neconyd | 7dab809e526e284473e5a67bc1593314f11341536d1bf7986ed9f96a7bbac1ba

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2025 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe
Size

128KB
MD5

d75a04d6e629d317d8bd7881fc025ab7
SHA1

bb8c8cb41462a770ae9fbfa4b3eb88bd699a55a0
SHA256

7dab809e526e284473e5a67bc1593314f11341536d1bf7986ed9f96a7bbac1ba
SHA512

faf3b545beeef1d2379ac8b1ddb9bed4adee3b1f0c4dc0c49b07a0cbdd6889dd3f30d7124b61a012058d3d0fb4b50210ac031e6a19df05ecb365ad3bde89cfde
SSDEEP

1536:wDfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:miRTe3n8BMAW6J6f1tqF6dngNmaZrN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Downloads MZ/PE file 1 IoCs

flow	pid	Process
21	3460	Process not Found

Executes dropped EXE 6 IoCs

pid	Process
3536	omsecor.exe
1756	omsecor.exe
388	omsecor.exe
2068	omsecor.exe
4272	omsecor.exe
1432	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 1644	4424	JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe	88
PID 3536 set thread context of 1756	3536	omsecor.exe	91
PID 388 set thread context of 2068	388	omsecor.exe	106
PID 4272 set thread context of 1432	4272	omsecor.exe	110

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4592	4424	WerFault.exe	87
2456	3536	WerFault.exe	90
4076	388	WerFault.exe	105
5052	4272	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4836	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 1644	4424	JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe	88
PID 4424 wrote to memory of 1644	4424	JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe	88
PID 4424 wrote to memory of 1644	4424	JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe	88
PID 4424 wrote to memory of 1644	4424	JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe	88
PID 4424 wrote to memory of 1644	4424	JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe	88
PID 1644 wrote to memory of 3536	1644	JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe	90
PID 1644 wrote to memory of 3536	1644	JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe	90
PID 1644 wrote to memory of 3536	1644	JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe	90
PID 3536 wrote to memory of 1756	3536	omsecor.exe	91
PID 3536 wrote to memory of 1756	3536	omsecor.exe	91
PID 3536 wrote to memory of 1756	3536	omsecor.exe	91
PID 3536 wrote to memory of 1756	3536	omsecor.exe	91
PID 3536 wrote to memory of 1756	3536	omsecor.exe	91
PID 1756 wrote to memory of 388	1756	omsecor.exe	105
PID 1756 wrote to memory of 388	1756	omsecor.exe	105
PID 1756 wrote to memory of 388	1756	omsecor.exe	105
PID 388 wrote to memory of 2068	388	omsecor.exe	106
PID 388 wrote to memory of 2068	388	omsecor.exe	106
PID 388 wrote to memory of 2068	388	omsecor.exe	106
PID 388 wrote to memory of 2068	388	omsecor.exe	106
PID 388 wrote to memory of 2068	388	omsecor.exe	106
PID 2068 wrote to memory of 4272	2068	omsecor.exe	108
PID 2068 wrote to memory of 4272	2068	omsecor.exe	108
PID 2068 wrote to memory of 4272	2068	omsecor.exe	108
PID 4272 wrote to memory of 1432	4272	omsecor.exe	110
PID 4272 wrote to memory of 1432	4272	omsecor.exe	110
PID 4272 wrote to memory of 1432	4272	omsecor.exe	110
PID 4272 wrote to memory of 1432	4272	omsecor.exe	110
PID 4272 wrote to memory of 1432	4272	omsecor.exe	110

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d75a04d6e629d317d8bd7881fc025ab7.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:388
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 268
        8⤵
        Program crash
        
        PID:5052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 296
        6⤵
        Program crash
        
        PID:4076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 300
      4⤵
      Program crash
      PID:2456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 288
  2⤵
  - Program crash
  PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4424 -ip 4424
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3536 -ip 3536
1⤵
PID:1108

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTM4QzM4QUQtQ0YzRi00QjJFLTgzQUEtODMxRUE1NzI5ODVEfSIgdXNlcmlkPSJ7MjFDQ0MwMEUtOTZENi00RUU3LUJDMEItOURFNDAyMzlGQTM4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NkE0MzNGMDQtNEU4OC00QUExLUI2MjQtMDc2OTMzNTc5NTgwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDI0NzY2MTIwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 388 -ip 388
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4272 -ip 4272
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
69198f6b94b7c939053beed0d3c373ee

SHA1
201cb2045dd54ac2554bb1f9110b220781c18d00

SHA256
885debc51399bce3305bf455c93ec5122b87ce16614f6a835accd37dd39abd48

SHA512
7dd5b6061d367ba56abc664db26ea344fd55bbec58140df1d192c366d5509d7d144ad0fd3f1202967ddf165dae2f9d204225e145e39bd2a971c8f00af0e5019f

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
0574c91919f8b2c331e93072d285e8f3

SHA1
b53cf7c23014a4f17cbc2dcb2f2c7e84f0d572fe

SHA256
a30d15420b7656e8cc90a56b59987e99956d6eb360b2f5ccf1250c170ad4a57f

SHA512
1f8fdf59df5142579670518309b48662ffbd34e7db67ae5a5edbc1df759066079da0cbe86e93d05a5a5203b8b9a701f958c3954b7ef3d243dbb68989047d4add

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
7c2c79a67b517144bbb8a78c7aef4717

SHA1
464e7b86f11748d4dfcb1aeb8b8e54d97139cf4d

SHA256
5ad2889661217012e9d564d32370e32802d92e72ccc1ef63e78e3f4757824805

SHA512
c451315ebd685e863c0ac274060666bd2059f8a543e2d9a41ba0a8d9ddad6de98e68d71500dd1a242cee79a10e16b5eaca0bf381d7908b7a82b9a50e500eb863

Download Submit
memory/1432-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1432-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1432-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1644-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1644-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1644-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1644-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2068-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2068-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download