neconyd | 79639b0743995a6c0fb3d2a72f0a2a76caa93f873c4d039302ebdedb2caa0d3c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe
Size

4.5MB
MD5

c0c6aaca06744fed38355f2ea9907e25
SHA1

2ba6a1ee20ffa94a59bfd47510683f460436f96a
SHA256

79639b0743995a6c0fb3d2a72f0a2a76caa93f873c4d039302ebdedb2caa0d3c
SHA512

d84117736bff8706c32b85bc0a6acc05753eb36f90909f92e164d57d3b8fac4f2fa40d79c5bc68c941ed68359db3cadcbae16c0381cf174950c9e50dd1506a79
SSDEEP

24576:T9Z9yn0hTZrIbAEu8CkB7mA5yupIIKQS9YRXT8HU/ny5U5DB:BKnuTZh8JUUyJCS9CXT8Enys

Score

10^/10

neconyd discovery trojan

Malware Config

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4852	omsecor.exe
4480	omsecor.exe
4768	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 4852	4720	JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe	82
PID 4720 wrote to memory of 4852	4720	JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe	82
PID 4720 wrote to memory of 4852	4720	JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe	82
PID 4852 wrote to memory of 4480	4852	omsecor.exe	92
PID 4852 wrote to memory of 4480	4852	omsecor.exe	92
PID 4852 wrote to memory of 4480	4852	omsecor.exe	92
PID 4480 wrote to memory of 4768	4480	omsecor.exe	93
PID 4480 wrote to memory of 4768	4480	omsecor.exe	93
PID 4480 wrote to memory of 4768	4480	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0c6aaca06744fed38355f2ea9907e25.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
4.5MB

MD5
3b3df8072f3d660985790057f4cb0fae

SHA1
73df993e67abea9a36f43fd36e4b854eefd3e9f4

SHA256
a43a8229a68d4555925b9e9ae2eedc58928fc6be0fa38ed440ecb8ec571a2c8a

SHA512
0bd418e1f170ec7b67c9fecaea5adb952d3bb0405e0e2ffd92c8c878444750d28b72a31b108037a80d6ff2736dae11371e05cebf3e877ae8cde9517239ac0aee

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
4.5MB

MD5
3eee4518d72fdeb7995ce6db6effc613

SHA1
0bf10d35cea2890a05007c773565c72e8b3714f0

SHA256
c0fafc49aeb27eb60b9d78479ed438e840d644b97dd0715371a08d3ac093ea37

SHA512
e2971a404ff36a869b48cc7ab7b450b1515cb1d9419f312530a2ef95abac6749aa7085ecb132d2b705366bf1b96ba24127bd68b01ae400c3cb5671da1ad51db8

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
4.5MB

MD5
3d6bc45fce604fe47a21c4709e47fe05

SHA1
e29ff8eb3fcda33b4e190b0a8413ee4b6412a2bf

SHA256
db48c2d59f18e04f674f43b8187913ba03776c0a7a434e52618e700c17674fc5

SHA512
dfa711a2e629606eed8e4efce256d78d9ff6048c0f6005da14b62226aecb64510367740008bf6eeaa93281bb9aa4200d344ba197df44500a1b4861af45d3b003

Download Submit