neconyd | 7c9e89c6d6226a5bbb0a4027211b230c847f293a3162d91841125bf0ad032ad9

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe
Size

4.5MB
MD5

436e36bd476b6662831dd96b96cd5c6a
SHA1

dd61328e0cab228cdb4462b721eb53714430c6d1
SHA256

7c9e89c6d6226a5bbb0a4027211b230c847f293a3162d91841125bf0ad032ad9
SHA512

7bbc4c3c96da786fff12ce04212f8aba415a7aa5926d3ce2e4b979ef062931f5e8b316a0b29659ababae3d6217914b461d58b2e6fadc986bf98550b712cd960a
SSDEEP

24576:u9Z9yn0hTZrIbAEu8CkB7mA5yupIIKQS9YRXT8HU/ny5U5DB:4KnuTZh8JUUyJCS9CXT8Enys

Score

10^/10

neconyd discovery trojan

Malware Config

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2572	omsecor.exe
2228	omsecor.exe
1068	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2340	JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe
2340	JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe
2572	omsecor.exe
2572	omsecor.exe
2228	omsecor.exe
2228	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2572	2340	JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe	29
PID 2340 wrote to memory of 2572	2340	JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe	29
PID 2340 wrote to memory of 2572	2340	JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe	29
PID 2340 wrote to memory of 2572	2340	JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe	29
PID 2572 wrote to memory of 2228	2572	omsecor.exe	31
PID 2572 wrote to memory of 2228	2572	omsecor.exe	31
PID 2572 wrote to memory of 2228	2572	omsecor.exe	31
PID 2572 wrote to memory of 2228	2572	omsecor.exe	31
PID 2228 wrote to memory of 1068	2228	omsecor.exe	32
PID 2228 wrote to memory of 1068	2228	omsecor.exe	32
PID 2228 wrote to memory of 1068	2228	omsecor.exe	32
PID 2228 wrote to memory of 1068	2228	omsecor.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
4.5MB

MD5
ae14e282af0d303303bb65adec9dcbfa

SHA1
5db04faef0a00f181d4cd9aae956911365c3d49f

SHA256
843b1aa44f06473ef7d7216d571fa917fda03828b8bee3b9c4e10d74cca77aa2

SHA512
2edd122b1e6dffeb1b9954df948a96e8b6bcd89a4084ae9412b7166d15f04e7b73aff2ad6b10f72d91da9dcb6fdedc03780b3ea96acee3db2222f32e1ee39632

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
4.5MB

MD5
3c026476262e7bab37cdc0362b2e3930

SHA1
85a09d18d20764391e296fde6cdd46f5d9a7c7d5

SHA256
c7cb4b3e38cffa4e4a3c5a4edee5794b3413d9643b04d2fd78f6b21106f3c959

SHA512
2719fb20f8af7296c1c7d0ab4a62200ff4ca9c4a7de33db744d2c788c4d32da2f7d71ab10b205e53bfddfdbaa91e70eb4beb79315bf90f4251e36f805c5b3183

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
4.5MB

MD5
a51219f296df503219660d805e27f091

SHA1
f86a5792aafb4391914916b97e33c53ef6ada427

SHA256
6c8a521277bfd8f96f37c951eb005ad68d7fe6989801025a34b5a2979ca8ee14

SHA512
681ef21b81ef8dfd265dc42cb8f6e5e00de84aed9d61abbbf0afe6bb25d074395176d5c9484b6f74cd4d63619a6af7dc02af04dde200d638313dd8609cf1beea

Download Submit