neconyd | 17dd470b4ff2e09377b070b8211f593f79df12a357e9d53c6292fe29e7746a30

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe
Size

3.2MB
MD5

dd1c7f90a6b29a3382d22f85733911af
SHA1

52ca9a18b76cde78902e48464f494454c108b8d3
SHA256

17dd470b4ff2e09377b070b8211f593f79df12a357e9d53c6292fe29e7746a30
SHA512

84a9c1550c59a7ecad9e923e4e3c0621797512814f244bca2bf029b62893dd431e49323ea050ee314ab90bdfd110c9739c3730d5a30a377cbfaf342eaf107be9
SSDEEP

24576:xOsfW+/6oTFwh3Qh3YZrxEu8CL7W2Y7TjtWDlp5DB:k6W+TFq6IZj8N2Y7T5GF

Score

10^/10

neconyd discovery trojan

Malware Config

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2700	omsecor.exe
1416	omsecor.exe
1908	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2412	JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe
2412	JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe
2700	omsecor.exe
2700	omsecor.exe
1416	omsecor.exe
1416	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2700	2412	JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe	30
PID 2412 wrote to memory of 2700	2412	JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe	30
PID 2412 wrote to memory of 2700	2412	JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe	30
PID 2412 wrote to memory of 2700	2412	JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe	30
PID 2700 wrote to memory of 1416	2700	omsecor.exe	33
PID 2700 wrote to memory of 1416	2700	omsecor.exe	33
PID 2700 wrote to memory of 1416	2700	omsecor.exe	33
PID 2700 wrote to memory of 1416	2700	omsecor.exe	33
PID 1416 wrote to memory of 1908	1416	omsecor.exe	34
PID 1416 wrote to memory of 1908	1416	omsecor.exe	34
PID 1416 wrote to memory of 1908	1416	omsecor.exe	34
PID 1416 wrote to memory of 1908	1416	omsecor.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
3.2MB

MD5
1b28cd9efa94a3461393a3224bbc0721

SHA1
80e6676a3443b04c4a55674dc6418105d8ced88c

SHA256
42a407092634ddafb86bbd5afe40bf4aee40f3e1f23ddedf6443b8db68d337d6

SHA512
3ccf2b3038f0e60dc4e7927ed6ab9523888c58d108698625985a73be34b8cce5b7351f0cd133412fd62617a83627a59bd0a1d5298e2c5435cb2f1377dd342439

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
3.2MB

MD5
02a0078487ec217be7a131995ecc8b27

SHA1
c54577d183da163ec74829032036e2013ee47901

SHA256
e2e55b1d56126ce63f2619e6ee63da2d946450b519d8bcdda3271c022fd8d91a

SHA512
d59aae675538b614486bd88d58365214d6ee8c901408be100e0fc687fe8f2ecafd133a0569400ac175273c1248d293324291db341229ee7d4aae0bcc2ce65b49

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
3.2MB

MD5
289c77f4c519b326d763aa3d091a0c9e

SHA1
5013afaf9cd441dc9e8454e8d5c57415e351a2fa

SHA256
3f169bead450b4c38464f3f2d01494e5585cdcf4376568381495a9b0eb713c6e

SHA512
26e42b1da3fe33a5ab3c6ea33dc34a6df8bd515388895565dd5530e65d589032388a49bd68523345adcdf1100131f007945d109ce97197e1bc37901dc22dbbda

Download Submit