neconyd | 48297065c2b56eaca211176d55289b5b49615368df11b2ee4a7460d4fa5e79da

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe
Size

64KB
MD5

3a09ced05b49b33362bc0c9a6df6551a
SHA1

a68a064362d1b6c0e8f6e6fe0de0486ca93a8f03
SHA256

48297065c2b56eaca211176d55289b5b49615368df11b2ee4a7460d4fa5e79da
SHA512

d947bf1a175fc88fbab905237273aac3bb8181305a2207ae460a832e1379007bdf91e92fb40ef192d39a494a6eb615857d6cb9de25dd884c543be31e61a651b3
SSDEEP

1536:Md9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:0dseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4384	omsecor.exe
3104	omsecor.exe
5016	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 4384	1108	JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe	83
PID 1108 wrote to memory of 4384	1108	JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe	83
PID 1108 wrote to memory of 4384	1108	JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe	83
PID 4384 wrote to memory of 3104	4384	omsecor.exe	100
PID 4384 wrote to memory of 3104	4384	omsecor.exe	100
PID 4384 wrote to memory of 3104	4384	omsecor.exe	100
PID 3104 wrote to memory of 5016	3104	omsecor.exe	101
PID 3104 wrote to memory of 5016	3104	omsecor.exe	101
PID 3104 wrote to memory of 5016	3104	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3a09ced05b49b33362bc0c9a6df6551a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
ac01dc813efffc1111b079ceb8eb6316

SHA1
e4808a06de007043e6a9e817d64138ef852749e3

SHA256
1826845b8b43867a1176ab09c60a6b9f66bf1f1084cb9ba10491f120e819e640

SHA512
b66e81105534dee8b41a00b51585d6ade0134eb464b5f9a7c290ad986ef654561fdff852ce197ea2275c9de089f834f818efdd68b08a5c600291e835c34f2fda

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
ffc1c13fe8741007919d6a397f33eaf4

SHA1
31e00a95f772cd27d9088017f7ca32076ed7a1d0

SHA256
12e61e37cb0957e8ce1949035bd864fffdd09adba0fb5115a19ad64da86f6448

SHA512
eb4bf4b36244e65923e443b07ac86a2b8100973c441900418a791642c0bfd3ccb38704ec120e02926e90b730a5dbb488e0660092ef6e944840ab8454e0fff144

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
dccc2fdc73280434e99256efca649f1e

SHA1
84b19cbfa29809f9dcdede51a74d256a1883c558

SHA256
9d1631392d4d3166945691980760b082160a47faff853e34e541ecd12030b005

SHA512
0e327c45c755d7170fd6d80b543158033d5a1ebb19ccc3c2214322d924c3af7174fa518e773bd5a2ecec27cb5e84581af92de3b5cff7797adaf129b9ffbd36f0

Download Submit