neconyd | e9e940c2dd5ec66cc266277b63795515ecb626eb7cfd94cbb7f6186d0a44de56

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/01/2025, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6ee437ecf9155eea4f1169a58e9d9e6a.exe
Size

64KB
MD5

6ee437ecf9155eea4f1169a58e9d9e6a
SHA1

bfafbff53813fe7cba60a39c25680e7153b3fa26
SHA256

e9e940c2dd5ec66cc266277b63795515ecb626eb7cfd94cbb7f6186d0a44de56
SHA512

b1b4f75f6d194eab630b8ef414ed99818cea7e2a7d7201cd4ee62a6abaf8b982411060db4538f565080784d5082a7927bc6d311cd4846599f494eb0ebed3a87f
SSDEEP

1536:td9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:FdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2996	omsecor.exe
1996	omsecor.exe
1712	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2644	JaffaCakes118_6ee437ecf9155eea4f1169a58e9d9e6a.exe
2644	JaffaCakes118_6ee437ecf9155eea4f1169a58e9d9e6a.exe
2996	omsecor.exe
2996	omsecor.exe
1996	omsecor.exe
1996	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ee437ecf9155eea4f1169a58e9d9e6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2996	2644	JaffaCakes118_6ee437ecf9155eea4f1169a58e9d9e6a.exe	30
PID 2644 wrote to memory of 2996	2644	JaffaCakes118_6ee437ecf9155eea4f1169a58e9d9e6a.exe	30
PID 2644 wrote to memory of 2996	2644	JaffaCakes118_6ee437ecf9155eea4f1169a58e9d9e6a.exe	30
PID 2644 wrote to memory of 2996	2644	JaffaCakes118_6ee437ecf9155eea4f1169a58e9d9e6a.exe	30
PID 2996 wrote to memory of 1996	2996	omsecor.exe	33
PID 2996 wrote to memory of 1996	2996	omsecor.exe	33
PID 2996 wrote to memory of 1996	2996	omsecor.exe	33
PID 2996 wrote to memory of 1996	2996	omsecor.exe	33
PID 1996 wrote to memory of 1712	1996	omsecor.exe	34
PID 1996 wrote to memory of 1712	1996	omsecor.exe	34
PID 1996 wrote to memory of 1712	1996	omsecor.exe	34
PID 1996 wrote to memory of 1712	1996	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ee437ecf9155eea4f1169a58e9d9e6a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ee437ecf9155eea4f1169a58e9d9e6a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
916032dad8b994ed4afdc434267e07f9

SHA1
4f02a6c2981e421a903bdeaa439df53cef0bfa0e

SHA256
d484408ca7ee9696521ae90966af4ba361f1d719b4fca35ecf252d06e645f94f

SHA512
b6a67b448ba77636ca9a89225e61e1ff990b539c1ba750feeadc2a526de8aecce5f475282927e7e7b8280b3becd05f73f142a8e40b2de33f3f7528b603781e54

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
64KB

MD5
7d2d7e01aa807775eab6e5ca066db338

SHA1
e84ca341c11cc5f7a34eefb020736e8e1ea9aab3

SHA256
9ba44ea58733f3746da6069a6d20b0b69a2a3b61618ffbc7aba7d7add3cc3e0c

SHA512
1f63b611bb4fc00e1e4dfe48c21923bd2e64b9ac173b0a1556c91ee25ab56553626fbd091f8e6c85626566808f29ca51978f53c762255650889c3d7faee9e6ad

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
64KB

MD5
9ab40998094d2f2601135ba06091fdaf

SHA1
a6eb15e0d39813b46307c334c844597aea9b9b3c

SHA256
9ce31a7331fd81cf8e024570d05f624898feb5f60a517f5b1504e43c91677fa9

SHA512
319fab9c31c2ab3a32da270471c219048048c60862b8580a910aaf057b830f07c158a2ba6feec9c7128249f49326820923ef422967c7352139aa9397ca670cbb

Download Submit