neconyd | b264879fe92c78c624a3c44b84226aa88527a0cc145b5fb9512072c7ba0042a0

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

6ce4e5b80819c7ca34c36a9b8975600e
SHA1

a3ef623919590606cb12754ad8258c69e5158e1d
SHA256

b264879fe92c78c624a3c44b84226aa88527a0cc145b5fb9512072c7ba0042a0
SHA512

910737b555e38de9ceeed3810bfcf5ba36aa1651ed6beff7caa0359baec097c9c85e60302d8a792134a3c0bdde98207f5d986892c45c399e1d1aad9b950c03a0
SSDEEP

1536:ODfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:wiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1584	omsecor.exe
560	omsecor.exe
5028	omsecor.exe
5588	omsecor.exe
884	omsecor.exe
5576	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 1812	1744	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	88
PID 1584 set thread context of 560	1584	omsecor.exe	92
PID 5028 set thread context of 5588	5028	omsecor.exe	118
PID 884 set thread context of 5576	884	omsecor.exe	122

Program crash 4 IoCs

pid	pid_target	Process	procid_target
5396	1744	WerFault.exe	87
2872	1584	WerFault.exe	91
5432	5028	WerFault.exe	117
3544	884	WerFault.exe	120

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1812	1744	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	88
PID 1744 wrote to memory of 1812	1744	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	88
PID 1744 wrote to memory of 1812	1744	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	88
PID 1744 wrote to memory of 1812	1744	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	88
PID 1744 wrote to memory of 1812	1744	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	88
PID 1812 wrote to memory of 1584	1812	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	91
PID 1812 wrote to memory of 1584	1812	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	91
PID 1812 wrote to memory of 1584	1812	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	91
PID 1584 wrote to memory of 560	1584	omsecor.exe	92
PID 1584 wrote to memory of 560	1584	omsecor.exe	92
PID 1584 wrote to memory of 560	1584	omsecor.exe	92
PID 1584 wrote to memory of 560	1584	omsecor.exe	92
PID 1584 wrote to memory of 560	1584	omsecor.exe	92
PID 560 wrote to memory of 5028	560	omsecor.exe	117
PID 560 wrote to memory of 5028	560	omsecor.exe	117
PID 560 wrote to memory of 5028	560	omsecor.exe	117
PID 5028 wrote to memory of 5588	5028	omsecor.exe	118
PID 5028 wrote to memory of 5588	5028	omsecor.exe	118
PID 5028 wrote to memory of 5588	5028	omsecor.exe	118
PID 5028 wrote to memory of 5588	5028	omsecor.exe	118
PID 5028 wrote to memory of 5588	5028	omsecor.exe	118
PID 5588 wrote to memory of 884	5588	omsecor.exe	120
PID 5588 wrote to memory of 884	5588	omsecor.exe	120
PID 5588 wrote to memory of 884	5588	omsecor.exe	120
PID 884 wrote to memory of 5576	884	omsecor.exe	122
PID 884 wrote to memory of 5576	884	omsecor.exe	122
PID 884 wrote to memory of 5576	884	omsecor.exe	122
PID 884 wrote to memory of 5576	884	omsecor.exe	122
PID 884 wrote to memory of 5576	884	omsecor.exe	122

C:\Users\Admin\AppData\Local\Temp\2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5588
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 256
        8⤵
        Program crash
        
        PID:3544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 292
        6⤵
        Program crash
        
        PID:5432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 292
      4⤵
      Program crash
      PID:2872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 288
  2⤵
  - Program crash
  PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1744 -ip 1744
1⤵
PID:1072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1584 -ip 1584
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5028 -ip 5028
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 884 -ip 884
1⤵
PID:5608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
00a3cddbb3b6885ffe7474b2053951ca

SHA1
ddec50f690bec91a68359dbf79ac2af8f354b91c

SHA256
46de38bbe184ecc5f6e98ae106cdf34419dc6a9a452ec638bf247661f55d4088

SHA512
e79e8e0b478c6503ec4196c8c62b61bf048ef3f473aaa536a56ebcc68069af97a74c86d16ae44875f63fb029a4a0243dbe1fe9af65ffa15576b5c9d61f8338e5

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e3521c3e19ab9d47513fc9d43c49ae08

SHA1
80b643a717e8393cfdcb2c4bd0c31265409d0626

SHA256
29b522a8c326dfc24f49f2ea08c28b312b924c7d0240e47c6fe5d1a633aa9680

SHA512
710a615985fc1aa41eeb227c31731ea7f0f467c359a66cac5486ec46f133c49f7b0edad385682bd9f8e53a6a374ffe8e254e51ae117e92393a3d0c05b6b70dde

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
a7f73bd4f63ebfdfe97df5e53266a111

SHA1
f23dc86f8e21967cca7d9845bdd1076becf27f32

SHA256
c7345d4d6eb219b90121985b81811b731a9a75c5ad8efd8c0eb51eda75fdcf7b

SHA512
f617e9f756327231b0ef1f486a73a618abed6d70c02c971334ba93ec75ee435945d884c667877123d2ada49fa4ad040b426940d0ed86be75c9a5bfe18f5db5e5

Download Submit
memory/560-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/560-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/560-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/560-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/560-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/560-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/560-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/884-50-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/884-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1584-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1584-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1744-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1744-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1812-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1812-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1812-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1812-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5028-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5028-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5576-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5576-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5576-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5576-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5588-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5588-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5588-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download