neconyd | 79639b0743995a6c0fb3d2a72f0a2a76caa93f873c4d039302ebdedb2caa0d3c

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe
Size

4.5MB
MD5

c0c6aaca06744fed38355f2ea9907e25
SHA1

2ba6a1ee20ffa94a59bfd47510683f460436f96a
SHA256

79639b0743995a6c0fb3d2a72f0a2a76caa93f873c4d039302ebdedb2caa0d3c
SHA512

d84117736bff8706c32b85bc0a6acc05753eb36f90909f92e164d57d3b8fac4f2fa40d79c5bc68c941ed68359db3cadcbae16c0381cf174950c9e50dd1506a79
SSDEEP

24576:T9Z9yn0hTZrIbAEu8CkB7mA5yupIIKQS9YRXT8HU/ny5U5DB:BKnuTZh8JUUyJCS9CXT8Enys

Score

10^/10

neconyd discovery trojan

Malware Config

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 2 IoCs

pid	Process
2888	omsecor.exe
1924	omsecor.exe

Loads dropped DLL 4 IoCs

pid	Process
2692	JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe
2692	JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe
2888	omsecor.exe
2888	omsecor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe
File opened for modification	C:\Windows\SysWOW64\merocz.xc6	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2888	2692	JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe	30
PID 2692 wrote to memory of 2888	2692	JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe	30
PID 2692 wrote to memory of 2888	2692	JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe	30
PID 2692 wrote to memory of 2888	2692	JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe	30
PID 2888 wrote to memory of 1924	2888	omsecor.exe	33
PID 2888 wrote to memory of 1924	2888	omsecor.exe	33
PID 2888 wrote to memory of 1924	2888	omsecor.exe	33
PID 2888 wrote to memory of 1924	2888	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
4.5MB

MD5
3eee4518d72fdeb7995ce6db6effc613

SHA1
0bf10d35cea2890a05007c773565c72e8b3714f0

SHA256
c0fafc49aeb27eb60b9d78479ed438e840d644b97dd0715371a08d3ac093ea37

SHA512
e2971a404ff36a869b48cc7ab7b450b1515cb1d9419f312530a2ef95abac6749aa7085ecb132d2b705366bf1b96ba24127bd68b01ae400c3cb5671da1ad51db8

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
4.5MB

MD5
7058d8f1ee9f9bdf8e4ee61fb35dd72b

SHA1
5fe2e16966ddb43d44e9ebc6fe5cfcab2b796ef8

SHA256
c24c37578a29f047ebd5842b6f558416c36d47359e3e315b93d6b178bce38efa

SHA512
5a8a88e54df710eba3f44cafe3e9beaad3bbf45f19210d8a3a0e70a4a4910c6e35424de21321e4ca51e9eaa36572f2d3696276b3a65a2e49cbd486e34f37e478

Download Submit