neconyd | 906dcd9e68e33dc07c376c30eeddaa5aaaed6e1b176ed576ea45f0d34394d843

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

64b3c6da0b94cde086a7140c945d80a4
SHA1

03abdaa660be2c5361cde3a0d292ac0a22cce2e9
SHA256

906dcd9e68e33dc07c376c30eeddaa5aaaed6e1b176ed576ea45f0d34394d843
SHA512

1deb1435a767a2abe8a00a0d3421f0cd89a8d1220b1c405f75e33ebdbf0f5dafa277c13c9ebb83252e71e4794c30de77f80833e0cd4b0834a896cf2a92f1a177
SSDEEP

1536:pDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCif:ZiRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
232	omsecor.exe
432	omsecor.exe
1384	omsecor.exe
3528	omsecor.exe
920	omsecor.exe
1452	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 4512	5048	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 232 set thread context of 432	232	omsecor.exe	91
PID 1384 set thread context of 3528	1384	omsecor.exe	116
PID 920 set thread context of 1452	920	omsecor.exe	120

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4112	5048	WerFault.exe	85
3116	232	WerFault.exe	89
1256	1384	WerFault.exe	115
736	920	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4512	5048	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 5048 wrote to memory of 4512	5048	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 5048 wrote to memory of 4512	5048	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 5048 wrote to memory of 4512	5048	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 5048 wrote to memory of 4512	5048	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	86
PID 4512 wrote to memory of 232	4512	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	89
PID 4512 wrote to memory of 232	4512	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	89
PID 4512 wrote to memory of 232	4512	2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe	89
PID 232 wrote to memory of 432	232	omsecor.exe	91
PID 232 wrote to memory of 432	232	omsecor.exe	91
PID 232 wrote to memory of 432	232	omsecor.exe	91
PID 232 wrote to memory of 432	232	omsecor.exe	91
PID 232 wrote to memory of 432	232	omsecor.exe	91
PID 432 wrote to memory of 1384	432	omsecor.exe	115
PID 432 wrote to memory of 1384	432	omsecor.exe	115
PID 432 wrote to memory of 1384	432	omsecor.exe	115
PID 1384 wrote to memory of 3528	1384	omsecor.exe	116
PID 1384 wrote to memory of 3528	1384	omsecor.exe	116
PID 1384 wrote to memory of 3528	1384	omsecor.exe	116
PID 1384 wrote to memory of 3528	1384	omsecor.exe	116
PID 1384 wrote to memory of 3528	1384	omsecor.exe	116
PID 3528 wrote to memory of 920	3528	omsecor.exe	118
PID 3528 wrote to memory of 920	3528	omsecor.exe	118
PID 3528 wrote to memory of 920	3528	omsecor.exe	118
PID 920 wrote to memory of 1452	920	omsecor.exe	120
PID 920 wrote to memory of 1452	920	omsecor.exe	120
PID 920 wrote to memory of 1452	920	omsecor.exe	120
PID 920 wrote to memory of 1452	920	omsecor.exe	120
PID 920 wrote to memory of 1452	920	omsecor.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_64b3c6da0b94cde086a7140c945d80a4_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 256
        8⤵
        Program crash
        
        PID:736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 304
        6⤵
        Program crash
        
        PID:1256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 288
      4⤵
      Program crash
      PID:3116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 300
  2⤵
  - Program crash
  PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5048 -ip 5048
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 232 -ip 232
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1384 -ip 1384
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 920 -ip 920
1⤵
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
ce5b51ca466ff99cd0a50d05f65e129b

SHA1
d243572cc2c2c5073c0f696b6eb3512a835341d8

SHA256
60a65d854e39d25c343c6c0def863258c89fb5cd9a951f957690d24ceb909249

SHA512
1af654f86ac71c4a2ddcdb6104dbcc04747426350cf01e17775d13f8decea1021ed2bd22158ad50819ecdaee334ba8133e33bbd1d86f052d7094606f6fc60a4d

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
de83d8b724f1e091a1659ce9be3381f5

SHA1
34b23a2b20822adaeb17ec77212f9c7287f3de06

SHA256
81cdeddd3e2e5add19a84ab6f9c59db3ba66cc320b48db1c57b0fcc489b2633e

SHA512
cc23292bd7af721c5b2ddb51114a0dcec45376de6f556e10407d0795651ac71380535c1c7fbbe82020577bf3dedbd78bc9238b022c61fa2955510ecb80f10f68

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
c7f845294a5759f44a65116e606b897d

SHA1
fd41f4ab9deddfed3a38a2a8265bcdeaf0be6db1

SHA256
d84c778b9e898754b29fe53386eb04d30fb120d7600126517fbdfcc7b58c6df0

SHA512
d5a9a9bbe0442c47a3f4143607636649b4d9b01e508fbd83c54a652895c5db54349a1c5310dc185c3c8ff680e5bcb9a817c7e07cfaad00711dbe364d396ff789

Download Submit
memory/232-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/232-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/432-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/920-45-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1384-51-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1384-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1452-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1452-52-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1452-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1452-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3528-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3528-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3528-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4512-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5048-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download