neconyd | 4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe
Size

128KB
MD5

76ad31e7dce644b164e65c0c7df81ca0
SHA1

c7b06b97713a22f6206cd3361f54559c6b0470a7
SHA256

4ff84a7908469411f80cba8703cde97010761dba00a818a6b8add28115945cf8
SHA512

e8048b5b820ce897d8fbab00fdd86d51c661aa23e86928912ce69d730fb5a83b2476dd6a3c34e9f252ec3bab0d3a4b3471bc8409a5076e82694fcf26e5c82cc7
SSDEEP

1536:8DfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:iiRTe3n8BMAW6J6f1tqF6dngNmaZrN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4948	omsecor.exe
2664	omsecor.exe
2480	omsecor.exe
1840	omsecor.exe
3496	omsecor.exe
2880	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4312 set thread context of 600	4312	JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe	84
PID 4948 set thread context of 2664	4948	omsecor.exe	89
PID 2480 set thread context of 1840	2480	omsecor.exe	102
PID 3496 set thread context of 2880	3496	omsecor.exe	106

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2984	4312	WerFault.exe	83
1848	4948	WerFault.exe	86
1188	2480	WerFault.exe	101
1164	3496	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 600	4312	JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe	84
PID 4312 wrote to memory of 600	4312	JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe	84
PID 4312 wrote to memory of 600	4312	JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe	84
PID 4312 wrote to memory of 600	4312	JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe	84
PID 4312 wrote to memory of 600	4312	JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe	84
PID 600 wrote to memory of 4948	600	JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe	86
PID 600 wrote to memory of 4948	600	JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe	86
PID 600 wrote to memory of 4948	600	JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe	86
PID 4948 wrote to memory of 2664	4948	omsecor.exe	89
PID 4948 wrote to memory of 2664	4948	omsecor.exe	89
PID 4948 wrote to memory of 2664	4948	omsecor.exe	89
PID 4948 wrote to memory of 2664	4948	omsecor.exe	89
PID 4948 wrote to memory of 2664	4948	omsecor.exe	89
PID 2664 wrote to memory of 2480	2664	omsecor.exe	101
PID 2664 wrote to memory of 2480	2664	omsecor.exe	101
PID 2664 wrote to memory of 2480	2664	omsecor.exe	101
PID 2480 wrote to memory of 1840	2480	omsecor.exe	102
PID 2480 wrote to memory of 1840	2480	omsecor.exe	102
PID 2480 wrote to memory of 1840	2480	omsecor.exe	102
PID 2480 wrote to memory of 1840	2480	omsecor.exe	102
PID 2480 wrote to memory of 1840	2480	omsecor.exe	102
PID 1840 wrote to memory of 3496	1840	omsecor.exe	104
PID 1840 wrote to memory of 3496	1840	omsecor.exe	104
PID 1840 wrote to memory of 3496	1840	omsecor.exe	104
PID 3496 wrote to memory of 2880	3496	omsecor.exe	106
PID 3496 wrote to memory of 2880	3496	omsecor.exe	106
PID 3496 wrote to memory of 2880	3496	omsecor.exe	106
PID 3496 wrote to memory of 2880	3496	omsecor.exe	106
PID 3496 wrote to memory of 2880	3496	omsecor.exe	106

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76ad31e7dce644b164e65c0c7df81ca0.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 268
        8⤵
        Program crash
        
        PID:1164
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 296
        6⤵
        Program crash
        
        PID:1188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 300
      4⤵
      Program crash
      PID:1848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 300
  2⤵
  - Program crash
  PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4312 -ip 4312
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4948 -ip 4948
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2480 -ip 2480
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3496 -ip 3496
1⤵
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
04b326805e578f9bdc2c6dc8271a73c7

SHA1
30910384a94ee8856085fc7fa03eddb5d24b6ed4

SHA256
9215c04dd9b175f631eef727111b943d65eaff1f21672c0a3f411cfbe2cc5d63

SHA512
e170d40a6847baa3e1201af5bb1eddee009981e3bb2c64f6da77e21352baf2004a071b32a2a0abb4e013c0743c8b0c5ca29bec1f38a172313e75e8c1606b46ac

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
8cef9564016438cda60c98cf30783d48

SHA1
503fabbd1f6f8c57e9e19d1c02aa0c7e4f5c5b35

SHA256
5dbcb3b179c611851e56499e462f01b44c33916c7e76c561ba430c47ea815b42

SHA512
3b54f05228fd0fdcbd3afbf1ee0a8ccf13ca0393e6814eac75d4f3d37f72e4f3cfd91a90c777a82f7958cf9c64d26a8ddbdc5e2a4eef8aaa49a76dd2489a3425

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
9fbf34e94d8209cb177ff9e03d5c8f3c

SHA1
73adf95562443ff6dcc1066c09d6f9d1f50ff1a1

SHA256
856c9a45909f160defefa13f47af7cd1474734138663db187fa664f8b43ea97e

SHA512
a44e08384b2bb664f3614e836960a4c34dbc05216c05380b1ce357bcc0f3450698ae914492ade9a22542bc4d96a2c22610365b16fe2d616eb46d6135f5ebc0fc

Download Submit
memory/600-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/600-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/600-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/600-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1840-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1840-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1840-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2664-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-44-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download