neconyd | b264879fe92c78c624a3c44b84226aa88527a0cc145b5fb9512072c7ba0042a0

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
Size

134KB
MD5

6ce4e5b80819c7ca34c36a9b8975600e
SHA1

a3ef623919590606cb12754ad8258c69e5158e1d
SHA256

b264879fe92c78c624a3c44b84226aa88527a0cc145b5fb9512072c7ba0042a0
SHA512

910737b555e38de9ceeed3810bfcf5ba36aa1651ed6beff7caa0359baec097c9c85e60302d8a792134a3c0bdde98207f5d986892c45c399e1d1aad9b950c03a0
SSDEEP

1536:ODfDbhERTatPLTH0iqNZg3mqKv6y0RrwFd1tSEsF27da6ZW72Foj/MqMabadwCia:wiRTeH0iqAW6J6f1tqF6dngNmaZCia

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
5648	omsecor.exe
2240	omsecor.exe
6024	omsecor.exe
5920	omsecor.exe
1716	omsecor.exe
1504	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5660 set thread context of 5776	5660	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	87
PID 5648 set thread context of 2240	5648	omsecor.exe	92
PID 6024 set thread context of 5920	6024	omsecor.exe	117
PID 1716 set thread context of 1504	1716	omsecor.exe	120

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1488	5660	WerFault.exe	86
5412	5648	WerFault.exe	90
4400	6024	WerFault.exe	116
3232	1716	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5660 wrote to memory of 5776	5660	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	87
PID 5660 wrote to memory of 5776	5660	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	87
PID 5660 wrote to memory of 5776	5660	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	87
PID 5660 wrote to memory of 5776	5660	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	87
PID 5660 wrote to memory of 5776	5660	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	87
PID 5776 wrote to memory of 5648	5776	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	90
PID 5776 wrote to memory of 5648	5776	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	90
PID 5776 wrote to memory of 5648	5776	2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe	90
PID 5648 wrote to memory of 2240	5648	omsecor.exe	92
PID 5648 wrote to memory of 2240	5648	omsecor.exe	92
PID 5648 wrote to memory of 2240	5648	omsecor.exe	92
PID 5648 wrote to memory of 2240	5648	omsecor.exe	92
PID 5648 wrote to memory of 2240	5648	omsecor.exe	92
PID 2240 wrote to memory of 6024	2240	omsecor.exe	116
PID 2240 wrote to memory of 6024	2240	omsecor.exe	116
PID 2240 wrote to memory of 6024	2240	omsecor.exe	116
PID 6024 wrote to memory of 5920	6024	omsecor.exe	117
PID 6024 wrote to memory of 5920	6024	omsecor.exe	117
PID 6024 wrote to memory of 5920	6024	omsecor.exe	117
PID 6024 wrote to memory of 5920	6024	omsecor.exe	117
PID 6024 wrote to memory of 5920	6024	omsecor.exe	117
PID 5920 wrote to memory of 1716	5920	omsecor.exe	119
PID 5920 wrote to memory of 1716	5920	omsecor.exe	119
PID 5920 wrote to memory of 1716	5920	omsecor.exe	119
PID 1716 wrote to memory of 1504	1716	omsecor.exe	120
PID 1716 wrote to memory of 1504	1716	omsecor.exe	120
PID 1716 wrote to memory of 1504	1716	omsecor.exe	120
PID 1716 wrote to memory of 1504	1716	omsecor.exe	120
PID 1716 wrote to memory of 1504	1716	omsecor.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5660
- C:\Users\Admin\AppData\Local\Temp\2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
  C:\Users\Admin\AppData\Local\Temp\2025-04-06_6ce4e5b80819c7ca34c36a9b8975600e_amadey_rhadamanthys_smoke-loader.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5776
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5648
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6024
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5920
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 268
        8⤵
        Program crash
        
        PID:3232
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 292
        6⤵
        Program crash
        
        PID:4400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 288
      4⤵
      Program crash
      PID:5412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 300
  2⤵
  - Program crash
  PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5660 -ip 5660
1⤵
PID:5364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5648 -ip 5648
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6024 -ip 6024
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1716 -ip 1716
1⤵
PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
26d7ff993c9457f9f2c07ab95d22d92d

SHA1
3af1a679f2f44974e2dd4b654981b64eb6daee6f

SHA256
09f77ca2fe2a7350ad95f70041a9b004296647007185c4b0c1bbb11eb2013bfa

SHA512
5f68c7ac79dfd76b99f9874735b21bda2141917576313210d791fd3b232775381a73774c23d1c165f4943ad976fff57afe932b6a2ec53aea2bb0ad2c19dc4781

Download Submit
C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
134KB

MD5
e3521c3e19ab9d47513fc9d43c49ae08

SHA1
80b643a717e8393cfdcb2c4bd0c31265409d0626

SHA256
29b522a8c326dfc24f49f2ea08c28b312b924c7d0240e47c6fe5d1a633aa9680

SHA512
710a615985fc1aa41eeb227c31731ea7f0f467c359a66cac5486ec46f133c49f7b0edad385682bd9f8e53a6a374ffe8e254e51ae117e92393a3d0c05b6b70dde

Download Submit
C:\Windows\SysWOW64\omsecor.exe

Filesize
134KB

MD5
8c969ac6d303542f6d85aad21e7db660

SHA1
eb4887904846ae80be1f749e017c81e673303542

SHA256
d23bb17aa7c8831c06921bd269ef3b74bfdac6d7b779122ef19a4fe9e5c46669

SHA512
b0f0c05ace74e3a757ec7cad4ec77089cf9aaeef21206f73511c2dd846ed1708526b9d087fda854f5e6b25a4112fe6117553691f489cc9113d5e54ec40e660a8

Download Submit
memory/1504-53-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1504-50-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1504-47-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1504-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2240-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2240-15-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5648-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5648-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5660-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5660-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5776-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5776-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5776-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5776-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5920-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5920-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5920-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6024-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/6024-49-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download