neconyd | eaf6b62336fb0087a36c29a5a2f98d7886c45ce2e99376a81da3b8a4d5deba0a

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-01-2025 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c90e59329520071d148b508be0bcc306.exe
Size

63KB
MD5

c90e59329520071d148b508be0bcc306
SHA1

93ae2114bc68f0551adc58cf7f69c88834f68cd3
SHA256

eaf6b62336fb0087a36c29a5a2f98d7886c45ce2e99376a81da3b8a4d5deba0a
SHA512

d0303eee7dc77d8030b10b34e23d5f3a1c3a238ec0e21c551e301910f07c3a7ce39fa3f2dcca21dba85af8a064cafafcafefd80a0a235ea03827668865416230
SSDEEP

1536:ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:NdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2660	omsecor.exe
2512	omsecor.exe
3016	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2240	JaffaCakes118_c90e59329520071d148b508be0bcc306.exe
2240	JaffaCakes118_c90e59329520071d148b508be0bcc306.exe
2660	omsecor.exe
2660	omsecor.exe
2512	omsecor.exe
2512	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c90e59329520071d148b508be0bcc306.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2660	2240	JaffaCakes118_c90e59329520071d148b508be0bcc306.exe	30
PID 2240 wrote to memory of 2660	2240	JaffaCakes118_c90e59329520071d148b508be0bcc306.exe	30
PID 2240 wrote to memory of 2660	2240	JaffaCakes118_c90e59329520071d148b508be0bcc306.exe	30
PID 2240 wrote to memory of 2660	2240	JaffaCakes118_c90e59329520071d148b508be0bcc306.exe	30
PID 2660 wrote to memory of 2512	2660	omsecor.exe	32
PID 2660 wrote to memory of 2512	2660	omsecor.exe	32
PID 2660 wrote to memory of 2512	2660	omsecor.exe	32
PID 2660 wrote to memory of 2512	2660	omsecor.exe	32
PID 2512 wrote to memory of 3016	2512	omsecor.exe	33
PID 2512 wrote to memory of 3016	2512	omsecor.exe	33
PID 2512 wrote to memory of 3016	2512	omsecor.exe	33
PID 2512 wrote to memory of 3016	2512	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c90e59329520071d148b508be0bcc306.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c90e59329520071d148b508be0bcc306.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
191af92006a6c7814e91d3b35fca1875

SHA1
2919b09f40e0b7d70b08442c58a9b8b317335ceb

SHA256
047a4607c660947025fbc032540216c5547d158fa74c445eff7833fce462a89c

SHA512
084282881dfafa06d36efd0ed52ac1ea8e4e0d5b4be84f63ac719920b9658d7185a559e12911bf6ccef104353597cf367a7ab6c6f9b2532d21a38e514448db56

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
99f00696c35eaa6d172529718e48bb8f

SHA1
25b8f027e98ae53e16eac54679312bab8d94c282

SHA256
ea04b3ce42b0b9e8eadbb4951f83805bda78a74a80ad2bf45e58542931e0c327

SHA512
9b5f848b166120c1cf0775905e27f8ed8d6f8cee6352cce4b1c0cf6892e54d72bd46830ca0a6f0752ac4c893c16668be9cd24ee970b95bfd03a5b69eb4a914cf

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
63KB

MD5
5839bceba859db97261c8ce284ce9c85

SHA1
2b744a92b073010d919bc86eac0ecef693793319

SHA256
ea62d4c23e0da25681d149c7a819f13b8b3a2c5e13b2a76a8810c0a818928e1d

SHA512
a53caaf53f685348ef008f24c190ca044e2c7e3e2755c72d7485cf0a674c1a8285497f77dfdd0b729dadf4baccc85ce65f30ec1e88405e59172a9d3a1411fc78

Download Submit