neconyd | 9a98a2728de2eea7db2532bbf8f79c6ec1dc6a120fe07103807b03434acedd84

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f8e19ff1e27a87d3624c6ce2da5b8bfe.exe
Size

3.2MB
MD5

f8e19ff1e27a87d3624c6ce2da5b8bfe
SHA1

da3602e58f5e6503b34dcd912a8f934d9fc329bd
SHA256

9a98a2728de2eea7db2532bbf8f79c6ec1dc6a120fe07103807b03434acedd84
SHA512

d4da0be9f66ba3771de6eab8b31e48e2468c25006d1e275292bef422fdd97afcc48162f040dd82e21d12b43396ced8fd13c038868ee4f729fa1777c5e26e734e
SSDEEP

24576:gOsfW+/6oTFwh3Qh3YZrxEu8CL7W2Y7TjtWDlp5DB:J6W+TFq6IZj8N2Y7T5GF

Score

10^/10

neconyd discovery trojan

Malware Config

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2156	omsecor.exe
1548	omsecor.exe
1708	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
3008	JaffaCakes118_f8e19ff1e27a87d3624c6ce2da5b8bfe.exe
3008	JaffaCakes118_f8e19ff1e27a87d3624c6ce2da5b8bfe.exe
2156	omsecor.exe
2156	omsecor.exe
1548	omsecor.exe
1548	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f8e19ff1e27a87d3624c6ce2da5b8bfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2156	3008	JaffaCakes118_f8e19ff1e27a87d3624c6ce2da5b8bfe.exe	31
PID 3008 wrote to memory of 2156	3008	JaffaCakes118_f8e19ff1e27a87d3624c6ce2da5b8bfe.exe	31
PID 3008 wrote to memory of 2156	3008	JaffaCakes118_f8e19ff1e27a87d3624c6ce2da5b8bfe.exe	31
PID 3008 wrote to memory of 2156	3008	JaffaCakes118_f8e19ff1e27a87d3624c6ce2da5b8bfe.exe	31
PID 2156 wrote to memory of 1548	2156	omsecor.exe	34
PID 2156 wrote to memory of 1548	2156	omsecor.exe	34
PID 2156 wrote to memory of 1548	2156	omsecor.exe	34
PID 2156 wrote to memory of 1548	2156	omsecor.exe	34
PID 1548 wrote to memory of 1708	1548	omsecor.exe	35
PID 1548 wrote to memory of 1708	1548	omsecor.exe	35
PID 1548 wrote to memory of 1708	1548	omsecor.exe	35
PID 1548 wrote to memory of 1708	1548	omsecor.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f8e19ff1e27a87d3624c6ce2da5b8bfe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f8e19ff1e27a87d3624c6ce2da5b8bfe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
3.2MB

MD5
9da60cdd2adb3718d3934ab44d336e16

SHA1
fe224debdfaadcfa1d69e5e8bb66e11f0ed4a6c3

SHA256
6ffe895cabe94fb3b5fe0368ce7e0726573eba71b73c86383a01f33bef4234e6

SHA512
783cc22e86c1f10177161b5cda634d1793289b453291b6ae35784ca1fe9ef79a3ba5686e3f62dd197052c6fd09a8f8e7530631f4eb89d63eed097228685be895

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
3.2MB

MD5
e20f9ed315067e3884b91aca5f9ddf07

SHA1
500de13f58dbbb6684f69a6844aff10d1ca967b5

SHA256
1caa034ff174fffe1f059af1de9907cb5b4258ed5773b5f396a2c482273cb923

SHA512
61830eb09c370f9caa0e815f502a767f4360573b783951ddf3781d1a50da0bfa0e4113dfc90632b3645580badb73c3c8861a510a56d25296f7eb0771dd314c05

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
3.2MB

MD5
82e2c4ba367926f4fb4f74f38ec2a788

SHA1
a0fb3b5641777926d4f007cf7bf4d0f86864083f

SHA256
cfb58c6c1a8b371f3da47d03730efa8db0f153f7b7ab93b6ef2d04568a04b1bc

SHA512
1df50cf1c97a7754a1ba28474ffb2f21d909fc28f729e515c0c9f52715376c451f7244360e7cb8f08f2f78bcac25c78a42889771073de9822b88e396140d95ed

Download Submit