neconyd | 906dcd9e68e33dc07c376c30eeddaa5aaaed6e1b176ed576ea45f0d34394d843

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

64b3c6da0b94cde086a7140c945d80a4
SHA1

03abdaa660be2c5361cde3a0d292ac0a22cce2e9
SHA256

906dcd9e68e33dc07c376c30eeddaa5aaaed6e1b176ed576ea45f0d34394d843
SHA512

1deb1435a767a2abe8a00a0d3421f0cd89a8d1220b1c405f75e33ebdbf0f5dafa277c13c9ebb83252e71e4794c30de77f80833e0cd4b0834a896cf2a92f1a177
SSDEEP

1536:pDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCif:ZiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3604	omsecor.exe
1076	omsecor.exe
224	omsecor.exe
1280	omsecor.exe
4984	omsecor.exe
2176	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3684 set thread context of 4700	3684	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 3604 set thread context of 1076	3604	omsecor.exe	90
PID 224 set thread context of 1280	224	omsecor.exe	119
PID 4984 set thread context of 2176	4984	omsecor.exe	122

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4264	3684	WerFault.exe	85
2144	3604	WerFault.exe	89
464	224	WerFault.exe	118
2904	4984	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 4700	3684	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 3684 wrote to memory of 4700	3684	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 3684 wrote to memory of 4700	3684	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 3684 wrote to memory of 4700	3684	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 3684 wrote to memory of 4700	3684	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 4700 wrote to memory of 3604	4700	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	89
PID 4700 wrote to memory of 3604	4700	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	89
PID 4700 wrote to memory of 3604	4700	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	89
PID 3604 wrote to memory of 1076	3604	omsecor.exe	90
PID 3604 wrote to memory of 1076	3604	omsecor.exe	90
PID 3604 wrote to memory of 1076	3604	omsecor.exe	90
PID 3604 wrote to memory of 1076	3604	omsecor.exe	90
PID 3604 wrote to memory of 1076	3604	omsecor.exe	90
PID 1076 wrote to memory of 224	1076	omsecor.exe	118
PID 1076 wrote to memory of 224	1076	omsecor.exe	118
PID 1076 wrote to memory of 224	1076	omsecor.exe	118
PID 224 wrote to memory of 1280	224	omsecor.exe	119
PID 224 wrote to memory of 1280	224	omsecor.exe	119
PID 224 wrote to memory of 1280	224	omsecor.exe	119
PID 224 wrote to memory of 1280	224	omsecor.exe	119
PID 224 wrote to memory of 1280	224	omsecor.exe	119
PID 1280 wrote to memory of 4984	1280	omsecor.exe	121
PID 1280 wrote to memory of 4984	1280	omsecor.exe	121
PID 1280 wrote to memory of 4984	1280	omsecor.exe	121
PID 4984 wrote to memory of 2176	4984	omsecor.exe	122
PID 4984 wrote to memory of 2176	4984	omsecor.exe	122
PID 4984 wrote to memory of 2176	4984	omsecor.exe	122
PID 4984 wrote to memory of 2176	4984	omsecor.exe	122
PID 4984 wrote to memory of 2176	4984	omsecor.exe	122

C:\Users\Admin\AppData\Local\Temp\2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 256
        8⤵
        Program crash
        
        PID:2904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 292
        6⤵
        Program crash
        
        PID:464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 296
      4⤵
      Program crash
      PID:2144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 304
  2⤵
  - Program crash
  PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3684 -ip 3684
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3604 -ip 3604
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 224 -ip 224
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4984 -ip 4984
1⤵
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
69111e41c56778c5b36dbbe7b30f681a

SHA1
03653f57a6dcfceaf458a4563f4cc33525fd051e

SHA256
c8d9932f84d25fac0707088522b1435883d28dce98f60c2d403a18dbc0557007

SHA512
451a824f8ffe5615b2ce6dccc489d02a1e7361b45e8d8d04e6c4bc5e9b5497826b03443e8d98e0a3642bf332abfc99cee2d64b66f93788651f4f211db9377ebb

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
de83d8b724f1e091a1659ce9be3381f5

SHA1
34b23a2b20822adaeb17ec77212f9c7287f3de06

SHA256
81cdeddd3e2e5add19a84ab6f9c59db3ba66cc320b48db1c57b0fcc489b2633e

SHA512
cc23292bd7af721c5b2ddb51114a0dcec45376de6f556e10407d0795651ac71380535c1c7fbbe82020577bf3dedbd78bc9238b022c61fa2955510ecb80f10f68

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
081d3bbe67c514cdd97d73f09de9d9d7

SHA1
93adfb7129551c1b78618afa51e7f9ebf467dbd5

SHA256
9f60b4b6197b36ba391417d97eabfa2d033f98b83cb099b3e7568bd0dcd6b8a4

SHA512
a5e0dc38b4c2308648e75de6c74b258bb17660ac12104d5517d58e53b2340e178c399e6fa20b424903ce3973b73c4313c78fcac889ae21c16a7b89efc2f47c69

Download Submit
memory/224-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/224-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1076-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1076-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1280-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2176-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3604-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3604-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3684-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3684-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4700-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4984-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download