neconyd | ddd6a75391502ac182b15d9849a21407661b4eb39b59be8d8c8cfe03d30874e0

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
Size

62KB
MD5

c807e4d568a3952d5a02845923fc33fb
SHA1

cbbfb8fc34b748277f6915d8d6edc13d8d82d915
SHA256

ddd6a75391502ac182b15d9849a21407661b4eb39b59be8d8c8cfe03d30874e0
SHA512

da96bf66d357355a69d80a8df90c98087e57599b85d76f7c238d5fe7aa67287f2fca6d0be0df7647835af7a5039e31e37d7c13e5d1695740a52a67cd3bb0802e
SSDEEP

768:wMEIvFGvZEr8LFK0ic46N47eSdYAHwmZGp6JXXlaa5uA:wbIvYvZEyFKF6N4yS+AQmZTl/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
4292	omsecor.exe
1820	omsecor.exe
1264	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 4292	2320	JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe	83
PID 2320 wrote to memory of 4292	2320	JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe	83
PID 2320 wrote to memory of 4292	2320	JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe	83
PID 4292 wrote to memory of 1820	4292	omsecor.exe	101
PID 4292 wrote to memory of 1820	4292	omsecor.exe	101
PID 4292 wrote to memory of 1820	4292	omsecor.exe	101
PID 1820 wrote to memory of 1264	1820	omsecor.exe	102
PID 1820 wrote to memory of 1264	1820	omsecor.exe	102
PID 1820 wrote to memory of 1264	1820	omsecor.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c807e4d568a3952d5a02845923fc33fb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
687a28c76644efcd80a5f94de2be137d

SHA1
44514d4a419cc348cd775b7567507be6ba9e5d65

SHA256
a3b480c0aeef3e93ebf7aabdad3c5a4a31fca9e76be5661fa8561cba668e5573

SHA512
bd735a0b3187e1dc9a4909b49e5a14fed72b5e72538a12d0a567351f1195ab691c276a1932d95bbce5ef603e632ebbc05e4727546cf068197a63767ea2145112

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
62KB

MD5
4821addee6464e71b2d178bb74c006e4

SHA1
4ac50a52d8e3e77b289b344c1e87f89c26be0ec5

SHA256
1988e801edffbf9b5a6c253c444723b1735ec7f7427c27841c995a0879392b27

SHA512
f395c94e01c756777ad3dce1f9f884e34bacdf07fd06c9568e05bf72b2a45cabda33adde26672d83b04194cfbe5b291a6c82a16eec183201408194684935010c

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
62KB

MD5
955d296001bc9217ff404330e5c160e3

SHA1
3aa3152fa867236c61871a5501fd259920125ea2

SHA256
e4f7f91bb3992272cddbc53005e1c476f6e16abb8e22b5d5ee08b7da2d3f0d85

SHA512
e1469b1d4c869adfe427aec5128537c8b527eb233a56d537dbe46850bb017bdb4041306ea176706e155ec717490b5f1994783b715e3fe0b4b83d6c77d11a036a

Download Submit