neconyd | 17dd470b4ff2e09377b070b8211f593f79df12a357e9d53c6292fe29e7746a30

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe
Size

3.2MB
MD5

dd1c7f90a6b29a3382d22f85733911af
SHA1

52ca9a18b76cde78902e48464f494454c108b8d3
SHA256

17dd470b4ff2e09377b070b8211f593f79df12a357e9d53c6292fe29e7746a30
SHA512

84a9c1550c59a7ecad9e923e4e3c0621797512814f244bca2bf029b62893dd431e49323ea050ee314ab90bdfd110c9739c3730d5a30a377cbfaf342eaf107be9
SSDEEP

24576:xOsfW+/6oTFwh3Qh3YZrxEu8CL7W2Y7TjtWDlp5DB:k6W+TFq6IZj8N2Y7T5GF

Score

10^/10

neconyd discovery trojan

Malware Config

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2716	omsecor.exe
1084	omsecor.exe
3600	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2716	4720	JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe	82
PID 4720 wrote to memory of 2716	4720	JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe	82
PID 4720 wrote to memory of 2716	4720	JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe	82
PID 2716 wrote to memory of 1084	2716	omsecor.exe	92
PID 2716 wrote to memory of 1084	2716	omsecor.exe	92
PID 2716 wrote to memory of 1084	2716	omsecor.exe	92
PID 1084 wrote to memory of 3600	1084	omsecor.exe	93
PID 1084 wrote to memory of 3600	1084	omsecor.exe	93
PID 1084 wrote to memory of 3600	1084	omsecor.exe	93

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd1c7f90a6b29a3382d22f85733911af.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
3.2MB

MD5
cd6187f383432230701a20481d8d5722

SHA1
a0838d6d5abe026b7b85ecd21f924180174294fe

SHA256
28ed3fc36dbf74bb27c527d45784a9b2e065c3084cd0cb6c47d0f58b563535c9

SHA512
a8ff5b13fa25687ba0695b72fbb03429a5abdfd4f2451257469ef7b1859d43c7840c05af22fc5e27c65835e7bf13d5230ace5d4bf5a95e1bcdfec0f99d136be7

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
3.2MB

MD5
02a0078487ec217be7a131995ecc8b27

SHA1
c54577d183da163ec74829032036e2013ee47901

SHA256
e2e55b1d56126ce63f2619e6ee63da2d946450b519d8bcdda3271c022fd8d91a

SHA512
d59aae675538b614486bd88d58365214d6ee8c901408be100e0fc687fe8f2ecafd133a0569400ac175273c1248d293324291db341229ee7d4aae0bcc2ce65b49

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
3.2MB

MD5
afa80313355231dc3a2b2271e1e277a5

SHA1
ff9101acb0aacaba39ac18f869f6cda6188e5fe5

SHA256
4d47fddd55d72ae9e89f5236b24a3e1613f888407d47a66dde877c785e231484

SHA512
bbf6a6486d316086195b6799a402cf8a4cd9bee697d6d51278e4f25680536df78b60871cdcf3883d6bd58e7a391456130f0d3cb7137ac1af3d9ba21554d89159

Download Submit