neconyd | 97f556671ec56b8897bd9150654d9f9fb621e73f37cffa505b5be0d2085036fa

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

169170127a7b4ef9367184520bb4319e
SHA1

ee6ac067b51fdb110f30552854f877c4e022ea2f
SHA256

97f556671ec56b8897bd9150654d9f9fb621e73f37cffa505b5be0d2085036fa
SHA512

09854322ff90a4524ccfb73b3ae541d9538d4ca8d1d6779f29ce782b8e0c6353c8f8092084ad4b34e9ab77c905dd3db43e770612dd95907b650ff9d08c298852
SSDEEP

1536:zDfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCiP:/iRTeH0iqAW6J6f1tqF6dngNmaZCiaI

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
3656	omsecor.exe
3292	omsecor.exe
4028	omsecor.exe
3640	omsecor.exe
3844	omsecor.exe
1200	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 368 set thread context of 5284	368	2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe	87
PID 3656 set thread context of 3292	3656	omsecor.exe	91
PID 4028 set thread context of 3640	4028	omsecor.exe	116
PID 3844 set thread context of 1200	3844	omsecor.exe	120

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4364	368	WerFault.exe	86
320	3656	WerFault.exe	90
5976	4028	WerFault.exe	115
5872	3844	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 5284	368	2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe	87
PID 368 wrote to memory of 5284	368	2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe	87
PID 368 wrote to memory of 5284	368	2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe	87
PID 368 wrote to memory of 5284	368	2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe	87
PID 368 wrote to memory of 5284	368	2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe	87
PID 5284 wrote to memory of 3656	5284	2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe	90
PID 5284 wrote to memory of 3656	5284	2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe	90
PID 5284 wrote to memory of 3656	5284	2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe	90
PID 3656 wrote to memory of 3292	3656	omsecor.exe	91
PID 3656 wrote to memory of 3292	3656	omsecor.exe	91
PID 3656 wrote to memory of 3292	3656	omsecor.exe	91
PID 3656 wrote to memory of 3292	3656	omsecor.exe	91
PID 3656 wrote to memory of 3292	3656	omsecor.exe	91
PID 3292 wrote to memory of 4028	3292	omsecor.exe	115
PID 3292 wrote to memory of 4028	3292	omsecor.exe	115
PID 3292 wrote to memory of 4028	3292	omsecor.exe	115
PID 4028 wrote to memory of 3640	4028	omsecor.exe	116
PID 4028 wrote to memory of 3640	4028	omsecor.exe	116
PID 4028 wrote to memory of 3640	4028	omsecor.exe	116
PID 4028 wrote to memory of 3640	4028	omsecor.exe	116
PID 4028 wrote to memory of 3640	4028	omsecor.exe	116
PID 3640 wrote to memory of 3844	3640	omsecor.exe	118
PID 3640 wrote to memory of 3844	3640	omsecor.exe	118
PID 3640 wrote to memory of 3844	3640	omsecor.exe	118
PID 3844 wrote to memory of 1200	3844	omsecor.exe	120
PID 3844 wrote to memory of 1200	3844	omsecor.exe	120
PID 3844 wrote to memory of 1200	3844	omsecor.exe	120
PID 3844 wrote to memory of 1200	3844	omsecor.exe	120
PID 3844 wrote to memory of 1200	3844	omsecor.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_169170127a7b4ef9367184520bb4319e_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5284
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 256
        8⤵
        Program crash
        
        PID:5872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 292
        6⤵
        Program crash
        
        PID:5976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 288
      4⤵
      Program crash
      PID:320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 288
  2⤵
  - Program crash
  PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 368 -ip 368
1⤵
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3656 -ip 3656
1⤵
PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4028 -ip 4028
1⤵
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3844 -ip 3844
1⤵
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
4ded3f868e3f8b26c7f0d54cb8ab0266

SHA1
b062435eac3a2edc454f1dca1f740ed981e49cbf

SHA256
38c45fd103f10de70d0ce6badaa6a9bee4e9df8402248b46edc84be94f5290ce

SHA512
7c3ced4c5e7d2ec5993587a264c85044155a54ea412bf9b8f1a88b1e2bfe6935266830a2d7035a66873901f6cde6bbf9cd0ca745000ad70a21262add4ce3880c

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
efd7bbf4716cbcf986d55f8b571134d6

SHA1
f279c8ae07fd21acde62b2cc81b02d5a0ff1b980

SHA256
4bcb78b976028949a789412b80d63c89a38addf8ee215714cfff3363d75556a9

SHA512
cdabdab2307941f66962c236610502be297dcaab4159d04ae357e9aae40e0f55b58e37d98140613a2986cd51bf028f151e6a1ea8dadaf4201a426c44bd6970fc

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
275632023c28504f781d4f98d2f42af9

SHA1
8fdf5d41a93de86ddef0d3ca38b752322401b215

SHA256
89be3b1846004458d091a080ba55d0bbd49f96249c8dc947ea523804c75b159f

SHA512
404340b236f3c9ca3b94ab51f5a47a59eb882ca800ca9a98d9ffdb2a84f326cb677f3c003a88e15d54463547cf709c1ef7b948b68956c9d9695571067716c6f6

Download Submit
memory/368-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/368-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1200-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1200-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1200-49-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1200-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3292-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3292-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3292-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3292-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3292-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3292-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3292-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3640-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3640-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3640-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3656-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3656-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3844-44-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4028-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5284-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5284-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5284-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5284-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download