef5b4d40ad81d2af815c2f801bf0a90e84f
SHA256

0747ab87d632ad73f25b7a5e714402e65957476e01d151c0979bbff69235a5b3
SHA512

38d65bf278a56dc284a611978adb1e2278dec4960f37a87b3ab0d4bd527bdeffb3d9802edb05f45ec6a8b62780fe3def3a1feb492fdac24ee6427fa8a1dfb696
SSDEEP

1536:9d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:1dseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2052	omsecor.exe
3028	omsecor.exe
1904	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2100	c546daa6b3345e7144690000adda9783_JaffaCakes118.exe
2100	c546daa6b3345e7144690000adda9783_JaffaCakes118.exe
2052	omsecor.exe
2052	omsecor.exe
3028	omsecor.exe
3028	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c546daa6b3345e7144690000adda9783_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2052	2100	c546daa6b3345e7144690000adda9783_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2052	2100	c546daa6b3345e7144690000adda9783_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2052	2100	c546daa6b3345e7144690000adda9783_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2052	2100	c546daa6b3345e7144690000adda9783_JaffaCakes118.exe	31
PID 2052 wrote to memory of 3028	2052	omsecor.exe	33
PID 2052 wrote to memory of 3028	2052	omsecor.exe	33
PID 2052 wrote to memory of 3028	2052	omsecor.exe	33
PID 2052 wrote to memory of 3028	2052	omsecor.exe	33
PID 3028 wrote to memory of 1904	3028	omsecor.exe	34
PID 3028 wrote to memory of 1904	3028	omsecor.exe	34
PID 3028 wrote to memory of 1904	3028	omsecor.exe	34
PID 3028 wrote to memory of 1904	3028	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\c546daa6b3345e7144690000adda9783_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c546daa6b3345e7144690000adda9783_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
6ae3b2f9a3ded27aaffc5bf038063f82

SHA1
efcf725cf0154a8a382a0633c6a56f6636f1bd4f

SHA256
d77aacd76727ab697a539cbe3aa88b5f928df6feaa1e7517e75c31f1ad2cee35

SHA512
21695c4d52e65fe880412cd9bb76df4bc10871431a34debfa8648fe42736c3143d4c9f94b61754ee9867fde4465c332e19de2a6fbef7204d29fc2fe5f93b9d3c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
265a2f602f730830001bb833cb82781c

SHA1
e67df43959a2789a43069188573f1ddf8b0cf552

SHA256
08b19b1873208d6006fab3f7df98800f6838171cddbf3facb43867eead0140f5

SHA512
be53ea14aa441b6c2297bad5abdb3206400555f415d3dd57b733b8e694172313620278c1fbaf08f854ad44a1ebe5c277780da04c49fb6f8efa8117c2a8888012

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
63KB

MD5
0634f19c0aec4621852848a1bd02a75a

SHA1
dbeabe5e9025cc76dab107ef99d03cb04ed5ba11

SHA256
8baf524e45f412ee4c6ffb5dec9ede6838d5aedb920326699aa3b67bbb3cb224

SHA512
c7ea02eca01a49b90a7491fd225c9c93e936a3635418de99ca049e3abf02f8b335924f1f20e23a6dbd481df6ad96fbcc9d21db6084bde346c6a609eec2805ef0

Download Submit