neconyd | ddd6a75391502ac182b15d9849a21407661b4eb39b59be8d8c8cfe03d30874e0

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/01/2025, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
Size

62KB
MD5

c807e4d568a3952d5a02845923fc33fb
SHA1

cbbfb8fc34b748277f6915d8d6edc13d8d82d915
SHA256

ddd6a75391502ac182b15d9849a21407661b4eb39b59be8d8c8cfe03d30874e0
SHA512

da96bf66d357355a69d80a8df90c98087e57599b85d76f7c238d5fe7aa67287f2fca6d0be0df7647835af7a5039e31e37d7c13e5d1695740a52a67cd3bb0802e
SSDEEP

768:wMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:wbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2524	omsecor.exe
3024	omsecor.exe
1452	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2504	JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
2504	JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
2524	omsecor.exe
2524	omsecor.exe
3024	omsecor.exe
3024	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2524	2504	JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe	30
PID 2504 wrote to memory of 2524	2504	JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe	30
PID 2504 wrote to memory of 2524	2504	JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe	30
PID 2504 wrote to memory of 2524	2504	JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe	30
PID 2524 wrote to memory of 3024	2524	omsecor.exe	33
PID 2524 wrote to memory of 3024	2524	omsecor.exe	33
PID 2524 wrote to memory of 3024	2524	omsecor.exe	33
PID 2524 wrote to memory of 3024	2524	omsecor.exe	33
PID 3024 wrote to memory of 1452	3024	omsecor.exe	34
PID 3024 wrote to memory of 1452	3024	omsecor.exe	34
PID 3024 wrote to memory of 1452	3024	omsecor.exe	34
PID 3024 wrote to memory of 1452	3024	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
4821addee6464e71b2d178bb74c006e4

SHA1
4ac50a52d8e3e77b289b344c1e87f89c26be0ec5

SHA256
1988e801edffbf9b5a6c253c444723b1735ec7f7427c27841c995a0879392b27

SHA512
f395c94e01c756777ad3dce1f9f884e34bacdf07fd06c9568e05bf72b2a45cabda33adde26672d83b04194cfbe5b291a6c82a16eec183201408194684935010c

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
99298efe4c990cd0c717c3863005ba83

SHA1
8c76d3faf98519546fe066f36e230b1d4b82b26f

SHA256
e1bf6583916df405d20b5dec8f759fc5d36277398c2a87ef501e9091f11653a3

SHA512
355242d20ca20913f128e53cddd114599094e56697fa171592de4ee74e4ee9cce38527ab2d111b11a370de8abf3e1903d465b82fb5508cb67c94c47082523b02

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
62KB

MD5
94ea19efde454ab20a54cefcd8b2651a

SHA1
89c5ff1671f9d615b20c66aeda981bc08a51df78

SHA256
4e4cbbcd4fe83b9a2ac3eff71cd55dca7e55c513a3e75e4546f2ae35d236c1e0

SHA512
fa5495f9064914deed9b9157aa5f7d34a52ea62651c30c7f099ad174571008c508820008e246424acd1d436a744f1f90843f99411857393f7690ecfb5bfc2c1c

Download Submit