neconyd | 9d49b6090471b8ed06adc1cd2efb147481f473df7e2c4d596ac731ded35027fd

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe
Size

64KB
MD5

3bf16a21a8e0a406d5976f856dcf1dec
SHA1

5db1e8473896729151dfe31e481417c4ea0e5738
SHA256

9d49b6090471b8ed06adc1cd2efb147481f473df7e2c4d596ac731ded35027fd
SHA512

c143ab45c56baa6149231d31ad246c5d17363c1410bd178a683d9a75833840bee95d4f9e3f91411bbe2725e40e9cef471c1f950364b74eea19edcbde6d97e1b0
SSDEEP

768:MMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uAW:MbIvYvZEyFKF6N4yS+AQmZTl/5O

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3248	omsecor.exe
1532	omsecor.exe
4044	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 3248	3728	JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe	85
PID 3728 wrote to memory of 3248	3728	JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe	85
PID 3728 wrote to memory of 3248	3728	JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe	85
PID 3248 wrote to memory of 1532	3248	omsecor.exe	103
PID 3248 wrote to memory of 1532	3248	omsecor.exe	103
PID 3248 wrote to memory of 1532	3248	omsecor.exe	103
PID 1532 wrote to memory of 4044	1532	omsecor.exe	104
PID 1532 wrote to memory of 4044	1532	omsecor.exe	104
PID 1532 wrote to memory of 4044	1532	omsecor.exe	104

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3bf16a21a8e0a406d5976f856dcf1dec.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
30219299b4c3f963c9b3833d35218776

SHA1
561bb272711ad70f667e07177d77351ae3f9b9a2

SHA256
587fe2fe527b000b3980bd00dc5bb0bba316011282cf03adbcffdac7da63e704

SHA512
6b77dff39c6b92093d4a802db3cd4128053792913e70e9cf8fbebdc1c1a8df0fa3b5c62acc72850361836a181be3e112884213eadbfd7cf8d1a2aebdc4246012

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
75b06a6834cfc813f96fb04836f759e7

SHA1
f3bcf9d0710592542d79da270ff2af374abd38a8

SHA256
c26e3b2120709a6d7f7871b40e77de93c44dd764aca4e84afb28625ccbf78cc7

SHA512
cda5cc9055271e25af1de02f82a33078a7c30ec6c3563a532b26e02215f0659838e7d543023215297a53243e7f7e28e7fbef586a70df5046c960ce0b7b7839dd

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
44be9a33f27eddc8534962b15416a60b

SHA1
72789b9bd75a3e0721c6efa6dbf7abefe29bef82

SHA256
05d939ae181bab3561ebfedd477caaf6e7d2c4cfa91e29027d664535bf3446c4

SHA512
3d76edcf3e8620966fb7c25893997a8c6d139710b9255919071ec340291f033dcddc7480c4fd993cf70c3e2cb3e4b2dfbb9ec6956ffff324ebc2bb6ccee5cc62

Download Submit