neconyd | c563c39bb2f300dc9dfa5c0b2fc266072a5c96ffc6f56b92df9d2f2dbd702868

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe
Size

63KB
MD5

fcfeb20e420471971457ba0b64e0b55b
SHA1

6d601d4939f0fcbb33add732bd232d9051764edb
SHA256

c563c39bb2f300dc9dfa5c0b2fc266072a5c96ffc6f56b92df9d2f2dbd702868
SHA512

869d3c30ca03bc2abb4b459673fc762149e6bf3fb0c4be858a63d16b92d4fa1c56891cd39a3d812120a309f9ebe76d182ec75c7942ba10a8396e3cf2b96c20fe
SSDEEP

768:vMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:vbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4896	omsecor.exe
4816	omsecor.exe
1132	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 4896	1804	fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe	83
PID 1804 wrote to memory of 4896	1804	fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe	83
PID 1804 wrote to memory of 4896	1804	fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe	83
PID 4896 wrote to memory of 4816	4896	omsecor.exe	100
PID 4896 wrote to memory of 4816	4896	omsecor.exe	100
PID 4896 wrote to memory of 4816	4896	omsecor.exe	100
PID 4816 wrote to memory of 1132	4816	omsecor.exe	101
PID 4816 wrote to memory of 1132	4816	omsecor.exe	101
PID 4816 wrote to memory of 1132	4816	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcfeb20e420471971457ba0b64e0b55b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
e0a27cf3e511ae6e91d09bc414731769

SHA1
6fdbc766c793529ad42e371c743c832fb5d7c14b

SHA256
768a06cb7d2941550f1d8507d4e8945b685ca6ee6a4efa1729a35c1d0d958a1d

SHA512
21658fb94ab6b67b067cbd9b657ff1d69a185701dd5472781712486d1d23d90398ff49bcb6529e4baa7faeaac023952e21125aac50bc20bd2c46448d047916b7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
4074132e19454f0345fa6d538f640353

SHA1
b3054958ea95ccc8154152d772fd81ab409c5cd3

SHA256
54186f4815882e56c9a90af9c9ec3ecaae59904227feaaf76aa6b20ce67ebb23

SHA512
6393b76f484d691b75063ce4bc4ff2ce8f0f384ead2170768288b34f71c36152972ab1edbabdcff2c166ab72a8fa3cab2b2358470dd809f9d247023f60edc2a7

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
63KB

MD5
40dfdca51653eb50e4c1ad5ed47c7747

SHA1
f66258c8acad6f3c575e5ab5e426572ef910383c

SHA256
ec92f58a01d4fbba028ed2b0f7fd035b8744692352bad753d313ebdf0c813daf

SHA512
40feaedb4f9a833f1b044cacff8225cbe331815737b5351aa625b6eab7e28ef1363b422dd92bab50e569ac615c0e028a90de6995362d3049aff0f9418daaaecc

Download Submit