neconyd | b855bce10c0efd4998e88e95f6bfa4a2f6088c7c5b1befadcff2bb2045f159c7

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe
Size

4.5MB
MD5

5fac49ff6aad7f6a8291851580bffe9b
SHA1

dfb3036a845cc2ddaa62d3566976b2656ba44725
SHA256

b855bce10c0efd4998e88e95f6bfa4a2f6088c7c5b1befadcff2bb2045f159c7
SHA512

25148871e7c04f25065194b0b227219f27a49eb91f0add5e58e5a8c6f6b0e5dbfcf53e439c297f7726e90ca4523930caa0ef74406c4b0dcf1461bb1302cad876
SSDEEP

24576:99Z9yn0hTZrIbAEu8CkB7mA5yupIIKQS9YRXT8HU/ny5U5DB:DKnuTZh8JUUyJCS9CXT8Enys

Score

10^/10

neconyd discovery trojan

Malware Config

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
1664	omsecor.exe
2200	omsecor.exe
1588	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2372	JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe
2372	JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe
1664	omsecor.exe
1664	omsecor.exe
2200	omsecor.exe
2200	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1664	2372	JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe	30
PID 2372 wrote to memory of 1664	2372	JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe	30
PID 2372 wrote to memory of 1664	2372	JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe	30
PID 2372 wrote to memory of 1664	2372	JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe	30
PID 1664 wrote to memory of 2200	1664	omsecor.exe	33
PID 1664 wrote to memory of 2200	1664	omsecor.exe	33
PID 1664 wrote to memory of 2200	1664	omsecor.exe	33
PID 1664 wrote to memory of 2200	1664	omsecor.exe	33
PID 2200 wrote to memory of 1588	2200	omsecor.exe	34
PID 2200 wrote to memory of 1588	2200	omsecor.exe	34
PID 2200 wrote to memory of 1588	2200	omsecor.exe	34
PID 2200 wrote to memory of 1588	2200	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fac49ff6aad7f6a8291851580bffe9b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
4.5MB

MD5
6874cdda0a0ead79319c79be31da05f1

SHA1
0db244550a33fb4c7f4f1c8224d4bafb75ca92a4

SHA256
a9f77caddb6101cc4211d0b1324c14b9e3c02970b125f1870d048ee4f94772b7

SHA512
2ea3e3ddf2797c78994085f1238acb7c419cc5caa11ae5b83ccbd7e7adfae152682bab02dd52ad7391ca29d2c4744cca4c85740a9edc6f6d7c9e91a2d6b00353

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
4.5MB

MD5
d459827bffaeeb0c9d80c47c4f926a0c

SHA1
62d232e1030e84a22d32f9b3664ebe2a05f05dce

SHA256
12e82b48d63b7ed5d8b8ceeebe26ab512a0e7dfa3d584a6d4e7438ba1b05c436

SHA512
94df6bbddcae79da93587d08e24bd3437747661c812eb314f569f7e33db453b5fa33239cc619914e470e9f02fe7e3baf85fd53756470a39321853a25c4d981d5

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
4.5MB

MD5
78682b2002c0e2720d1d256f6d6c31af

SHA1
9943cc5f6911978a0070a2e64114d0d2424540e5

SHA256
83e6a34dcc11e82e5cfeb6c1572fc76ead86c80257a060b31b438fcd81fc57f0

SHA512
40e7723cc862be27fb9b6f4e1f4d82ef325329c3d2c2ba308970c33be7eeaca87142ea039cf89a81c3124f5df8d3f01df6799a5ee111467802ebefa775637ba1

Download Submit