neconyd | 80bc785db01bf1399053f97e4f8bf368c2c177be243c33bccd2091df55ae2e52

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2025, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe
Size

128KB
MD5

0ff481dcf160a2df65900a40f319a840
SHA1

ce00bb90c9b36333b521981a7a03ac01a21be2d3
SHA256

80bc785db01bf1399053f97e4f8bf368c2c177be243c33bccd2091df55ae2e52
SHA512

e1d02bfcb7a53097439dd519804fed1fa7efab881ba56470daaf8b2b66ef1204d72b1e4feec77506a080b197c58a53626e9ae7a320c756d933f94831e8731c45
SSDEEP

1536:3DfDbhERTatPLTLLbC+8BMNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabau:TiRTe3n8BMAW6J6f1tqF6dngNmaZrN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
4980	omsecor.exe
3712	omsecor.exe
4784	omsecor.exe
4968	omsecor.exe
4864	omsecor.exe
2216	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 540	1976	JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe	84
PID 4980 set thread context of 3712	4980	omsecor.exe	89
PID 4784 set thread context of 4968	4784	omsecor.exe	102
PID 4864 set thread context of 2216	4864	omsecor.exe	106

Program crash 4 IoCs

pid	pid_target	Process	procid_target
880	1976	WerFault.exe	82
1596	4980	WerFault.exe	87
4668	4784	WerFault.exe	101
4304	4864	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 540	1976	JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe	84
PID 1976 wrote to memory of 540	1976	JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe	84
PID 1976 wrote to memory of 540	1976	JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe	84
PID 1976 wrote to memory of 540	1976	JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe	84
PID 1976 wrote to memory of 540	1976	JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe	84
PID 540 wrote to memory of 4980	540	JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe	87
PID 540 wrote to memory of 4980	540	JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe	87
PID 540 wrote to memory of 4980	540	JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe	87
PID 4980 wrote to memory of 3712	4980	omsecor.exe	89
PID 4980 wrote to memory of 3712	4980	omsecor.exe	89
PID 4980 wrote to memory of 3712	4980	omsecor.exe	89
PID 4980 wrote to memory of 3712	4980	omsecor.exe	89
PID 4980 wrote to memory of 3712	4980	omsecor.exe	89
PID 3712 wrote to memory of 4784	3712	omsecor.exe	101
PID 3712 wrote to memory of 4784	3712	omsecor.exe	101
PID 3712 wrote to memory of 4784	3712	omsecor.exe	101
PID 4784 wrote to memory of 4968	4784	omsecor.exe	102
PID 4784 wrote to memory of 4968	4784	omsecor.exe	102
PID 4784 wrote to memory of 4968	4784	omsecor.exe	102
PID 4784 wrote to memory of 4968	4784	omsecor.exe	102
PID 4784 wrote to memory of 4968	4784	omsecor.exe	102
PID 4968 wrote to memory of 4864	4968	omsecor.exe	104
PID 4968 wrote to memory of 4864	4968	omsecor.exe	104
PID 4968 wrote to memory of 4864	4968	omsecor.exe	104
PID 4864 wrote to memory of 2216	4864	omsecor.exe	106
PID 4864 wrote to memory of 2216	4864	omsecor.exe	106
PID 4864 wrote to memory of 2216	4864	omsecor.exe	106
PID 4864 wrote to memory of 2216	4864	omsecor.exe	106
PID 4864 wrote to memory of 2216	4864	omsecor.exe	106

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ff481dcf160a2df65900a40f319a840.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4784
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 256
        8⤵
        Program crash
        
        PID:4304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 292
        6⤵
        Program crash
        
        PID:4668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 300
      4⤵
      Program crash
      PID:1596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 288
  2⤵
  - Program crash
  PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1976 -ip 1976
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4980 -ip 4980
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4784 -ip 4784
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4864 -ip 4864
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
7a7bb76d01200299e0ea69687914adb4

SHA1
ea6848b8c7aff0be3210399cd2a3b04cf8fc2720

SHA256
dd18a0d5bd3d990dae7f40dde9560a27f597cdfb53365de162884cb6886f1528

SHA512
28886e42fb1168e5a709ca29a1316f0e30c33c23c12a56d8f7466fe52a6b60d0ef313327724d6ec4d63416369c5a8811ce79c9debaea9192d0fecf62b68c2bbb

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
128KB

MD5
699b7e32ee24d42e3e97ba04e7fc359e

SHA1
692a38a2828082f9b7812f68cb25e96e4d51cb84

SHA256
79246c4fbc60e30b670f872e3f0bb61d3ba7c207491e0bc95d22373e8ba94345

SHA512
1b86a5edf644617bb8790e9874a11f7e86dbac939b0d3b6299e4955540f79914c08bf74bc814ca9ae5816ff445bc84ae6e3b4c783bd080125023a2b0cd0002cb

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
128KB

MD5
095bed8a69b2a36bddaa7f5d85eae3fe

SHA1
fdb7a2a77454a81e6f6019155f37053e104c16cc

SHA256
1e7ecae9c1c57db8441fb6b2068875515ba186427eaa9b01d4713e7f1d377965

SHA512
e16e4d0316c382ffb1baf8bf2e86bf5b51e3eb889df8b542008de01d7dd92dca453ca3b290ff5b151583490a38d0e3b893dc930926d811944e7dd5539d6c0115

Download Submit
memory/540-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-4-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/540-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-46-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2216-42-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3712-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3712-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3712-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3712-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3712-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3712-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3712-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4968-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4968-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4968-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download