neconyd | 9d49b6090471b8ed06adc1cd2efb147481f473df7e2c4d596ac731ded35027fd

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/12/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe
Size

64KB
MD5

3bf16a21a8e0a406d5976f856dcf1dec
SHA1

5db1e8473896729151dfe31e481417c4ea0e5738
SHA256

9d49b6090471b8ed06adc1cd2efb147481f473df7e2c4d596ac731ded35027fd
SHA512

c143ab45c56baa6149231d31ad246c5d17363c1410bd178a683d9a75833840bee95d4f9e3f91411bbe2725e40e9cef471c1f950364b74eea19edcbde6d97e1b0
SSDEEP

768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:MbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1044	omsecor.exe
1312	omsecor.exe
944	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2452	JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe
2452	JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe
1044	omsecor.exe
1044	omsecor.exe
1312	omsecor.exe
1312	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1044	2452	JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe	31
PID 2452 wrote to memory of 1044	2452	JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe	31
PID 2452 wrote to memory of 1044	2452	JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe	31
PID 2452 wrote to memory of 1044	2452	JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe	31
PID 1044 wrote to memory of 1312	1044	omsecor.exe	34
PID 1044 wrote to memory of 1312	1044	omsecor.exe	34
PID 1044 wrote to memory of 1312	1044	omsecor.exe	34
PID 1044 wrote to memory of 1312	1044	omsecor.exe	34
PID 1312 wrote to memory of 944	1312	omsecor.exe	35
PID 1312 wrote to memory of 944	1312	omsecor.exe	35
PID 1312 wrote to memory of 944	1312	omsecor.exe	35
PID 1312 wrote to memory of 944	1312	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
75b06a6834cfc813f96fb04836f759e7

SHA1
f3bcf9d0710592542d79da270ff2af374abd38a8

SHA256
c26e3b2120709a6d7f7871b40e77de93c44dd764aca4e84afb28625ccbf78cc7

SHA512
cda5cc9055271e25af1de02f82a33078a7c30ec6c3563a532b26e02215f0659838e7d543023215297a53243e7f7e28e7fbef586a70df5046c960ce0b7b7839dd

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
1b34cb1c2aba05590742d9ba63ad44d1

SHA1
1bd408ccc9f394fb37427d2b874290068ac9d90e

SHA256
a0886a46c60bc4efc007ec1f66c6011ad01189417e20da52f5a1cc551c9e1677

SHA512
f20758f3516df413847099f91710eca7b5a1be802b321e2a6ec349f548fdfacf9a803bd4664b8ec460fa3bec8773651c96a4f67a5c7c6aa64d294d5a00dd4fb0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
2aff6fb6eac7c447c4a5bee8a9563c26

SHA1
9e11f122719db2b278f9e74ba52d3ec5f6c16975

SHA256
872a75f2227d1a7da93603c7e70d316c291f9724bdbc0ccbd0e72a40b4235d2d

SHA512
74846a75a18cd180b69817314c52d5c2d6a26c1002c020da7897a48acf6c4e759df81bb69471bac66e38ce7e8a37cff8c9327bd8187523e1fdd8e6eacfd61189

Download Submit