neconyd | 48297065c2b56eaca211176d55289b5b49615368df11b2ee4a7460d4fa5e79da

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe
Size

64KB
MD5

3a09ced05b49b33362bc0c9a6df6551a
SHA1

a68a064362d1b6c0e8f6e6fe0de0486ca93a8f03
SHA256

48297065c2b56eaca211176d55289b5b49615368df11b2ee4a7460d4fa5e79da
SHA512

d947bf1a175fc88fbab905237273aac3bb8181305a2207ae460a832e1379007bdf91e92fb40ef192d39a494a6eb615857d6cb9de25dd884c543be31e61a651b3
SSDEEP

1536:Md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:0dseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2316	omsecor.exe
2624	omsecor.exe
3016	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2856	JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe
2856	JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe
2316	omsecor.exe
2316	omsecor.exe
2624	omsecor.exe
2624	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2316	2856	JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe	30
PID 2856 wrote to memory of 2316	2856	JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe	30
PID 2856 wrote to memory of 2316	2856	JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe	30
PID 2856 wrote to memory of 2316	2856	JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe	30
PID 2316 wrote to memory of 2624	2316	omsecor.exe	32
PID 2316 wrote to memory of 2624	2316	omsecor.exe	32
PID 2316 wrote to memory of 2624	2316	omsecor.exe	32
PID 2316 wrote to memory of 2624	2316	omsecor.exe	32
PID 2624 wrote to memory of 3016	2624	omsecor.exe	33
PID 2624 wrote to memory of 3016	2624	omsecor.exe	33
PID 2624 wrote to memory of 3016	2624	omsecor.exe	33
PID 2624 wrote to memory of 3016	2624	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
ffc1c13fe8741007919d6a397f33eaf4

SHA1
31e00a95f772cd27d9088017f7ca32076ed7a1d0

SHA256
12e61e37cb0957e8ce1949035bd864fffdd09adba0fb5115a19ad64da86f6448

SHA512
eb4bf4b36244e65923e443b07ac86a2b8100973c441900418a791642c0bfd3ccb38704ec120e02926e90b730a5dbb488e0660092ef6e944840ab8454e0fff144

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
7623ea02a3fc458ad0270afaad7a8621

SHA1
e8d0fb387dc6ec0bbfad0e7a26713c9e76dab9eb

SHA256
cbd1b940b1f9a0a155218d927bc902a52d44b33fc9e319dbc1ee5d0c47ff99ac

SHA512
2f8e6f73e667f3e14e13be66c0b97cea6c1eb5b8a9e8e8cc5351f6e579f68db7bb019d58ed483734d90971fddf0d6ff54fb753f57bc84ada584bbefac2e8a601

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
bfb68df752ca380f77d7eb4f1d0daabe

SHA1
b6308dc39987590d77638b1141251e81faae5a1f

SHA256
c7cd94b422cafc8db1e4a7c4e368302bb8fecff09ff3ec8418f3823066523f13

SHA512
a6ee69889e2c547d839af43752504193dce582cc5a0dbf3a7b2780dfd7a424eaf331be6854ed94b1ea7ca59ba1500308517aad8c6815bff5302a4120e49f1e2b

Download Submit