neconyd | eaf6b62336fb0087a36c29a5a2f98d7886c45ce2e99376a81da3b8a4d5deba0a

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c90e59329520071d148b508be0bcc306.exe
Size

63KB
MD5

c90e59329520071d148b508be0bcc306
SHA1

93ae2114bc68f0551adc58cf7f69c88834f68cd3
SHA256

eaf6b62336fb0087a36c29a5a2f98d7886c45ce2e99376a81da3b8a4d5deba0a
SHA512

d0303eee7dc77d8030b10b34e23d5f3a1c3a238ec0e21c551e301910f07c3a7ce39fa3f2dcca21dba85af8a064cafafcafefd80a0a235ea03827668865416230
SSDEEP

1536:ld9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZTl/5:NdseIOMEZEyFjEOFqTiQm5l/5

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
3340	omsecor.exe
2428	omsecor.exe
4024	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c90e59329520071d148b508be0bcc306.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 3340	1700	JaffaCakes118_c90e59329520071d148b508be0bcc306.exe	83
PID 1700 wrote to memory of 3340	1700	JaffaCakes118_c90e59329520071d148b508be0bcc306.exe	83
PID 1700 wrote to memory of 3340	1700	JaffaCakes118_c90e59329520071d148b508be0bcc306.exe	83
PID 3340 wrote to memory of 2428	3340	omsecor.exe	100
PID 3340 wrote to memory of 2428	3340	omsecor.exe	100
PID 3340 wrote to memory of 2428	3340	omsecor.exe	100
PID 2428 wrote to memory of 4024	2428	omsecor.exe	101
PID 2428 wrote to memory of 4024	2428	omsecor.exe	101
PID 2428 wrote to memory of 4024	2428	omsecor.exe	101

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c90e59329520071d148b508be0bcc306.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c90e59329520071d148b508be0bcc306.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
37cd2716f15d6bb26645309629a4e294

SHA1
acba689b41e27140c2be02b9f0542e3979891286

SHA256
69ccb342ce552ddbb54e8b58bf850d1e9abad12254a487bbd7c6d508544b7341

SHA512
923ce9d099b6d2c74f6dd443980bae5fc50ec2abf8567c6f99d852be6d36b958dacd391a3d123685ca530740e490242d80978a2ca388ad5e76caf27854073722

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
63KB

MD5
191af92006a6c7814e91d3b35fca1875

SHA1
2919b09f40e0b7d70b08442c58a9b8b317335ceb

SHA256
047a4607c660947025fbc032540216c5547d158fa74c445eff7833fce462a89c

SHA512
084282881dfafa06d36efd0ed52ac1ea8e4e0d5b4be84f63ac719920b9658d7185a559e12911bf6ccef104353597cf367a7ab6c6f9b2532d21a38e514448db56

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
63KB

MD5
5257ba6eed97be3e0f693b3c8a268f7b

SHA1
5c070e9838eca85fc5597908d58f524b0b669b94

SHA256
d9165f839d870457efb0263afea4f00d8bdb06d61b8288817c62fe9912a3f598

SHA512
361f6dceba6a4ea0a6563ff1acd0c1429683f789549984627e39ce8abcc550630a22a14bd255367045d98ad1e00426548fb4a7c0301528238e5319dff6d4f441

Download Submit