neconyd | 7c9e89c6d6226a5bbb0a4027211b230c847f293a3162d91841125bf0ad032ad9

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe
Size

4.5MB
MD5

436e36bd476b6662831dd96b96cd5c6a
SHA1

dd61328e0cab228cdb4462b721eb53714430c6d1
SHA256

7c9e89c6d6226a5bbb0a4027211b230c847f293a3162d91841125bf0ad032ad9
SHA512

7bbc4c3c96da786fff12ce04212f8aba415a7aa5926d3ce2e4b979ef062931f5e8b316a0b29659ababae3d6217914b461d58b2e6fadc986bf98550b712cd960a
SSDEEP

24576:u9Z9yn0hTZrIbAEu8CkB7mA5yupIIKQS9YRXT8HU/ny5U5DB:4KnuTZh8JUUyJCS9CXT8Enys

Score

10^/10

neconyd discovery trojan

Malware Config

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
4644	omsecor.exe
3404	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 4644	3864	JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe	84
PID 3864 wrote to memory of 4644	3864	JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe	84
PID 3864 wrote to memory of 4644	3864	JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe	84
PID 4644 wrote to memory of 3404	4644	omsecor.exe	102
PID 4644 wrote to memory of 3404	4644	omsecor.exe	102
PID 4644 wrote to memory of 3404	4644	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_436e36bd476b6662831dd96b96cd5c6a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
4.5MB

MD5
ae14e282af0d303303bb65adec9dcbfa

SHA1
5db04faef0a00f181d4cd9aae956911365c3d49f

SHA256
843b1aa44f06473ef7d7216d571fa917fda03828b8bee3b9c4e10d74cca77aa2

SHA512
2edd122b1e6dffeb1b9954df948a96e8b6bcd89a4084ae9412b7166d15f04e7b73aff2ad6b10f72d91da9dcb6fdedc03780b3ea96acee3db2222f32e1ee39632

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
4.5MB

MD5
5e392136d261dede09c0afabfb5b1427

SHA1
16d1b8676390e160d112d1db25848fe2f5e43f6c

SHA256
7bf503c83cf0c1cd8b104de412ae84f1225e5e050ab6c76f232ba40f8b908cfb

SHA512
b7dd0a0b1150964d42dd1b374c3969e0fa09bcbe61ad32a0111a284b7c980120b1a2fc40cca5bf519fcfbc51d65c06984689b24adabd87893c4b3231660a0b98

Download Submit