neconyd | 3291b6711f33d62a65b868363465c75c38dc19df4e3bfc47921d1717516d3589

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe
Size

63KB
MD5

87cbfd346ff998f68e9a68598c5e58b6
SHA1

dfc65a423659c6b76e3fa5eff80117415cf2ec73
SHA256

3291b6711f33d62a65b868363465c75c38dc19df4e3bfc47921d1717516d3589
SHA512

e82acbeb0654ed3f6fb8a0a2caaccbe46204cc5c0745acbc6eb522e0a8df3ff1fa6395591007980f99599f5770c4e756d9043570beaea4ad4e9bf308dd7b488e
SSDEEP

768:4fMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:4fbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
116	omsecor.exe
3748	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 116	2596	JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe	83
PID 2596 wrote to memory of 116	2596	JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe	83
PID 2596 wrote to memory of 116	2596	JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe	83
PID 116 wrote to memory of 3748	116	omsecor.exe	101
PID 116 wrote to memory of 3748	116	omsecor.exe	101
PID 116 wrote to memory of 3748	116	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87cbfd346ff998f68e9a68598c5e58b6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
10af5618e01258103399f50a0c3fad98

SHA1
9832d6767e42ffdbfeada147d83b45d1202878fc

SHA256
1097563adb35b973908a7fdfc333ddf8a8b5430811b3eaed9d62f3d7d2aecac1

SHA512
bbc342c0cab6d685d69c162f30d873043c8ca38bba12207a1f62aea3acc95bf11586f29f6559a9d5c733c26ecd9592dbdef213654acb30830b4bbd38832b93bd

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
63KB

MD5
c6c8673eb90aa22e65d853c202e291d3

SHA1
2e1f91016e4f50035c3a39d4cac2aed27b77979c

SHA256
4dc8d8c94efaf1d9ea9b79add29650c1ee60d813d7744d72007ef62f9ed1f8ab

SHA512
6fd86e2265243b62e5288c568c95c259ce571d0baf693a71873fbc5c29a6c9b1722fedfb82df94ab78172e0cef81a3c70c08bfa6c746e50207e3d53a27e6bba6

Download Submit