neconyd | 3291b6711f33d62a65b868363465c75c38dc19df4e3bfc47921d1717516d3589

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe
Size

63KB
MD5

87cbfd346ff998f68e9a68598c5e58b6
SHA1

dfc65a423659c6b76e3fa5eff80117415cf2ec73
SHA256

3291b6711f33d62a65b868363465c75c38dc19df4e3bfc47921d1717516d3589
SHA512

e82acbeb0654ed3f6fb8a0a2caaccbe46204cc5c0745acbc6eb522e0a8df3ff1fa6395591007980f99599f5770c4e756d9043570beaea4ad4e9bf308dd7b488e
SSDEEP

768:4fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:4fbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2096	omsecor.exe
2148	omsecor.exe
2628	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3036	JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe
3036	JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe
2096	omsecor.exe
2096	omsecor.exe
2148	omsecor.exe
2148	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2096	3036	JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe	30
PID 3036 wrote to memory of 2096	3036	JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe	30
PID 3036 wrote to memory of 2096	3036	JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe	30
PID 3036 wrote to memory of 2096	3036	JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe	30
PID 2096 wrote to memory of 2148	2096	omsecor.exe	33
PID 2096 wrote to memory of 2148	2096	omsecor.exe	33
PID 2096 wrote to memory of 2148	2096	omsecor.exe	33
PID 2096 wrote to memory of 2148	2096	omsecor.exe	33
PID 2148 wrote to memory of 2628	2148	omsecor.exe	34
PID 2148 wrote to memory of 2628	2148	omsecor.exe	34
PID 2148 wrote to memory of 2628	2148	omsecor.exe	34
PID 2148 wrote to memory of 2628	2148	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
10af5618e01258103399f50a0c3fad98

SHA1
9832d6767e42ffdbfeada147d83b45d1202878fc

SHA256
1097563adb35b973908a7fdfc333ddf8a8b5430811b3eaed9d62f3d7d2aecac1

SHA512
bbc342c0cab6d685d69c162f30d873043c8ca38bba12207a1f62aea3acc95bf11586f29f6559a9d5c733c26ecd9592dbdef213654acb30830b4bbd38832b93bd

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
ee09fc1e17418c8dfaa4a89284d1ca20

SHA1
beddb9e854ba30b92daac4a067f1aab307cf9d21

SHA256
e78a1624966d5781486856c27e0f9cdef3a84fc38a4587692a38890ecfc6ab7f

SHA512
36f08e2096096f0d9403b14978ef7b16a0e069ff33188745106c14621f1ac0f6da04ae4a7a11e863252e15152efd67a91f9a55e43d172ba472a8d6c822f85420

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
63KB

MD5
919565f0dfad7ee6e8a1378e29bb3518

SHA1
a659a0b95b00060f93cff413296a9708bcc8e35f

SHA256
a6eb2ee800f11479c85fd898283f8ccb11f8c97a94c048a9b0aa67b53378704e

SHA512
7d0fd8c53cec13a85262d7f5126cfceb43f4f6528c0791496bdaa28d72020c123e1d603408320844a6733ae2698b7d00e54080d5871bc0821aa57268c53e1295

Download Submit